Centre proposes six types of penalties under draft Data Protection Bill

Non-fulfilment of additional obligations of Significant Data Fiduciary under sections 11 and 16 of the Act may attract Rs 150 crore and Rs 10 crore fines, respectively.

NEW DELHI: Three months after withdrawing the data protection bill following protests from big technology companies, the Centre on Friday released the draft of a new comprehensive law, making some of the provisions even more stringent.

Under the newly proposed law, the Digital Personal Data Protection Bill 2022, entities will have to pay as much as Rs 250 crore for failing to take reasonable measures to prevent a data breach, against the Rs 15 crore or 4% of an entity's global turnover proposed in the previous bill, which was withdrawn in August.

The new draft, which is open for consultation till December 17, 2022, also proposes to set up a Data Protection Board, which will carry out functions as per the provisions of the Bill. Failure to notify the board of any personal data breach will invite penalties of up to Rs 200 crore. Non-fulfilment of additional obligations in relation to children will also attract a similar fine. Also, non-fulfilment of additional obligations of a significant data fiduciary will attract penalties of up to Rs 150 crore.

The government has made several changes after withdrawing the Personal Data Protection Bill 2019 during the monsoon session of Parliament this year. This is the fourth iteration of the Bill. The government in its explanatory note of the Bill said the purpose of the legislation is to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process personal data for lawful purposes.

Minister of state for electronics and IT Rajeev Chandrasekhar said the new bill is a modern legislation that will help achieve Prime Minister Narendra Modi’s goal of a $1 trillion digital economy. Experts, however, are not impressed. According to the Internet Freedom Foundation, the proposed Data Protection Board lacks autonomy. Also, it “grants vast exemptions to governmental agencies”, it said.

Heavy fines

Failure of data fiduciary (entity that collects data) or data processor (entity that processes the data, usually a third party) to take reasonable security safeguards to prevent personal data breach: Up to Rs 250 crore

Failure to notify in the event of a personal data breach: Up to Rs 200 crore

Non-fulfilment of additional obligations of Significant Data Fiduciary: Up to Rs 150 crore

The New Indian Express
www.newindianexpress.com