Under the updated version of the Data Protection Bill (1), businesses that deal with personal consumer data may be subject to fines of up to Rs 200 crore if they fail to take reasonable precautions to prevent data breaches.
Following a hearing for the companies, the Data Protection Board, an administrative body proposed for enforcing Bill's provisions, is likely to be given the authority to impose the fine.
Penalties are expected to vary depending on the specific non-compliance by data fiduciary entities handling and processing individuals' data. Companies that fail to notify people affected by a data breach could be fined close to Rs 150 crore, and those that fail to protect children's data could be fined close to Rs 100 crore.
The penalty for breaking the law in the earlier iteration of the Bill, which was withdrawn earlier this year, was set at Rs. 15 crores or 4% of the company's annual revenue, whichever was higher.
The revised Bill, internally known as the "Digital Personal Data Protection Bill" (2), is reportedly close to being finalized by the government, which is expected to release a final draft this week.
According to the information obtained, the new Bill will not address non-personal data; instead, it will only address protections for personal data. Any information that cannot be used to identify a specific person is considered non-personal data.
The earlier Personal Data Protection Bill was also withdrawn by the government from Parliament in August after nearly four years of work and several revisions, including discussions by a Joint Committee of Parliament. A complete legal framework for the online ecosystem is reportedly close to being completed by the government.
The withdrawal occurred despite Union IT Minister Ashwini Vaishnaw's (3) declaration in February 2022 that he hoped to get the parliBillt's approval on the bill in the monsoon session.
In the event of data misuse and breaches, according to the Minister of State for Electronics and IT, Rajeev Chandrashekhar (4), the companies would be subject to punitive actions in the form of financial penalties.
He reaffirmed this in a tweet on Tuesday, claiming that the upcoming data protection bill will stop firms from misusing consumer data by imposing financial penalties.
According to a senior government official, there will also be tight or specific limitations on the data businesses can collect and the amount of time they can store it under the new Bill.
It is also known that the data fiduciaries would be expected to stop keeping personal data once the initial purpose for which it was gathered has been fulfilled and to destroy previously collected data.
The proposed harsher penalties are thought to make it possible for businesses to develop robust security protocols to safeguard individual data.
Ashwini Vaishnav, the union minister for telecom and IT, said that the joint parliamentary committee that reviewed the initial form of the 91-section Bill offered 88 revisions, leaving the government "no choice" except to withdraw the original plan fully.
Next year's Parliamentary Budget Session is when the Bill is most likely to be introduced.