The Ministry of Electronics and IT (MeitY) has already released the draft Digital Personal Data Protection Bill 2022, and the government is currently seeking public feedback and consultations on the bill. The measure is intended to lay out the procedures and guidelines for data collection for businesses as well as the rights and obligations of “digital nagriks,” or citizens.
The measure also establishes severe penalties for breaking any of the law’s rules, and the Data Protection Board of India, which has been set up by the new law, will make these determinations. Orders of the board, however, may be contested in a High Court.
The person whose data is being gathered is referred to throughout the bill as the “Data Principal.”
The “purpose and means of the processing of an individual’s personal data” are determined by the “Data Fiduciary,” which may be a person, business, government agency, or other entity.
The law also acknowledges that, where the individual is a child, defined as any user under the age of 18, the parents or legal guardians shall be regarded as the “Data Principals.”
According to the law, “all data by or in connection to which an individual can be identified” is considered personal data. Processing is defined as “the full range of processes that may be applied to personal data.” Therefore, according to the bill, the entire process of gathering and storing data would be considered processing.
The measure also guarantees that people should have access to “basic information” in the languages included in the Indian Constitution’s eighth schedule. Furthermore, the bill stipulates that consent must be obtained from the individual before their data is processed and that “each individual should be aware of the specific personal data that a Data Fiduciary wishes to collect and the purposes for such collection and further processing.”
Additionally, the notice of data collection must be written in language that is both clear and understandable. A person may also revoke their consent given to a data fiduciary.
Data principals will have the ability to request the deletion and updating of data that the data fiduciary has acquired. They will also have the option of designating a person to act on their behalf in the event that they pass away or become incapable.
The measure also grants customers the ability to complain to the Data Protection Board about a “Data Fiduciary” if they do not receive a sufficient response from the business.
The legislation also permits the storage and transfer of data across international borders to “certain notified countries and territories.” The memo further states that “the Central Government would consider important criteria prior to such a notification.”
The draft also suggests that organisations that have data breaches or fail to notify customers when breaches occur face harsh fines. Entities that do not implement “reasonable security controls” to avoid breaches of personal data could face fines of Rs 250 crore.
Based on the number of users and the volume of personal data processed by the firm, the government may additionally exempt specific enterprises from adhering to the Bill’s rules. This takes into consideration the startups in the nation that had complained that the previous version of the Bill was too “compliance intensive.”