The government has released the Draft Digital Personal Data Protection Bill 2022 with heavy fines of ₹200 crores plus

For organizations that fail to alert users about a data breach, the Digital Personal Data Protection Bill 2022 has set severe penalties (1). If organizations also fail to protect children's privacy, they will face comparable penalties that could total up to Rs 200 crore as a fine.

The Ministry of Electronics and IT (MeitY) (2) has produced a draft version of the Digital Personal Data Protection Bill 2022. The government is now looking for suggestions and opinions from the general public. The Bill specifies the rights and responsibilities of digital citizens and outlines the procedure and regulations for data collection by businesses.

The legislation also imposes severe penalties for breaking any of its rules. The Data Protection Board of India (3), established following the new law, will decide on these cases, and its rulings may be appealed in a High Court (4).

Source: The Digital Personal Data Protection Bill, 2022.pdf (5)

The Bill is built on seven principles:

According to an explanatory note for the Bill, the use of personal data by organizations must be done in a way that is legal, fair to the individuals involved, and transparent to the individuals. This is the first of seven principles that the measure is built on. According to the second principle, personal information shall only be used for the purposes for which it was originally gathered.

The third principle is data minimization, and the fourth is accuracy of the data collected. The fifth principle concerns retention: collected personal data should be kept only for a specific period rather than held indefinitely by default.

The sixth principle states that adequate measures should be in place to guarantee that personal data is not being collected or used without authorization. The seventh principle states that whoever chooses the reason for or the method used to process personal data should be responsible for that decision.


Data Principal & Data Fiduciary

The term "data principal" in the Bill refers to the person whose data is being collected, and the term "data fiduciary" refers to the entity—whether it be a person, business, government agency, or other—that chose the goals and procedures for processing a person's data. The law also recognizes that in cases involving children, defined as all users under 18, their parents or legal guardians will be regarded as the "data principals."

According to the law, "personal data" refers to any information that can be used to identify a specific person, and "processing" refers to the full range of actions that can be taken about personal information. As a result, according to the Bill, everything from data collection to storage falls under "processing of data."

The Bill also guarantees that people should have access to essential information in the languages included in the Indian Constitution's eighth schedule (5). The Bill also specifies that each individual must be aware of the types of personal data that a data fiduciary intends to acquire as well as the reason for such collection and further processing. Individuals must also provide consent before having their data processed.

💡 The language used in the notice of data collection must be simple and understandable. Individuals have the right to revoke their consent from a data fiduciary.

Significant Data Fiduciaries

"Significant Data Fiduciaries" are entities that deal with a high volume of personal data. The Central Government (6) will determine who falls under this category based on several factors, including the volume of personal data processed, the risk of harm, and the potential impact on the sovereignty and integrity of India.

The Bill's explanatory note states that this group must fulfill additional requirements to permit increased examination of its operations. Such organizations will be required to designate a data protection officer who will act as their representative and point of contact for complaints. They will also be required to designate an independent data auditor to assess their compliance with the act.

Data erasure and nomination rights

Data principals will have the right to request that the data collected by the fiduciary be corrected and erased. They will also have the right to nominate people who will exercise these rights in the event of the data principal's death or incapacity.

If they do not receive a satisfactory response from the business, users also have the option under the Bill to file a complaint against a "data fiduciary" with the Data Protection Board.


Cross-border data transfer

The note states that although the Bill permits the cross-border storage and transfer of data to specific notified nations and territories, such notification would only take effect once the Central Government has evaluated all pertinent considerations.

Financial Penalties

The draft calls for stiff penalties on companies that experience data breaches or fail to notify customers when they do, as well as a fine of up to Rs 250 crore for those who don't implement reasonable security measures to prevent breaches of personal data.

Depending on the number of users and the volume of personal data an entity processes, the government may exempt some companies from adhering to the Bill's provisions. This has been done to address the concerns of the nation's startups, who complained that the previous version of the Bill required too much compliance.

Organizations that fail to protect children's privacy will face similar penalties. The new Bill maintains national security-related exemptions. The Centre is empowered to announce such exemptions in the interest of India's sovereignty and integrity, state security, friendly relations with foreign states, maintaining public order, or preventing incitement to any cognizable offense related to any of these.

The government may also exempt some businesses from the Bill's provisions based on the number of users and the volume of personal data processed by the entity. The Bill also proposes the establishment of a Data Protection Board to ensure that the legislation is followed.

Source: The Digital Personal Data Protection Bill, 2022.pdf (8)

The draft Bill only said that the board would be "digital by design" but provided no further information regarding its composition. The new Bill is open for public opinion until December 17 and is anticipated to be introduced during Parliament's budget session the following year.