caalley logo

Welcome to the one-stop destination for Indian Chartered Accountants and other finance professionals

Draft personal data protection Bill: Penalties may range up to Rs 250 crore

New Delhi, November 18, 2022

Updated legislation allows data to be transferred to 'trusted geographies' listed by the government

The government on Friday released for public consultation a revised version of the personal data protection bill by prescribing financial penalties ranging up to Rs 250 crore on fiduciaries for failing to take security safeguards to prevent breaches.

The much-awaited document seeks to provide a legal framework for collecting and processing personal digital data in India. After four years of deliberations, the government on August 3 withdrew the Personal Data Protection (PDP) Bill, 2019 and replaced it with a new version providing comprehensive framework’ and ‘contemporary digital privacy laws.

The new draft has eased the data localisation mandate of the previous version, which had alarmed many big multinational technology companies. The new bill notifies such countries or territories outside India where data fiduciaries may transfer personal data, after assessing factors the government may consider necessary.

The draft bill, renamed as The Digital Personal Data Protection Bill, 2022, has laid out the conditions for collecting data and the consent of the people whose data would be processed. Before taking up anybody’s data, a fiduciary must give to them an itemised notice in clear and plain language containing a description of personal data sought and the purpose of the processing of such personal data.

The draft bill allows the central government to appoint an independent ‘Data Protection Board of India’. The board will determine non-compliance with provisions of the bill and also decide on the penalty for non-compliance.

Failure to notify the Board and affected "data principals" in the event of a personal data breach may invite a penalty of up to Rs 200 crore. Failure to obligations concerning the processing of the personal data of children may also cause the fiduciaries to pay Rs 200 crore in fines.

“Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of the processing of personal data, while “Data Principal” means the individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child.

The draft also defines the purpose limitation, restricting the data used only to the purpose the data was shared. “A Data Fiduciary must cease to retain personal data, or remove how the personal data can be associated with particular Data Principals, as soon as it is reasonable to assume that: (a) the purpose for which such personal data was collected is no longer being served by its retention, and (b) retention is no longer necessary for legal or business purposes,” says the draft.

“The purpose of this Act is to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their data and the need to process personal data for lawful purposes and matters connected therewith or incidental thereto,” reads the official document.

A person may process the personal data of a Data Principal only by the provisions of this Act and Rules made thereunder, for a lawful purpose for which the Data Principal has given or is deemed to have given her consent per the provisions of the bill.

  • - The privacy law to be renamed as The Digital Personal Data Protection Bill, 2022
  • - The bill may allow government to appoint Data Protection Board of India to decide on non-compliance and penalty
  • - Provisions over consent and purpose limitation for data collection tightened
  • - Section 43A of the IT Act to be omitted
  • - The revised draft released for public consultations

[The Business Standard]

Read more on:
Don't miss an update!
Subscribe to our newsletter