Data Protection Bill 2022
In light of digitalization and growth of the economy enabling citizens of India to access the internet for various purposes, the Government of India has brought forward the Personal Data Protection Bill, 2022.
This bill aims to moderate the access to personal data of the citizens collected by different companies for lawful purposes in an automated manner. It focuses on recognizing both the rights of individuals to protect their personal data and the need of different organizations to process such personal data.
Key highlights:
For the purpose of this Act, a board to be called the Data Protection Board of India shall be established, which will monitor organizations for non-compliance, violations, and in case of a breach, provide directions to remediate the situation.
Now, coming to the most important part, the matters of money – the bill proposes financial penalties on the organizations in case of non-compliance.
For failure to set up reasonable security measures to prevent data breaches, a fine of up to ₹250Cr will be imposed on organizations.
For failure to notify the board and individuals of a data breach and non-compliance in relation to rules for the underage, a fine of up to ₹200Cr will be imposed.
Non-compliance with various other sections of the Act will result in a fine anywhere from ₹10,000 to ₹150Cr as per the specifics mentioned in the Bill.
The bill highlights the appointment of a Data Protection Officer based in India, by a Data Fiduciary (any person or organization determining the purpose and means of the processing of personal data) to monitor the whole process. Data covered here includes data collected online and data collected offline that is later digitized in an automated manner. It does not include data collected offline, for personal or domestic purposes, or data that has already been on record for at least 100 years.
Other Highlights of the bill:
Another important point mentioned in this act is that in case of a data breach, it will be obligatory for the organization/data fiduciary to inform authorities and every affected individual about the breach. Focusing on data retention done by social media platforms, it has been made obligatory under this bill to remove any personal data belonging to an individual if they no longer use the platform within a reasonable duration of time. Personal data sharing among various organizations (third-party sharing) would also be restricted by the contract and consent of the individual.
This bill makes it obligatory for any Data Fiduciary to obtain the consent of an individual before processing and storing data, through a prior notice listing the data that will be collected and the need for collecting it, along with contact details of the Data Protection Officer. For data that has already been collected before the commencement of this bill, the same process of intimation needs to be followed. In case an individual at some point in time wants to withdraw their consent to the processing of personal data, the organization/data fiduciary must, within a reasonable time, cease the processing. This can be understood through the example of unsubscribing from a mailing list or SMS notifications.
To curb the major issue of online crime against children (every individual under the age of 18), the government has sought to make it obligatory for organizations to collect “Parental Consent” before processing any personal data.
Critical Review:
The bill presents good efforts by the government in order to streamline the process of accumulating personal data with a central authority on the top. However, it comes with certain exemptions that are not clearly defined. Under Clause 18(1c), the bill suggests that data processing is exempt from the other clause if it is in the interest of national security, that is, for prevention and detection of any offence under the law. In addition, under Clause 18(2), it clearly states that the central government is exempted from the provisions of the bill in the interest of sovereignty, integrity, security and maintenance of public order, and for statistical purposes.
A clearer view of the exemption of the central government is necessary, as the current statements may be interpreted in a vague manner without any accountability on the government’s end.
Conclusion:
The overall outlook of this bill intends to portray the accountability of organizations while processing any personal data and the need for securing personal data in the current geopolitical scenario with China. With 47% of the total population in India using the internet for various purposes including online transactions, e-commerce, social media, etc., and increased cyber-crimes in terms of data breaches and national security, it is necessary to strictly monitor organizations and hold them accountable for any shortcomings.
For a detailed view of the bill, refer to the MEITY website.