Revived India Data Protection Bill Proposes Huge Fines
Draft Bill Out for Public Comment Through Dec. 17 Also Raises Privacy Concerns
The Indian government today resurrected a data protection bill that carries fines potentially 3,000% higher than a failed 2019 version of the legislation but allows limited cross-border movement of data - an apparent concession to an earlier push to require strict data localization.
The Digital Personal Data Protection Bill 2022 is up for public comment through Dec. 17.
Fines Up to Rs. 500 Crore, or $61 Million
The proposed fines for noncompliance are "stupendously higher than anticipated," says Shivangi Nadkarni, the co-founder and CEO of Arrka, who authored the first textbook on privacy for the Data Security Council of India, a think tank set up by NASSCOM. Organizations may face a fine of Rs. 500 crore, or $61 million, for noncompliance, according to the draft bill. That's 3,200% higher than the 2019 version, which was scrapped in August. The previous version, drafted by Justice B.N. Srikrishna, proposed a penalty of Rs. 15 crore, or $1 million, or 4% of the global turnover of an entity.
"I'm still trying to wrap my head around the quantum of penalties on behalf of all my clients," says Nadkarni, who helps organizations implement and manage their privacy and security and comply with regulations.
Data Localization Mandate Eased
The previous version required the data of all companies operating in India to be stored locally, but the new draft would allow cross-border data movement. The bill says the government will determine which regions will be eligible for data transfer in the future based on criteria such as the data security landscape and ease of access for the government.
A cross-border policy will likely foster country-to-country trade agreements, said Manish Sehgal, a partner specializing in data privacy at Deloitte India. The bill would make it easier for global companies to operate in India and help them avoid costs related to building more capacity locally, he says.
"The bill's exemptions for central and state agencies, along with exclusion of personal data stored and/or processed in nondigital format, may be a gap to protect personal data and ensure privacy in entirety," Sehgal adds.
The 2019 version of the bill faced criticism from tech firms over its strict data localization requirements. India already required payment processor data to be stored in India, but the tech firms opposed extending the requirement to other types of cross-border data flows.
Dropping the data localization requirement puts the bill in direct conflict with other government agencies, such as the Reserve Bank of India and CERT-In, says Amit Jaju, senior managing director at Ankura Consulting Group. "This is the single biggest gap in the latest draft," he says.
Data Breach Reporting
The draft bill proposes major penalties for businesses that suffer a data breach or fail to disclose a breach. Companies that fail to take "reasonable" measures to prevent data breaches could be fined Rs. 250 crore, or $30 million. Failure to disclose a data breach or to safeguard children's privacy carries a fine of up to Rs. 200 crore, or $24 million.
The latest bill is friendly to the tech sector and falls short of needed privacy protections, said Rupinder Malik, partner at national law firm JSA. "Some aspects that have been watered down could potentially reduce overall protection accorded to individual privacy rights. The positive bit is that the bill has been drafted in a simpler manner, with fewer ambiguities," Malik said.
Experts Seek Clarity
But Rahul Sharma, founder of The Perspective, a consultancy specializing in data policy and privacy, said that the bill does not "fully satisfy" the requirements of privacy protection, as outlined in the Puttaswamy judgment, which reaffirmed privacy as a fundamental right under the nation's constitution.
Sharma expects additional supplements, including other special laws and sectoral regulations, to be implemented in future versions. A lot of details are left to further rule-making, which will determine how stakeholders are eventually affected, he says.
After the public comment period ends Dec. 17, the bill is expected to be presented in the next session of Parliament in February.