The government has raised the penalty amount to up to ₹500 crore, apart from setting up a Data Protection Board of India, under the draft Digital Personal Data Protection (DPDP) Bill, 2022 released on Friday.
The draft is open for public comments till December 17.
“If the Board determines at the conclusion of an inquiry that noncompliance by a person is significant, it may, after giving the person a reasonable opportunity of being heard, impose such a financial penalty as specified in Schedule 1, not exceeding rupees five hundred crore in each instance,” the draft said.
This penalty amount is much higher than that proposed by a previous draft. The draft Personal Data Protection Bill in 2019 proposed a penalty of ₹15 crore or four per cent of the global turnover of an entity.
Graded penalty system
The draft has proposed a graded penalty system for the Data Fiduciary, which will process the personal data of data owners only in accordance with the provisions of the Act. The draft proposes a penalty of up to ₹250 crore if the Data Fiduciary or Data Processor fails to protect data in its possession from breaches.
The same set of penalties will be applicable to the data processor—which will be an entity that will process data on behalf of the Data Fiduciary, the draft said.
The government has also tried to simplify the draft Bill with simple language to make it easier to understand.
“Some innovative things that have been attempted in this Bill include – the consent notice which comes from any of the applications/ platform will now have to be given in any one of the Schedule-8 languages of the Constitution. That means the Indian languages will be available to users for getting the consent notice. Secondly, in the philosophy of women empowerment…we have attempted to use the words She/ Her in the entire Bill, instead of He/ His/ Him,” Ashwini Vaishnaw, Minister of Communications and Electronics & Information Technology, said.
He also said that all the principles of privacy, which are laid down by the Supreme Court in various judgements and based on the experiences of various countries, have been included in the draft Bill.
“Simultaneously, we have made sure that the start-up innovation ecosystem and small businesses are not encumbered with huge compliance burden. Instead of that we have tried to create a digital by design compliance framework so that it becomes an easy/ simple accessible way for implementing the Bill,” he added.
However, some experts said that in an attempt to make the latest draft Bill simpler, the government has missed out on many points.
‘Details not covered’
For instance, the Bill in multiple places says ‘as may be prescribed’, but these are details which do not need to be left to the Centre or the Ministry to be prescribed later.
“Look at examples of good data protection laws globally, where details are covered often in the language of the Bill itself. It is completely missing (here)…there are 30 provisions and in 18 of them it says something has to be ‘prescribed’ later. So that also gives unlimited power to the hands of the Executive (government),” Amber Sinha, Senior Fellow at Mozilla Foundation, told BusinessLine.
However, Rajeev Chandrasekhar, Minister of State for Electronics and IT, said, “DPDP is a modern legislation that is part of a comprehensive framework of laws and rules that include IT rules, DPDP bill, National Data Governance Framework Policy and a new Digital India Act – that will be global standard policy framework that will catalyse the India Techade and PM Narendra Modiji’s goal of $1 Trillion Digital Economy.”
“A Data Principal shall have the right to readily available means of registering a grievance with a Data Fiduciary. A Data Principal who is not satisfied with the response of a Data Fiduciary to a grievance or receives no response within seven days or such shorter period as may be prescribed, may register a complaint with the Board in such manner as may be prescribed,” it added.
On transfer of personal data outside India, it said the government may, after an assessment of such factors as it may consider necessary, ‘notify such countries or territories outside India’ to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified.