PremiumThe Ministry of Electronics and Information technology on Friday released the draft Digital Personal Protection Bill 2022, only three months after withdrawing the draft personal data protection bill, issued in 2019. IT minister Ashwini Vaishnaw took to micro-blogging site Twitter to make the announcement.
"The purpose of this Bill is to provide for the processing of digital personal data in a manner that recognises the right of individuals to protect their personal data, the need to process personal data for lawful purposes and for other incidental purposes," an explanatory note of the draft bill said.
The proposed bill comes in place of the Data Protection Bill, which was withdrawn by the government in August this year.
The draft is open for public comment till December 17.
"The Digital Personal Data Protection Bill is a legislation that frames out the rights and duties of the citizen (Digital Nagrik) on one hand and the obligations to use collected data lawfully of the Data Fiduciary on the other hand," the explanatory note attached mentioned.
“Seeking your views on draft Digital Personal Data Protection Bill, 2022." Vaishnaw wrote on his Twitter profile.
-The government has raised the penalty amount to up to ₹500 crore for violating provisions. The draft personal data protection bill, issued in 2019, had proposed a penalty of ₹15 crore or 4% of the global turnover of an entity
-The draft proposes to set up a Data Protection Board of India, which will carry on functions as per the provisions of the bill.
-The bill has proposed a graded penalty system for data fiduciaries that will process the personal data of data owners only in accordance with the provisions of the Act.
-The same set of penalties will be applicable to the Data processor -- which will be an entity that will process data on behalf of the Data Fiduciary.
-The draft has proposed a penalty of up to ₹250 crore in case the Data Fiduciary or Data Processor fails to protect against personal data breaches in its possession or under its control.
-The draft has also proposed a penalty of ₹200 crore in case the Data Fiduciary or Data Processor fails to inform the Board and data owner about the data breach.
-Interestingly, as noted by Hindustan Times, the bill in a bid to empower women, for the first time uses the terms ‘her’ and ‘she’ irrespective of an individual's gender, in a legislative document.
-The bill has a provision to allow entities to transfer the personal data of a citizen outside the country in cases where the processing of personal data is necessary for enforcing any legal right or claim, the performance of any judicial or quasi-judicial function, investigation or prosecution of any offence or data owner is not within the territory of India and has entered into any contract with any person outside the country.
The explanatory issued by the Ministry of Electronics and IT listed seven principles on which the bill is based.
This includes the
-Usage of personal data by organisations in a lawful manner
-Purpose limitation
-Data minimisation
-Accuracy of personal data
-Storage limitation
-Prevention of breach of personal data
-Accountability for data processing