Draft data protection Bill allows cross-border data flows under stipulation, proposes hefty fines

Nov 18, 2022

New Delhi [India], November 19 : The draft Digital Personal Protection Bill, which has been put up for public consultation, contains provisions allowing cross-border data flows under stipulations and imposing significant penalties for violations by businesses.
Ministry of Electronics and IT (MeitY) on Friday put the draft Digital Personal Protection Bill 2022 on its website for public consultation.
The proposed bill comes in place of the Data Protection Bill, which was withdrawn by the government in August this year.
The new draft is up for public consultation until December 17, and the final version is expected to be tabled in the Budget session of Parliament next year.
According to the draft, a Data Protection Board of India will be set up that will function as notified by the provisions of the Bill.
According to the draft, the failure of a Data Processor or Data Fiduciary to take reasonable security safeguards to prevent a personal data breach will invite a penalty of up to Rs 250 crore.
A Data Processor's or Data Fiduciary's failure to notify the Board and the affected Data Principals in the event of a personal data breach will also attract a penalty of Rs 200 crore, and the non-fulfilment of additional obligations in relation to children will land the Data Processor or Data Fiduciary a penalty of Rs 200 crore.
There will be a penalty of Rs 150 crore for the non-fulfilment of the additional obligations of a Significant Data Fiduciary.
According to the draft, in matters of transfer of personal data outside India, the Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified.
Certain provisions of the bill may not apply if (a) the processing of personal data is necessary for enforcing any legal right or claim; (b) the processing of personal data by any court or tribunal or any other body in India is necessary for the performance of any judicial or quasi-judicial function; (c) personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law; and (d) personal data of Data Principals not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India.
The exemptions also cover (a) processing by any instrumentality of the State in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, the maintenance of public order or the prevention of incitement to any cognizable offence relating to any of these; and (b) processing necessary for research, archiving or statistical purposes, if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with standards specified by the Board.
According to the draft, the functions of the Board are, firstly, to determine non-compliance with the provisions of this Act and impose penalties under the provisions of this Act; and, secondly, to perform such functions as the Central Government may assign under the provisions of this Act or under any other law by an order published in the Official Gazette.
The Board may, in the event of a personal data breach, direct the Data Fiduciary to adopt any urgent measures to remedy the breach or mitigate any harm caused to Data Principals (the persons whose data is affected).
The Board may, on a representation made to it or on its own motion, modify, suspend, withdraw or cancel any direction issued, according to the draft.
While determining the amount of a financial penalty to be imposed, the Board shall have regard to (a) the nature, gravity and duration of the non-compliance; (b) the type and nature of the personal data affected by the non-compliance; (c) the repetitive nature of the non-compliance; (d) whether the person, as a result of the non-compliance, has realised a gain or avoided any loss; (e) whether the person took any action to mitigate the effects and consequences of the non-compliance, and the timeliness and effectiveness of that action; (f) whether the financial penalty to be imposed is proportionate and effective, having regard to achieving compliance and deterring non-compliance with the provisions of this Act; and (g) the likely impact of the imposition of the financial penalty on the person.