The Indian government on Friday introduced a revamped draft of its digital privacy law, the Digital Personal Data Protection Bill, 2022. This is the fourth iteration of a data protection law in the country, proposed three months after the central government withdrew an earlier version that had triggered scrutiny and concerns from privacy advocates and tech giants. The new Bill focuses on easing cross-border data flows with certain nations and increasing penalties for data breaches and non-compliance.
The new draft is available in the public domain for public consultation, and views will be accepted until December 17. The final version is expected to be tabled in the Budget session of Parliament 2023. The previous Bill had more than 90 provisions, whereas the new Bill has only 30.
With DPDP 2022, the government has relaxed certain strict norms on cross-border transfers proposed earlier, stating that it could specify countries to which entities managing data can transfer the personal data of users. This move will impact how giants such as Meta and Amazon process and transfer data in India’s fast-growing digital market. “The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified,” the draft says. The names of the countries have not yet been specified. The previous Bill required local storage of data within India’s geography.
The Bill proposes that tech companies should use data from users only for the original purpose for which it was obtained. Companies will be required to stop retaining user data if it no longer serves the business purpose for which it was obtained, and users will also have the right to correct and erase their personal data. “The storage should be limited to such duration as is necessary for the stated purpose for which personal data was collected,” the draft says.
The latest digital privacy law also proposes to set up a Data Protection Board to ensure compliance of tech companies with the Bill. However, it does not include details about the composition of the board except that it will be “digital by design”.
Another key provision of the Bill is the proposal to impose hefty penalties on businesses for data breaches or for failing to notify users when breaches happen. Entities that fail to take “reasonable security safeguards” to prevent personal data breaches will be fined as much as Rs 250 crore. The maximum penalty that could be imposed on an entity has been capped at Rs 500 crore, per instance of violation.
The Bill empowers the Centre to exempt its agencies from adhering to provisions of the law in the interest of the sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order, or preventing incitement to any cognizable offense.
The Personal Data Protection Bill 2019 was introduced in Parliament back in December 2019. However, it faced pushback from a range of stakeholders including tech companies and privacy activists, and was referred to the JCP for examination. The committee presented its report to the Lok Sabha on December 16, 2021.
Big tech players like Facebook and Twitter have also feared that the Bill would create a host of technical and policy issues, as once implemented it would increase their compliance burden and data storage requirements.