The Indian government is on the verge of finalising the revamped Data Protection Bill four years after its introduction in the Parliament in 2019. The new revision imposes heavy fines on companies that mishandle user data, deals with safeguards around personal data, and excludes non-personal data from its scope.
The bill will likely be released for public consultation this week and brings major changes since the previous draft was withdrawn in August this year. This older version was met with 81 amendment suggestions and 12 tweaks from a joint parliamentary committee that had studied the bill for nearly two years.
The old draft, the Personal Data Protection bill, has also been renamed. It is now called the Digital Data Protection bill, and it takes a different approach so as not to become the absolute authority on data protection.
The new draft brings much higher fines in case of non-compliance and non-implementation of proper safeguards and eases data localisation rules. This new version will also reportedly ease compliance.
Here’s everything you need to know about the new draft:
- Companies failing to implement proper safeguards against data breaches can be fined as high as ₹200 crores.
- Companies failing to notify victims of a data breach can be fined around ₹150 crores.
- Companies failing to safeguard children’s data can be fined around ₹100 crores.
- Penalties are expected to change based on the nature of non-compliance by the company at fault.
- Penalties will be decided by a Data Protection Board that’ll judge the nature and severity of the data breach and determine the penalty accordingly.
- The bill also does away with data localisation requirements, as companies can now transfer data to, and store it in, “trusted geographies”.
- These “trusted geographies” will be defined by the government and can be changed from time to time.
- Select early-stage startups will be exempt from the bill’s provisions.
- The new draft will be released along with an explainer and a bill summary in the near future.
- The bill will undergo extensive consultation and likely be reintroduced to the Parliament in the Budget Session next year.
Similar to the CERT-In directives released in June earlier this year, the bill’s previous version had seen significant pushback from big tech companies and startups alike.
The new version of the bill seems to be geared towards addressing these problems to make it easier to adopt while at the same time maintaining a hard stance in case a company overlooks essential data protection measures.
Someone who writes/edits/shoots/hosts all things tech and when he’s not, streams himself racing virtual cars. You can reach out to Yadullah at [email protected], or follow him on Instagram or Twitter.