Digital Personal Data Protection Bill, 2022: Everything to know
What's the story
The Union government released a draft of the Digital Personal Data Protection Bill, 2022, on Friday, seeking public feedback. A highlight of the draft is the proposed penalty of Rs. 250 crore on the data processor for failing to maintain the necessary security to prevent personal data breaches. In comparison, the previous 2019 draft bill had proposed a corresponding penalty of Rs. 15 crore.
Context
Why does this story matter?
In August 2022, the Electronics & IT Ministry withdrew the Personal Data Protection Bill 2019 after a parliamentary committee suggested 81 amendments to it. Many provisions in the draft—like data localization and hardware authenticity clauses—didn't come under the purview of data protection. This had come after a joint parliamentary committee deliberated the 2019 draft for two years before tabling its report in December 2021.
Information
First ever legislation to use 'she/her' pronouns as standard
The proposed legislation has been renamed from "Personal Data Protection Bill" to "Digital Data Personal Protection Bill, 2022." It aims to facilitate the processing of digital personal data information while recognizing the rights of citizens to protect and process their personal data. In a first, the draft legislation has used the terms "she" and "her" as the standard pronoun irrespective of an individual's gender.
Twitter Post
Government has sought public feedback on the draft Bill
Seeking your views on draft Digital Personal Data Protection Bill, 2022.
— Ashwini Vaishnaw (@AshwiniVaishnaw) November 18, 2022
Link below: https://t.co/8KfrwBnoF0
Details
Data privacy laws of Australia, EU, Singapore reviewed
The draft was prepared after reviewing the data privacy legislation in Australia, European Union (EU), Singapore, and a prospective bill in the United States, too. It has six chapters—Preliminary, Obligations of Data Fiduciary, Rights and Duties of Data Principal, Special Provisions, Compliance Framework, and Miscellaneous. The draft proposes setting up a Data Protection Board of India to enforce the provisions of the new law.
Information
Individual's consent required before processing data
The individual's (Data Principal) consent before processing their information is mandatory, per the draft Bill. Data processing won't be allowed if it is likely to harm a child. Cross-border personal data transfer will be allowed only to select countries after a government assessment and verification.
Data processing
Provision to provide basic information in all 8th Schedule languages
To help citizens better assess the situation under which their personal data is sought, a provision also focuses on mandating the availability of basic information to them in all languages under the 8th Schedule of the Constitution. An individual's data can be processed only if it's done in accordance with the provisions of the Bill and if the purpose isn't forbidden under the law.