News Highlight
The government released the draft Digital Personal Data Protection Bill 2022 for public comment.
Key Takeaway
- The bill is supposed to outline the rights and duties of ‘digital nagriks’ or citizens while laying out the process and rules for data collection when it comes to companies.
Background
- Justice B N Srikrishna’s committee
- The data protection Bill has been in the works since 2018, when a panel led by Justice B N Srikrishna prepared a draft version of the Bill.
- Withdrawal of the bill
- In August 2022, the government withdrew the earlier Personal Data Protection Bill from Parliament after putting in nearly four years and having gone through multiple iterations, including deliberations by a Joint Committee of Parliament.
- Aims
- It aims at regulating online space, including separate legislation on data privacy, the overall internet ecosystem, cyber security, telecom regulations, and harnessing non-personal data for boosting innovation in the country.
Major provisions of the revamped Bill
- High penalties
- Companies dealing with consumers’ personal data that fail to take reasonable safeguards to prevent data breaches could end up facing penalties as high as around Rs 200 crore.
- Data breach
- Companies failing to notify people impacted by a data breach could be fined around Rs 150 crore.
- Children’s personal data
- Those failing to safeguard children’s personal data could be fined close to Rs 100 crore.
- The Data Protection Board
- It is an adjudicating body proposed to enforce the provisions of the Bill, which is likely to be empowered to impose the fine after giving the companies an opportunity of being heard.
- Personal data
- The new Bill will only deal with safeguards around personal data and is learnt to have excluded non-personal data from its ambit.
- Non-personal data essentially means any data that cannot reveal an individual’s identity.
- Under the law, personal data is “any data by which or about which an individual can be identified.”
- Data Principal
- The bill uses the term “Data Principal” to denote the individual whose data is being collected.
- Data Fiduciary
- The term “Data Fiduciary” refers to the entity (can be an individual, company, firm, state etc.), which decides the “purpose and means of the processing of an individual’s personal data.”
- Prior consent
- The bill also clarifies that individuals need to consent before their data is processed and that “every individual should know what items of personal data a Data Fiduciary wants to collect and the purpose of such collection and further processing.”
- Significant Data Fiduciaries
- The bill talks of ‘Significant Data Fiduciaries, who deal with a high volume of personal data.
- The Central government will define who is designated under this category based on several factors, including the volume of personal data processed.
- Such entities will have to appoint a ‘Data protection officer’ to represent them.
- Cross-border data transfer
- The bill allows for cross-border storage and transfer of data to “certain notified countries and territories.”
- However, “an assessment of relevant factors by the Central Government would precede such a notification,”.
Significance of the bill
- Strong safeguards
- The proposed higher penalties will prompt entities to build strong safeguards to protect data and enforce fiduciary discipline.
- Punitive actions
- Companies would face punitive actions like financial penalties in the event of misuse of data and data breaches.
- End to misuse of customer data
- The upcoming data protection Bill will end the misuse of customer data, with companies facing financial consequences.
Content Source: Indian Express