Aiming to protect against personal data breaches, the Indian government released the draft Digital Personal Data Protection Bill 2022
, which entails the provision of a fine of up to Rs250 crore on data-managing entities that fail to adopt reasonable security safeguards. However, several experts feel that the new draft Bill has watered down the objective of a data privacy and protection framework.
The draft Bill, shared by the ministry of electronics and information technology (MeitY), frames out the rights and duties of the citizen (digital nagrik), on the one hand, and the obligations to use collected data lawfully of the data fiduciary, on the other.
One of the Bill's main objectives is to process digital data in a way that recognises both - the right of individuals to protect their personal data and the need to process it for lawful purposes and related matters.
Noncompliance with other provisions of the proposed legislation would entail a penalty ranging from Rs10,000 to Rs200 crore. Though this would depend on the nature of violation or noncompliance with its provisions, the draft Bill says.
"Failure of data processor or data fiduciary to take reasonable security safeguards to prevent personal data breach under sub-section (4) of section 9 of this Act will cost a maximum penalty of Rs250 crore.
"Personal data breach means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data," the draft Bill says.
The Bill also envisages setting up of a data protection board of India, which will act as a digital regulator.
"If the board determines at the conclusion of an inquiry that noncompliance by a person is significant, it may, after giving the person a reasonable opportunity of being heard, impose such a financial penalty as specified in Schedule 1, not exceeding Rs500 crore in each instance," the draft says.
The Bill aims to establish the comprehensive legal framework governing digital personal data protection in India. It also provides for the processing of digital personal data in a manner that recognises the right of individuals to protect their personal data, societal rights and the need to process personal data for lawful purposes, MeitY says.
On data storage, the draft Bill requires consent before calling data and said that "the storage should be limited to such duration as is necessary for the stated purpose for which personal data was collected".
Like Europe's general data protection regulation (GDPR), the proposed Indian Bill will apply to companies operating in the country and to any entities processing the data of Indian citizens.
According to experts, the new draft Bill appears to give a simpler framework for people to be able to adopt it seamlessly. Unfortunately, the scope and applicability provisions have also been curtailed and limited to where the collection is online or digitised and where Indians are targeted for profiling, they pointed out.
Raman Chima, co-founder of SaveTheInternet.in, calls the new draft Bill 'quite disappointing'. In a series of tweets, he says, "This is a data protection bill one would expect from a country in the mid-2000s, before the GDPR, before the Indian Supreme Court's Puttaswamy ruling."
"While claiming to be shorter and using simpler language than the previous draft bill, it actually deletes entire data protection rights that the earlier draft proposed. It uses weaker, pro-corporate language around consent. And even wider carve-outs for government agencies, law enforcement agencies (LEAs)," he says.
According to Rupinder Malik, partner at law firm JSA, the legislative intent appears to be tech and IT business-friendly, focused on facilitating cross-border data flows. "Some aspects that have been watered down could potentially reduce overall protection accorded to individual privacy rights," he says.
Earlier, the Union government had brought the data protection Bill 2019, which was scrapped amid opposition from political parties and various sections of society. The earlier Bill drew intense scrutiny from privacy advocates, industry stakeholders and tech companies.
The earlier legislation was introduced on 11 December 2018 and then referred to the joint parliamentary committee (JPC) for examination.
After the Parliamentary panel's report was presented to the Lok Sabha in December 2021, the Bill was returned with as many as 81 amendments and 12 recommendations.