The government has raised the fine to Rs 500 crore for breaching the provisions proposed in the draft Digital Personal Data Protection Bill 2022, released on Friday. A draft Personal Data Protection Bill released in 2019 had proposed a fine of Rs 15 crore or 4% of an entity’s global turnover.
“The Bill aims to provide for the processing of digital personal data in a manner that recognizes the right of individuals to protect their personal data, the need to process personal data for legitimate purposes and other incidental purposes,” says an explanatory note of the draft.
The proposed bill replaces the Data Protection Bill, which the government withdrew in August this year. The draft proposes setting up the Data Protection Board of India, which will perform the functions prescribed in the Act.
“If the board, after its investigation, determines that the non-compliance by a person is material, it may, after giving the person a reasonable opportunity to speak, impose a fine under Schedule 1 not exceeding Rs 500 crore per case,” the draft says.
It proposes a system of graded penalties for data fiduciaries, which will process the personal data of data owners only in accordance with the provisions of the Act.
The same penalties will apply to data processors, i.e., entities that process data on behalf of data fiduciaries.
The draft proposes fines of up to Rs 250 crore if data fiduciaries or data processors fail to prevent the breach of personal data in their possession or control.
The draft also proposes a fine of Rs 200 crore if a data fiduciary or data processor fails to notify the board and data owners of a data breach.
The Act has a provision that allows entities to process personal data when it is required to enforce any legal rights or claims, perform any judicial or quasi-judicial functions, investigate or prosecute any crime or when the data owner is not located in India and has contacted anyone to sign any contract.
“The central government may, after assessing factors it deems necessary, notify the data fiduciary of a country or territory outside India to which personal data may be transferred,” the draft said.
An explanatory note issued by the Ministry of Electronics and Information Technology lays out seven principles on which the bill is based.
These include that an organisation’s use of personal data must be lawful, fair to the individual concerned, and transparent to the individual, and that the personal data must be used for the purpose for which it was collected.
The draft has a provision ensuring that only items of personal data required to fulfil a specific purpose must be collected and stored permanently by default.
“The Digital Personal Data Protection Bill is a piece of legislation that sets out the rights and duties of citizens (Digital Nagrik) on the one hand and the obligations of data fiduciaries to legally use the collected data on the other,” explains the note. The draft is open for comment until December 17.