Companies dealing in the personal data of consumers that fail to take reasonable safeguards to prevent data breaches could face penalties of around Rs.200 crore under the revamped Data Protection Bill, 2022.
The Union Information Technology Minister announced the withdrawal of The Personal Data Protection Bill, 2019 in the Lok Sabha.
He stated that the government has decided to come up with a fresh bill that fits into the comprehensive legal framework with reference to the suggestions made by the Joint Committee of Parliament (JCP) on the Bill.
The Joint Committee of Parliament on the Personal Data Protection Bill submitted a 542-page report with 93 recommendations overall and 81 amendments to the Bill in December 2021.
Apart from that, the panel, headed by the former Union Minister, had recommended about 97 corrections and improvements to the Bill.
Now, the new bill has come up with a new set of guidelines addressing the loopholes in the previous statement and demarcating more stringent lines for violators.
Key features of the New Bill:
Fines and Penalties: For breach of law: According to the new bill, companies dealing with the personal data of consumers that fail to take reasonable safeguards to prevent data breaches could end up facing penalties as high as around Rs.200 crore.
Under the previous bill, the penalty proposed on a company for violation of the law was Rs.15 crore or 4 percent of its annual turnover, whichever is higher.
For intimidating: Penalties are expected to vary on the basis of the nature of non-compliance by data fiduciaries — entities that handle and process the personal data of individuals.
Companies failing to notify people impacted by a data breach could be fined around Rs.150 crore, and those failing to safeguard children’s personal data could be fined close to Rs.100 crore.
Administration body: The Data Protection Board, an adjudicating body proposed to enforce the provisions of the Bill, is likely to be empowered to impose the fine after giving the companies an opportunity of being heard.
Scope of Data being protected: The new Bill will only deal with safeguards around personal data and is understood to have excluded non-personal data from its ambit.
Non-personal data essentially means any data that cannot reveal an individual's identity.
Need for reforms:
With nearly 450 million Internet users and a growth rate of 7-8%, India is well on the path to becoming a digital economy, which has a large market for global players. So, it is important to maintain the regulatory mechanism for users.
Why has the previous Bill been withdrawn?
The Bill was also seen as being too “compliance intensive” by start-ups in the country.
The revamped bill will be much easier to comply with, especially for start-ups.
Issues with Data Localisation:
The tech companies questioned a proposed provision in the Bill called Data Localisation.
Under data localization, it would have been mandatory for companies to store a copy of certain sensitive personal data within India, and exporting undefined “critical” personal data from the country would be prohibited.
Activists had objected that it would allow the central government and its agencies blanket exemptions from adhering to any and all provisions of the Bill.
Pushback from Stakeholders:
The bill had faced significant pushback from a range of stakeholders including big tech companies such as Facebook and Google, and privacy and civil society activists.
Delay in Implementation:
The delays in the Bill had been criticized by several stakeholders, who pointed out that it was a matter of grave concern that India did not have a basic framework to protect people’s privacy.
Other Government Interventions:
Information Technology Act, 2000: It provides for safeguarding against certain breaches in relation to data from computer systems.
It contains provisions to prevent the unauthorized use of computers, computer systems, and data stored therein.