The draft of the revised Data Protection Bill is likely to be released this week. Minister of State for Electronics and IT Rajeev Chandrasekhar said the new law would put an end to the misuse of customer data and that violators would face punitive action under the rule.
This comes after the government in August withdrew the Personal Data Protection Bill from the Lok Sabha and said it will come out with a “set of fresh legislation” that will fit into the comprehensive legal framework.
The Personal Data Protection (PDP) Bill is being renamed the Digital Data Protection Bill. The revised draft will also drop provisions to regulate non-personal data and social media.
The updated version of the bill will deal with personal data and leave out non-personal data. It will also deal with digital data.
The new Bill proposes to set up an appellate body known as the Data Protection Board, instead of the Data Protection Authority.
The new Bill is likely to deal with safeguards around personal data only and keep non-personal data (information that does not reveal the identity of an individual) out of its ambit.
Data Protection Bill: What’s New In It?
The provision on data localisation and clauses on criminal penalty, social media regulation, and non-personal data were some of the most contentious clauses in the old draft.
In August, Chandrasekhar emphasized during a press briefing that the compliance burden on startups was one of the reasons for withdrawing the bill.
“Big tech firms would have just hired more lawyers to comply if there was a complicated privacy law. The burden of such legislation would hurt startups,” he had said.
On data localisation, the government had mandated that all companies dealing with sensitive data of Indian users keep a copy within its borders. Now, the government is likely to allow the transfer of data and its storage in “trusted geographies” in the revised draft of the data protection Bill, doing away with the data localisation requirement proposed in the earlier version.
The government will define which geographies are “trusted” from time to time.
Criminal penalties proposed for employees of companies involved in data breaches will also be scrapped in the new draft.
“It is a different Bill from the PDP Bill. It deals with digital personal data. It is a much simpler Bill so that it does not become the last word on data protection. It will continue to evolve (with the changing technology),” an Economic Times report quoted an official as saying.
Clauses on criminal penalty, non-personal data, and social media regulation along with a provision on data localisation were among the most contentious clauses in the old draft.
Tech companies and Indian startups had subsequently voiced their concerns.
According to a Mint report citing a government official, the bill may relax some data localization, data storage, and data processing norms.
In what is seen as good news for Indian start-ups, the proposed bill will make it easier for companies to comply with the new guidelines on data protection.
The Bill may also propose allowing the transfer of data and its storage in “trusted geographies” as opposed to the data localisation requirement proposed in the earlier version, Economic Times reported.
Data Protection Bill: How Much Could Companies Be Fined In Case Of A Breach?
The Data Protection Board will decide the penalties for a breach. The revised draft may impose a penalty of around Rs 200 crore on companies dealing in the personal data of consumers for failing to take reasonable safeguards to prevent data breaches. The earlier version of the Bill proposed a penalty of Rs 15 crore or 4 percent of the company’s annual turnover for violation of the law.
The fine will be imposed by the Data Protection Board, an adjudicating body that will be set up to enforce the provisions of the Bill. Companies will be given an opportunity of being heard, the report said.
Apart from this, data fiduciaries are likely to be asked to stop retaining personal data. These entities will be asked to delete data collected by them once the initial purpose for which it was collected has been fulfilled.
Penalties will depend on the nature of non-compliance by data fiduciaries that handle and process the personal data of individuals.
In case a company does not agree with the penalty imposed by the board, it can appeal the decision in a court of law.
How The Earlier Bill Was Brought In
The government set up a committee under Justice BN Srikrishna to draft the first version of the Bill in 2017. A year later, the Srikrishna committee submitted its report, which was the first draft version of the Bill.
The bill was introduced in Lok Sabha in December 2019. Subsequently, a joint parliamentary committee, in a 16 December 2021 report tabled in Parliament, said that the law should bring both personal and non-personal data under its purview.
In August this year, the government withdrew the Personal Data Protection Bill from Parliament after working on it for nearly five years.