Draft digital data protection Bill tabled for comments

The Centre’s significantly shortened and revised draft Bill on personal data protection proposes a hefty increase in penalty amounts up to ₹500 crore, while also easing rules on cross-border data flows, in a big relief for large tech firms. The revised draft — now called The Digital Personal Data Protection Bill, 2022 — comes just over three months after its earlier avatar was withdrawn from Parliament by the Central government.

The new draft Bill, on which stakeholder comments have been invited till December 17, narrows down the scope of the data protection regime to personal data protection, leaving out non-personal data from its ambit — a move welcomed by the industry.

The Bill proposes to impose a penalty of ₹10,000 on individuals providing unverifiable or false information while applying for any document, service, proof of identity or address, or registering a false or frivolous complaint with a Data Fiduciary (who collects and processes the data) or with the Board.

The government, which is hopeful of introducing the Bill in the Budget session in February 2023, has introduced the concept of ‘Consent Managers’ in the Bill. Pointing out that it is not always possible to keep track of the instances in which one has given consent to the processing of personal data, the government said that a consent manager platform will enable an individual to have a comprehensive view of her interactions with Data Fiduciaries and the consent given to them.

Consent of individual

The Bill requires the consent of the individual to be the basis for processing of their personal data, except in certain circumstances where seeking the consent of the Data Principal is “impracticable or inadvisable due to pressing concerns”.

Every request for consent will need to be presented to the Data Principal in clear and plain language, and an option to access such a request for consent in English or any language specified in the Eighth Schedule to the Constitution of India.

The Data Principal shall have the right to withdraw her consent at any time, the Bill stated.

Data Fiduciaries collecting personal data from individuals will need to provide “itemised notice” in clear and plain language containing a description of personal data sought and the purpose of processing of such personal data.

The Bill also gives the power to the government to offer exemption from its provisions “in the interests of sovereignty and integrity of India” and to maintain public order. While the earlier version of the draft Bill had recommended that a Data Protection Authority be set up to prevent misuse of personal information, the revised Bill has proposed a Data Protection Board of India, which will be notified by the Central government.

Related reportPage 8