MeitY has invited feedback from the public on the draft Bill by December 17, 2022
The Bill has narrowed down its scope to focus on personal data
The government has proposed a penalty of up to INR 500 Cr for non-compliance with the provisions
The government on Friday (November 18) published the long-awaited draft Digital Personal Data Protection Bill, 2022. The Ministry of Electronics and Information Technology (MeitY) has invited feedback from the public on the draft Bill by December 17, 2022.
The Bill has narrowed down its scope to focus on personal data, rather than regulating the use of non-personal data.
“The purpose of this Act is to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process personal data for lawful purposes,” the government said in a statement.
As per the draft, the provisions of the Bill will be applicable to processing of digital personal data outside the territory of India as well, if such processing is in connection with any profiling of, or activity of offering goods or services to individuals within the territory of India.
It must be noted that the government withdrew the Personal Data Protection Bill, 2021 in August after 81 amendments were proposed by a joint parliamentary committee (JPC).
“Considering the report of the JPC, a comprehensive legal framework is being worked upon. Hence, in the circumstances, it is proposed to withdraw The Personal Data Protection Bill, 2019 and present a new bill that fits into the comprehensive legal framework,” Minister of Electronics and Information Technology Ashwini Vaishnaw said at that time.
Minister of State for Electronics and Technology Rajeev Chandrasekhar recently said in a tweet that India’s upcoming Digital Data Protection Bill will end misuse of data of consumers.
In the latest bill, the government has defined ‘data fiduciary’ as any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
A data fiduciary can process the personal data of a data principal (user) who has given or is deemed to have given her consent. On or before requesting an individual’s consent, a data fiduciary will need to give the individual an itemised notice in clear and plain language containing a description of the personal data sought to be collected and the purpose of processing such personal data. In addition, as per the Bill, an itemised notice describing the data collected and the purpose for which such personal data has been processed has to be shared with the individual.
More importantly, the government has also said that it is the responsibility of the data fiduciary to ensure that a user is able to seek effective redressal of grievances. Hence, every data fiduciary will have to publish contact details of the person to whom grievances and queries can be addressed.
When it comes to processing any personal data of a child, data fiduciaries need to obtain verifiable parental consent. The Bill also restricts a data fiduciary from undertaking such processing of personal data that can cause harm to a child, as well as tracking or behavioural monitoring of children or targeted advertising directed at children.
A significant data fiduciary will be required to appoint a Data Protection Officer based in India who will be the point of contact for the grievance redressal mechanism. Besides, they will also have to appoint an Independent Data Auditor who shall evaluate the compliance of the significant data fiduciary.
However, the government has not yet defined a significant data fiduciary. The government will notify a data fiduciary as a significant one based on several factors such as the volume and sensitivity of personal data processed, risk of harm to the user, potential impact on the sovereignty and integrity of India, among others.
The government may also notify countries or territories outside India to which a data fiduciary may transfer personal data, in accordance with terms and conditions that may be specified later.
The government will set up a Data Protection Board of India (Board) under the Act for receipt of complaints, pronouncement of decisions, among others.
The government has also proposed a penalty of up to INR 500 Cr for non-compliance with the Act.
“If the Board determines on conclusion of an inquiry that noncompliance by a person is significant, it may, after giving the person a reasonable opportunity of being heard, impose such financial penalty as specified in Schedule 1, not exceeding rupees five hundred crore in each instance,” the government said.
Note: We at Inc42 take our ethics very seriously. More information about it can be found here.