After delays, Centre unveils new data bill
THE GOVT SAID THAT IT COULD SPECIFY NATIONS OR TERRITORIES OUTSIDE INDIA TO WHICH ENTITIES MANAGING DATA CAN TRANSFER PERSONAL DATA OF USERS
NEW DELHI: The central government on Friday proposed a new data privacy law that will allow companies to transfer users’ personal data to certain countries abroad, the latest regulation that will have an impact on how tech giants such as Facebook and Google operate in the market.
The draft bill comes after the government in August withdrew a 2019 proposal that had alarmed big technology companies by proposing stringent regulations on cross-border data flows.
In the new draft released on Friday, the government said it could specify countries or territories outside India to which entities managing data can transfer personal data of users.
The new bill also proposes financial penalties on companies for incident related to data breaches. It also says the federal government would have powers to exempt state agencies from provisions of the bill in the interest of national security.
“Cross-border interactions are a defining characteristic of today’s interconnected world ... Personal data may be transferred to certain notified countries and territories,” the government said in a statement.
The Digital Personal Data Protection Bill is open for public
ceed.”
At least 77 countries other than India and 16 multilateral agencies such as Interpol are attending the conference, the third since 2018. Delegates are expected to discuss global trends in terror financing, terrorism, the use of social media, the dark web for funding terror organisations, and the nexus between terrorists and organised crimes.
Ministers of 20 countries are taking part in the two-day conference. Pakistan and Afghanistan were not invited while China opted out of it.
consultation, Union information technology said on Twitter, without giving a deadline.
Companies, including Facebook, Twitter and Google have for years been concerned with many technology sector regulations India, which have also strained relations with the United States in recent years. Raising the the penalty amount to up to ₹500 crore for violating provisions under the proposed draft, the government’s draft proposal said: “The purpose of this Bill is to provide for the processing of digital personal data in a manner that recognises the right of individuals to protect their personal data, the need to process personal data for lawful purposes and for other incidental purposes.”
The draft personal data protection bill, issued in 2019, had proposed a penalty of ₹15 crore or 4 per cent of the global turnover of an entity. The draft proposes to set up a Data Protection Board of India, which will carry on functions as per the provisions of the bill. It has proposed a graded penalty system for data fiduciaries that will process the personal data of data owners only in accordance with the provisions of the Act. The same set of penalties will be applicable to the Data processor — which will be an entity that will process data on behalf of the Data Fiduciary.
The draft has proposed a penalty of up to ₹250 crore in case the Data Fiduciary or Data Processor fails to protect against personal data breaches in its possession or under its control.
The draft has also proposed a penalty of ₹200 crore in case the Data Fiduciary or Data Processor fails to inform the Board and data owner about the data breach. The bill has a provision to allow entities to transfer the personal data of a citizen outside the country in cases where the processing of personal data is necessary for enforcing any legal right or claim, the performance of any judicial or quasi-judicial function, investigation or prosecution of any offence or data owner is not within the territory of India and has entered into any contract with any person outside the country.
“The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data,” according to the draft. The explanatory issued by the Ministry of Electronics and IT listed seven principles on which the bill is based. This includes the usage of personal data by organisations must be done in a manner that is lawful, fair to the individuals concerned and transparent to individuals and personal data is used for the purposes for which it was collected. The draft has a provision to ensure that only those items of personal data required for attaining a specific purpose must be collected and it must be stored perpetually by default.“The Digital Personal Data Protection Bill is a legislation that frames out the rights and duties of the citizen (Digital Nagrik) on one hand and the obligations to use collected data lawfully of the Data Fiduciary on the other hand,” the explanatory note said. The draft is open for public comment till December 17.