Govt’s draft Data Protection Bill proposes hefty fine for violation

If an entity fails to notify users about a data breach, the fine could go as high as Rs 200 crore. A similar penalty would be imposed if entities fail to safeguard children’s privacy.

The draft also proposes to impose significant penalties on businesses that undergo data breaches or fail to notify users when breaches happen. (File photo)

The Ministry of Electronics and IT (MeitY) Friday released the revamped draft data protection Bill, three months after withdrawing a previous version that had alarmed big technology companies and the civil society.

The new Bill now being called the Digital Personal Data Protection Bill, 2022, has provisions on ‘purpose limitations’ around data collection, grounds for collecting and processing personal data, relaxation on cross-border data flows, and imposes significant penalties on businesses for violating provisions of the Bill.

Also Read | Data protection Bill revised: Penalty up to Rs 200 crore if firms don’t have safeguards

The new measure is up for public consultation until December 17, and the final version is expected to be tabled in the Budget session of Parliament next year.

The proposed legislation offers significant concessions on cross-border data flows, in a departure from the previous Bill’s contentious requirement of local storage of data within India’s geography. According to the new draft, the Centre will notify regions to which data of Indians can be transferred. Sources said the conditions for selecting such regions would be based on its data security landscape and if the government can access data of Indians from there.

The Indian Express, in August, had reported that the new Bill would relax data localisation requirements and allow data flows to trusted geographies. Data localisation under the previous Bill was among the biggest issues flagged by technology companies, with firms like Meta having said that it could have an impact on its services in India.

The draft also proposes to impose significant penalties on businesses that undergo data breaches or fail to notify users when breaches happen. Entities that fail to take “reasonable security safeguards” to prevent personal data breaches will be fined as high as Rs 250 crore. If an entity fails to notify users about a data breach, the fine could go as high as Rs 200 crore. A similar penalty would be imposed if entities fail to safeguard children’s privacy. On Tuesday (November 15) The Indian Express had reported on these penalties.

Explained | Why the Govt has withdrawn the Personal Data Protection Bill, and what happens now

National security-related exemptions have been kept intact in the new Bill. The Centre has been empowered to notify such exemptions in the interest of sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order or preventing incitement to any cognisable offence relating to any of these.

Story continues below this ad

The government could also exempt certain businesses from adhering to provisions of the Bill on the basis of number of users and the volume of personal data processed by the entity. This has been done keeping in mind startups of the country who had complained that the previous version of the Bill was too “compliance intensive”. On Thursday (November 17), this paper had reported about exemptions to startups under the new Bill.

The Bill also proposes to set up a Data Protection Board to ensure compliance with the Bill. The draft Bill did not include details about the composition of the board, but said that it will be “digital by design”.

Soumyarendra Barik

Soumyarendra Barik is a Special Correspondent with The Indian Express, specializing in the complex and evolving intersection of technology, policy, and society. With over five years of newsroom experience, he is a key voice in documenting how digital transformations impact the daily lives of Indian citizens. Expertise & Focus Areas Barik’s reporting delves into the regulatory and human aspects of the tech world. His core areas of focus include: The Gig Economy: He extensively covers the rights and working conditions of gig workers in India. Tech Policy & Regulation: Analysis of policy interventions that impact Big Tech companies and the broader digital ecosystem. Digital Rights: Reporting on data privacy, internet freedom, and India's prevalent digital divide. Authoritativeness & On-Ground Reporting: Barik is known for his immersive and data-driven approach to journalism. A notable example of his commitment to authentic storytelling involves him tailing a food delivery worker for over 12 hours. This investigative piece quantified the meager earnings and physical toll involved in the profession, providing a verified, ground-level perspective often missing in tech reporting. Personal Interests Outside of the newsroom, Soumyarendra is a self-confessed nerd about horology (watches), follows Formula 1 racing closely, and is an avid football fan. Find all stories by Soumyarendra Barik here. ... Read More