The revamped data protection Bill released by the Ministry of Electronics and IT (MeitY) on Friday, came up with some key provisions, such as easing cross-border data flows, hiking penalties for data breaches and non-compliance, and allowing the government to exempt state agencies from the law in the interest of national security.
Three months ago the Government withdrew an earlier version that had triggered a pushback from Big Tech and sections of the civil society. The new draft, now called the Digital Personal Data Protection Bill, 2022, has provisions on “purpose limitations” around data collection. The draft is up for public consultation until December 17 and the final version is expected to be tabled in the Budget session of Parliament next year.
The new draft offers significant concessions on cross-border data flows, in a departure from the previous Bill’s contentious requirement of local storage of data within India’s geography. The new Bill would relax data localisation requirements and allow data flows to trusted geographies.
Under the previous Bill, businesses were supposed to store a copy of certain “sensitive personal data” of citizens like health and financial data within India, and the export of undefined “critical” personal data from the country was prohibited. Firms such as Meta said that it could have an impact on its services in India.
The Bill also proposes to set up a Data Protection Board to ensure compliance with the Bill. Companies will be required to stop retaining user data if it no longer serves the business purpose for which it was collected, and users will have the right to correction and erasure of their personal data in the possession of businesses.
National security-related exemptions, similar to the previous 2019 version, have been kept intact. The Centre has been empowered to exempt its agencies from adhering to provisions of the Bill in the interest of the sovereignty and integrity of India.
The draft also proposes to impose significant penalties on businesses that have data breaches. The maximum penalty that could be imposed on an entity has been capped at Rs 500 crore, per instance of violation. The Bill also prescribes penalties for users. Users could be fined up to Rs 10,000.