Data Protection Bill: Fine up to 500 crores on misuse of data, 10 responsibilities fixed, draft of bill presented

Pankaj Prasad
Digital Data Protection Bill 2022
Digital Data Protection Bill 2022

Many new provisions have been added to the new draft of the Digital Data Protection Bill 2022.

Misuse of data in India will attract a fine of up to Rs 500 crore. The Central Government has made public the draft of the new Digital Data Protection Bill 2022. According to the proposed law, it will be mandatory to take consent before collecting personal data of people.

However, global companies like Amazon and Facebook have been given some relief in taking the data of Indians out of the country. The 2019 draft of the bill imposed tough restrictions on big tech companies moving data out of India, which the companies objected to.

According to the draft issued by the Union Ministry of Information Technology, companies will be able to store personal data only for a fixed period of time. The central government will have the right to exempt law enforcement agencies and states from the law in the interest of the sovereignty and integrity of the country and to maintain public order.

In particular, a provision has been made to allow agencies to keep personal data for an unlimited period of time. The new draft has been introduced in place of the 2019 draft that was withdrawn in August this year. Objections or suggestions can be given on this till 17th December.

10 thousand fine will have to be paid now for giving wrong information in any document
Law enforcement agencies will be able to store personal data for unlimited time

For the first time in the legislative history of the country, for the purpose of empowering women in this bill, instead of masculine HE (she) and HIS (her), feminine SHE and HER have been used. 

Consent manager will become a link between the company and the person

Companies like Google and Facebook need to create consent managers to create an accessible, transparent and interoperable platform for users to give, review and withdraw consent. 
Large companies will have to appoint independent data auditors to assess compliance with the law on grounds such as data processing capacity.

Data can be kept only in friendly countries 

Data of Indian citizens can be kept only on servers established in friendly countries of India. The government will release the list of these countries. In legal cases, there is a provision to allow personal data to be taken out of the country if necessary for judicial or quasi-judicial investigation.

Earlier, the fine was kept at Rs 15 crore

In the new draft, the maximum fine amount has been increased to Rs 500 crore. In the 2019 draft, this amount was equal to Rs 15 crore or four per cent of the company's global turnover, whichever was higher. 
The draft proposes a fine of up to Rs 250 crore on data aggregators for personal data theft. 
A provision has been made for a fine of Rs 200 crore for not giving information about data theft to the Data Protection Board.
The important thing is that we have tried to incorporate the philosophy of women empowerment in this bill. PM Narendra Modi is committed for this. We have used feminine pronouns instead of masculine pronouns throughout the Bill. This is an innovative effort. Ashwini Vaishnav, Minister of Information Technology

10 responsibilities fixed for data collectors as well, Protection Board will be established 

In the draft of the new Data Protection Bill, 2022 presented by the Central Government, wrong information while applying for documents, services, proof of identity or address etc. A provision has also been made to impose a fine of Rs 10,000 on those giving. Along with this, ten responsibilities have also been fixed for those who collect data. Along with this, a proposal has also been made to set up a Data Protection Board for compliance of the law and redressal of complaints. 

The government reviewed the personal data protection laws of Singapore, Australia, the European Union, and the United States for the bill. Personal data shall be accurate and complete in accordance with the prescribed responsibilities Take appropriate technical measures for effective compliance Take appropriate security measures to prevent theft Notify the affected person and the Board in case of unauthorized use Must meet the purpose of collection After the data has to be erased, the business contact of the Data Protection Officer has to be provided.

four rights 

Right to Information about Personal Data
Right to rectification and deletion of personal data
right to grievance redressal
right to nominate

four duties 

A person shall comply with applicable laws while exercising the rights of this Act.  
The person shall not make false or frivolous complaints to the Data Fiduciary or the Board.  
Under no circumstances the person shall furnish false particulars
To exercise the right of data rectification, the information must be verifiable and authentic.

Permission will not be sought in 8 situations 

for fraud prevention and detection
In the event of a merger, acquisition or reorganization of the company
for network-information security
Credit rating and scoring
publicly available personal data for the operation of search engines
for the processing of publicly available personal data
for debt recovery
For any proper purpose, which the Government may subsequently decide

Four provisions related to the safety of children 

Prior to collecting data of children, consent from the parent or legal guardian has to be obtained in such a way that it can be verified.
Such data will not be processed and stored, due to which there is a possibility of harm to the child.
No data loggers will monitor children's online behavior
Personal data of children will not be collected through advertisements targeted to children 

Will not apply in four situations 

Non-automatic processing of personal data
Offline processing of personal data
Individually storing personal data of an individual
With respect to the personal data of an individual that has existed for 100 years

Law will be applicable abroad too

If users are profiled or services are sold on the basis of Indian people's data, then this law will also be applicable abroad.  
Information will have to be given in all the languages ​​scheduled in the constitution: In view of the linguistic diversity of India, provision has been made in the bill that the basic information related to personal data should be made available to the person in all the languages ​​included in the Eighth Schedule of the Constitution, so that the person can get information in the right way. able to assess from where his personal data will be used and for what purposes. Based on this, he will be able to decide whether to share the data or not.

Big companies will have to appoint Data Protection Officer: Big companies will have to appoint a Data Protection Officer, who will be responsible for grievance redressal under the provisions of this Act.

Bill inspired by the philosophy of women empowerment: Ashwini 

Information Technology Minister Ashwini Vaishnav said, the bill has been prepared in an easy language. Apart from this, many new efforts have been made. Now it will be available for Indian users in the scheduled languages ​​of the constitution. Another important thing is that we have tried to incorporate the philosophy of women empowerment in this Bill, for which Prime Minister Narendra Modi is committed. We have used the feminine pronouns she and every instead of the male pronouns he and his throughout the Bill. Thirdly, we have clearly included all the principles of privacy laid down by the Supreme Court in the Bill.