On Friday, the government proposed a new data privacy law that would allow the transfer and storage of personal data in some countries, along with increased penalties for breaches.
The Digital Personal Data Protection (DPDP) Bill of 2022 will be a huge relief to Google, Amazon, Facebook and other global companies. It replaces an earlier version that had big technology companies worried about its strict restrictions on the flow of data across borders.
According to the draft released on Friday for public comment, the government will “notify those countries or territories outside India to which a data agent may transfer personal data”.
The new bill will become law once it is approved by parliament.
The proposed legislation requires consent prior to the collection of personal data and provides for severe penalties amounting to Rs. 500 crore on persons and companies that fail to prevent data breaches, including accidental disclosure, sharing, alteration or destruction of personal data.
Companies are allowed to store collected data for limited periods only.
The draft also gives powers to the central government to exempt state agencies from the provisions of the law “in the interests of the sovereignty and integrity of India” and to maintain public order.
The bill covers personal data collected online and digital data offline. It will also apply to the processing of personal data abroad if that processing involves the profiling of Indian users or the sale of services to them.
“The 2022 DPDP has simplified the proposed data protection regime and eliminated some of the controversial provisions that set back the industry in previous versions. In particular, data mirroring, data localization requirements and general compliance appear to be limited compared to the previous bill,” said Rupinder Malik, Partner in the JSA law firm.
He said the legislative intent appears to be business-friendly and IT-friendly, and focuses on facilitating the flow of data across borders. “Certain aspects that have been watered down could reduce the overall protection given to individual privacy rights. The positive thing is that the bill has been worded in a simpler way, with less vagueness.”
The new bill replaces the Data Protection Bill, which was withdrawn by the government in August this year. The draft is open for public comment through December 17.
The bill requires the creation of a Data Protection Board to ensure compliance. The board will also hear user complaints.
It requires companies like Google and Facebook to be accountable to a “consent manager” to provide an “accessible, transparent and interoperable platform” for giving, managing, reviewing and withdrawing consent.
Users have the right to correct and erase their personal data.
While children’s personal data cannot be obtained or processed without parental consent, the bill states that advertising cannot be targeted to children.
Companies with “high” volume – based on factors such as the volume of data they process – are required to hire an independent data auditor to assess compliance with the provisions of the law.
The provision in the previous version that gave the government powers to require a company to provide anonymous personal data and non-personal data to help target the delivery of services or formulate policies is not present in the new draft.
The new draft raises the penalty amount to Rs. 500 crore for breach of provisions. The Personal Data Protection Bill, passed in 2019, proposed a penalty of Rs. 15 crore or 4 per cent of the global turnover of an entity, whichever is higher.
“The purpose of this bill is to provide for the processing of digital personal data in a manner that recognizes the right of individuals to protect their personal data, and the need to process personal data for lawful and other incidental purposes,” an explanatory note from the bill said.
The draft proposes to set up a Data Protection Board of India, which will carry out functions as per the provisions of the bill.
“If the Board determines at the conclusion of an investigation that the non-compliance of a person is material, it may, after giving the person a reasonable opportunity to have his or her voice heard, impose such monetary penalty as specified in Schedule 1, not to exceed rupees five hundred crore in each condition”.
The draft has proposed a tiered system of penalties for data agents and data processors in the event of any breach under the proposed legislation.
Data agents are those entities that will process personal data, either on their own or with the help of data processors.
The draft suggested a penalty of up to Rs. 250 crore if the data agent or data processor fails to protect against breaches of personal data in its possession or control.
The draft also proposed a penalty of up to Rs. 200 crore if the data agent or data processor fails to notify the board and the data owner about the data breach.
Besides, the bill proposes a penalty of Rs. 10,000 on individuals who provide unconfirmed or false information while applying for any document, service, proof of identity, address, etc., and for registering a false or frivolous complaint with the data agent or the board.
The bill contains a provision that allows entities to transfer the personal data of a citizen outside the country in cases where the processing of the personal data is necessary to enforce any legal right or claim, perform any judicial or quasi-judicial function, investigate or prosecute any crime, or if the data owner is not within the territory of India and no contract is entered into with any person outside the country.
“The central government may, after making an assessment of such factors as it may deem necessary, notify those countries or territories outside India to which the data custodian may transfer personal data,” according to the draft.
The explanatory memorandum issued by the Ministry of Electronics and Information Technology listed seven principles on which the draft law is based.
These include the use of personal data by organizations in a manner that is lawful, transparent and fair to the individuals concerned, and the use of personal data only for the purposes for which it was collected.
The draft also contains a provision to ensure that only items of personal data that are required to fulfill a particular purpose are collected and that they are stored permanently by default.
The explanatory memorandum states that “the Digital Personal Data Protection Law is legislation that defines the rights and duties of a citizen (Digital Nagrik) on the one hand and the obligations to use the legally collected data of the data custodian on the other hand.”
Comments on the bill can be submitted until December 17.