Draft personal data protection bill proposes up to ₹500 cr penalty
The Ministry of Electronics and Information Technology (MeitY) on Friday released the draft digital personal data protection bill, prescribing financial penalties up to ₹500 crore as a deterrent for non-compliance.
As part of the new bill, the government will establish the Data Protection Board of India to determine non-compliance with the law's provisions and impose penalties. The allocation of work, receipt of complaints, formation of groups for hearing, pronouncement of decisions, and other functions of the board shall be digital by design, the draft says.
In the event of a personal data breach, the board may direct the company to adopt any urgent measures to remedy such personal data breach or mitigate any harm caused to individuals, according to the draft bill.
"If the board determines on conclusion of an inquiry that noncompliance by a person is significant, it may, after giving the person a reasonable opportunity of being heard, impose such financial penalty as specified in Schedule 1, not exceeding rupees five hundred crore in each instance," says the draft data protection bill.
The draft bill prescribes a penalty of up to ₹250 crore for a company's failure to take reasonable security safeguards to prevent a personal data breach. It also proposes a fine of up to ₹200 crore for failure to notify the Data Protection Board and affected users.
This comes three months after the government withdrew its previous data protection bill after it alarmed Big Tech companies. India has over 76 crore active internet users, and this is expected to touch 120 crore over the coming years. The country is also among the highest consumers of data per capita in the world.
The revised data protection bill is expected to be tabled in the next session of Parliament.
"This bill is certainly a step in the right direction of striking a balance between supporting innovation and protecting user rights," says Shahana Chatterji, partner, Shardul Amarchand Mangaldas & Co.
"In particular we note that many obligations applicable to data fiduciaries and processors and mechanisms relating to data processing have been simplified, which will likely enable easier compliance," Chatterji says.
"A significant portion of the rulemaking is likely to occur through rules and guidelines to be issued under the proposed law. We look forward to working with the government in developing these rules and the emerging data protection framework in India and supporting its aim of a $1 trillion digital economy," she adds.