Up to Rs 500 crore fine for data breach proposed

New Delhi, November 18

The government on Friday proposed a new data privacy law that allows the transfer and storage of personal data in some countries while raising the penalty for violations to as much as Rs 500 crore, up from Rs 15 crore earlier.

The draft Digital Personal Data Protection Bill, 2022, will be a great relief for Google, Amazon, Facebook and other global firms as it replaces an earlier version that had alarmed big tech companies over its stringent restrictions on cross-border data flows.

The government will “notify such countries or territories outside India to which a data fiduciary may transfer personal data”, according to the draft unveiled on Friday for public feedback. The new draft will become law once Parliament approves it. Companies are allowed to store the collected data for only specified periods.

The proposed legislation stipulates consent before collecting personal data and provides for stiff penalties of as much as Rs 500 crore on persons and companies that fail to prevent data breaches, including accidental disclosures, sharing, altering or destroying personal data.

The draft also gives powers to the Union Government to exempt state agencies from

provisions of the Bill “in the interests of sovereignty and integrity of India” and to maintain public order. With more than 750 million internet users and the second-largest home for mobile phones, India is a big and growing market for tech giants but the previous privacy rules had riled them.

The draft Bill covers personal data collected online and digitised offline data. It will also apply to the processing of personal data abroad if such data involves profiling Indian users or selling services to them. It requires the setting up of a ‘Data Protection Board’ to ensure compliance. The board will also hear user complaints.

It requires firms such as Google and Facebook to be accountable to a ‘consent manager’ to provide an “accessible, transparent and inter-operable platform” to give, manage, review and withdraw consent. Users shall have the right to correct and erase their personal data. While the personal data of children cannot be obtained or processed without parental consent, the draft law provides that advertising cannot target children.

Companies of ‘significant’ size—based on factors such as the volume of data they process—would be required to appoint an independent data auditor to evaluate compliance with provisions of the law. The provision in the previous version that gave the government powers to ask a company to provide anonymised personal data and non-personal data to help target the delivery of services or formulate policies is not there in the new draft. — PTI

Bill allows govt to exempt state agencies

• Draft Bill gives powers to the Centre to exempt state agencies from the law’s ambit
• Allows easier cross-border transfer, storage of data
• Breaches that entail penalty include accidental disclosures, sharing, altering or destroying of personal data

Join Whatsapp Channel of The Tribune for latest updates.

#Amazon #facebook #Google