Government announces draft bill on personal data protection; proposes penalty of up to Rs 500 cr

Government announces draft bill on personal data protection; proposes penalty of up to Rs 500 cr

The draft bill 2022 is expected to be presented in the next session of parliament.


Mumbai: The ministry of electronics and information technology (MeitY) has formulated a draft bill, titled "The Digital Personal Data Protection Bill 2022." In a press release published on Friday, the ministry invited feedback from the public on the draft bill. According to the statement, the draft is open for public comment till December 17.

As expected to be presented in the next session of parliament, the purpose of the draft bill, as stated in the official statement from the ministry, is to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process personal data for lawful purposes and for matters connected therewith or incidental thereto.

In addition to this, the ministry has further stated that it has raised the penalty amount to up to Rs 500 crore for violating the provisions proposed under the draft bill. The draft bill, released in 2019, proposed a penalty of Rs 15 crore or four per cent of the global turnover of an entity.

The proposed bill comes in place of the Data Protection Bill, which was withdrawn by the ministry in August this year. The draft proposes to set up a Data Protection Board of India, which will carry out functions as per the provisions of the bill.

“The Digital Personal Data Protection Bill”

The Digital Personal Data Protection Bill frames out the rights and duties of the citizen (Digital Nagrik) on the one hand and the obligations to use collected data lawfully of the data fiduciary on the other.

In an explanatory document issued by the MeitY, seven principles around the data economy have been listed on which the bill is based:

    The first principle is that organisations must use personal data in a way that is legal, fair to the individuals involved, and transparent to individuals.

    The second principle of purpose limitation is that the personal data is used for the purposes for which it was collected.

    The third principle of data minimisation is that only those items of personal data required for attaining a specific purpose must be collected.

    The fourth principle of accuracy of personal data is that reasonable efforts are made to ensure that the personal data of the individual is accurate and kept up-to-date.

    The fifth principle of storage limitation is that personal data is not stored perpetually by default. The storage should be limited to such a duration as is necessary for the stated purpose for which personal data was collected.

    The sixth principle requires that reasonable safeguards be put in place to prevent the unauthorised collection or processing of personal data. This is intended to prevent personal data breaches.

    The seventh principle is that the person who decides the purpose and means of processing personal data should be accountable for such processing.

    These principles have been used as the basis for personal data protection laws in various jurisdictions. The actual implementation of such laws has allowed the emergence of a more nuanced understanding of personal data protection wherein individual rights, public interest, and ease of doing business, especially for startups, are balanced.

Financial penalty:

"If the board determines at the conclusion of an inquiry that non-compliance by a person is significant, it may, after giving the person a reasonable opportunity of being heard, impose such a financial penalty as specified in Schedule 1, not exceeding rupees five hundred crore in each instance," stated the draft.

Other obligations included are:

    The draft bill has proposed a graded penalty system for data fiduciaries that will process the personal data of data owners only in accordance with the provisions of the act.

    The same set of penalties will be applicable to the data processor — which will be an entity that processes data on behalf of the data fiduciary.

    The draft has proposed a penalty of up to Rs 250 crore in case the data fiduciary or data processor fails to protect against personal data breaches in its possession or under its control.

    The draft has also proposed a penalty of Rs 200 crore in case the data fiduciary or data processor fails to inform the board and data owner about the data breach.

Furthermore, in the draft issued by the MeitY, there is a provision to allow entities to transfer the personal data of a citizen outside the country in cases where the processing of personal data is necessary for enforcing any legal right or claim, the performance of any judicial or quasi-judicial function, the investigation or prosecution of any offence, or the data owner is not within the territory of India and has entered into any contract with any person outside the country.

"The central government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a data fiduciary may transfer personal data," it added.