The Indian government on Friday released the much-awaited draft of the Digital Personal Data Protection Bill, which provides for penalties of up to ₹250 crores for non-compliance and constitutes a regulatory body. It allows the storage of data in certain trusted countries.
The draft bill has been released for public view and consultations. The bill is expected to be tabled in the parliament in the next Budget session.
The bill focuses only on personal data, thereby removing regulations on the use of non-personal data.
It establishes a comprehensive legal framework governing digital personal data protection in the country.
The bill provides for the processing of digital personal data in a manner that recognises the right of individuals to protect their personal data, societal rights and the need to process personal data for lawful purposes, the Central government said.
With an overall goal of preventing unintended use of personal data, the bill lays down detailed rules for the collection, storage and processing of personal data, and required safeguards against any misuse.
It aims to strike a fine balance between individual rights, public interest and ease of doing business, especially for startups, as per government officials.
A data fiduciary's failure to take reasonable security safeguards to prevent a personal data breach may result in the imposition of a financial penalty of ₹250 crores, the bill says.
As per its provisions, data fiduciaries are required to obtain the consent of parents while processing any personal data of a child. Such entities cannot process any personal data for children that could potentially harm them. They have also been barred from processing data of any child for targeted advertisement.
However, the government has not clearly specified rules for data localisation, a demand raised by data protection activists and political leaders for a long time.
On data localisation, a term used to refer to the storage of the data in the territory where it was collected, the bill says, “Cross-border interactions are a defining characteristic of today’s interconnected world. Recognising this, it has been provided in the bill that personal data may be transferred to certain notified countries and territories.”
The draft bill mandates that personal data be stored only for as long as necessary for the specific purpose for which it was collected. Listing out a set of seven principles of the bill, the government said that personal data cannot be “stored perpetually by default”.
It also requires data-collecting entities to take “reasonable safeguards” to prevent any breach and will hold accountable the person who decides the purpose and means of the processing of personal data.
The government has introduced voluntary undertakings as a measure to encourage timely admission and rectification of lapses. “This would go a long way in establishing the clear focus on enabling and facilitating compliance rather than penalising noncompliance,” the Centre said.
The financial penalty has been introduced as a deterrent against non-compliance. The bill has avoided the criminalisation of lapses and non-compliance.
A regulatory body, the Data Protection Board, will be set up with the task of enforcing the laws. It will receive complaints and pronounce decisions in digital format, the bill says.
While framing the bill, the government took into account global best practices, including a review of the personal data protection legislation of Singapore, Australia and the European Union, and prospective federal legislation of the US.
The government said it also considered India’s USD 1 trillion digital economy goals and the rapidly growing innovation and startup ecosystem while formulating the rules in the bill.