Revised Personal Data Protection Bill Proposes Hefty Fines, Eases Cross-Border Data Flow
26-08-2023
12:23 PM
What’s in today’s news?
- The Digital Personal Data Protection Bill, 2022
Why In News?
- The Union Ministry of Electronics and IT (MeitY) recently released the new draft - the Digital Personal Data Protection Bill, 2022.
- Some of the significant aspects of the revised Bill include:
  - easing cross-border data transfers,
  - increasing penalties for data breaches and noncompliance,
  - allowing the government to exempt state agencies from the law in the interests of national security.
The Digital Personal Data Protection Bill, 2022:
Background:
- The revised draft was released after the government withdrew an earlier version that sparked outrage from Big Tech and civil society.
- Original bill (2019): It was prepared by retired Supreme Court Justice B N Srikrishna, to provide for protection of personal data of individuals and establish a Data Protection Authority for the same.
- The new draft, which has 30 provisions (against more than 90 in the 2019 bill), is now open for public comment, and the final version is scheduled to be tabled in Parliament during the Budget session next year.
Salient provisions in the new draft:
- Purpose limitations, specified grounds for collecting and processing of personal data.
- A Data Protection Board as the adjudicating body to enforce the provisions of the Bill.
- Offers significant concessions on cross-border data flows.
- The Centre will notify regions, based on their data security landscape, to which data of Indians can be transferred.
- The previous Bill required businesses to keep a copy of some "sensitive personal data" within India and prohibited the export of undefined "critical" personal data from the country.
- It was one of the most serious issues raised by IT
- The new Bill takes a softer stance on data localisation rules and allows data flow to specific worldwide destinations based on predetermined evaluations.
- Companies will no longer be required to retain user data that no longer serves its business purpose.
- Users will have the right to have their personal data in the custody of enterprises corrected and erased.
- Companies should not process personal data that is “likely to cause harm” to children (less than 18 years of age) and cannot run advertising targeted at children.
- National security-related exemptions have been kept intact. The Centre has been empowered to exempt its agencies from adhering to provisions of the Bill in the interest of -
  - Sovereignty and integrity of India,
  - Security of the state,
  - Friendly relations with foreign states,
  - Maintenance of public order or preventing incitement to any cognisable offence.
- Keeping in mind the start-up ecosystem of the country, the government could also exempt certain businesses from adhering to provisions of the Bill on the basis of volume of users and personal data processed.
- Penalties for companies: Ranging from Rs 50 crore to Rs 500 crore for data breaches and noncompliance.
- Penalties for users: A customer who provides fraudulent documentation for an online service or files frivolous grievance complaints may be penalised up to Rs 10,000.
Concerns:
- Wide-ranging, excessively vague exemptions for state agencies: These may not satisfy the tests of ‘necessity’ and ‘proportionality’ laid down in the landmark right to privacy judgement of 2017.
- Reduced independence of a proposed regulator: The appointment of the chairperson and members of the proposed Data Protection Board is completely left to the discretion of the central government.
- This is unlike the Data Protection Authority (under the 2019 Bill), which was envisaged to be a statutory