
Govt Releases Revised Draft Of Data Protection Bill

The government has also asked stakeholders for feedback by December 17


The government on Friday released the revised draft of the Digital Personal Data Protection Bill and has asked stakeholders for feedback by December 17.

The revised Bill is aimed at protecting digital personal data, covers the transfer of data outside India, and provides for penalties for data breaches.

“The Digital Personal Data Protection Bill is a legislation that frames out the rights and duties of the citizen (Digital Nagrik) on one hand and the obligations to use collected data lawfully of the Data Fiduciary on the other hand,” the Ministry of Electronics and Information Technology said in a statement.


The revised draft of the Bill was brought in after the government in August withdrew the Personal Data Protection Bill from the Lok Sabha and said it will come out with a “set of fresh legislation” that will fit into the comprehensive legal framework.

In the revised draft of the new data Bill, the storage and transfer of data will be allowed in “trusted” jurisdictions, which would be defined by the government from time to time.

Besides, there will be penalties on companies for breaches of data. 

The Bill is expected to be presented in the next session of Parliament.


As per the final draft of the Bill, if any organisation, data fiduciary or processor handling the personal data of users fails to "take reasonable security safeguards to prevent personal data breach", a penalty of up to Rs 200 crore will be levied.

Further, if an organisation fails to "notify the (Data Protection) Board and affected Data Principals (users) in the event of a personal data breach that is likely to result in significant harm to data principals, a penalty of up to Rs 150 crore shall be imposed".

Under the revised draft of the Bill, the government has raised the penalty amount to up to Rs 500 crore for violating provisions.

The earlier draft of the Bill, issued in 2019, had proposed a penalty of Rs 15 crore or 4 per cent of the global turnover of an entity.

"The purpose of this Bill is to provide for the processing of digital personal data in a manner that recognises the right of individuals to protect their personal data, the need to process personal data for lawful purposes and for other incidental purposes," an explanatory note of the draft bill said.

The proposed bill comes in place of the Data Protection Bill, which was withdrawn by the government in August this year.
    
The draft proposes to set up a Data Protection Board of India, which will carry on functions as per the provisions of the Bill.


It has proposed a graded penalty system for data fiduciaries that will process the personal data of data owners only in accordance with the provisions of the Act.

The draft has proposed a penalty of up to Rs 250 crore in case the Data Fiduciary or Data Processor fails to protect against personal data breaches in its possession or under its control.

The draft has also proposed a penalty of Rs 200 crore in case the Data Fiduciary or Data Processor fails to inform the Board and data owner about the data breach. 

The Bill has a provision to allow entities to transfer the personal data of a citizen outside the country in cases where the processing of personal data is necessary for enforcing any legal right or claim, the performance of any judicial or quasi-judicial function, or the investigation or prosecution of any offence, or where the data owner is not within the territory of India and has entered into any contract with any person outside the country.
    
"The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data," according to the draft. 


The draft has a provision to ensure that only those items of personal data required for attaining a specific purpose must be collected and it must be stored perpetually by default.

"The Digital Personal Data Protection Bill is a legislation that frames out the rights and duties of the citizen (Digital Nagrik) on one hand and the obligations to use collected data lawfully of the Data Fiduciary on the other hand," the explanatory note said. 

(With inputs from PTI)
