Up to Rs 500 crore! Govt raises penalty in draft data protection bill

The Central government on Friday released a revised draft of the personal data protection bill by prescribing heavy financial penalties for not adhering to sufficient security safeguards to prevent data breaches.

The Central government has increased the penalty amount to up to Rs 500 crore for violating the provisions proposed under the draft Digital Personal Data Protection Bill 2022 issued on Friday.

"The purpose of this Act is to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes," stated the Bill. 

The much-awaited law seeks to provide a legal framework for collecting and processing personal digital data in India.

Three months after the withdrawal of the Digital Personal Data Protection Bill from the lower house of the Parliament, the Central government has now come up with a new draft Bill seeking views from the public.

The draft Personal Data Protection Bill in 2019 proposed a penalty of Rs 15 crore or 4 per cent of the global turnover of an entity.

The Union Minister for Railways, Communications, Electronics and Information Technology Ashwini Vaishnaw today tweeted: "Seeking your views on draft Digital Personal Data Protection Bill, 2022."

The draft bill allows the central government to appoint the ‘Data Protection Board of India’, which will operate as an independent body working as a digital office. The board will determine non-compliance with provisions of the DPDP bill and also decide on the penalty for non-compliance.

"If the Board determines at the conclusion of an inquiry that noncompliance by a person is significant, it may, after giving the person a reasonable opportunity of being heard, impose such a financial penalty as specified in Schedule 1, not exceeding rupees five hundred crore in each instance," the draft said.

"The strength and composition of the Board and the process of selection, terms and conditions of appointment and service, removal of its Chairperson and other Members shall be such as may be prescribed," the draft added.

The draft has proposed a graded penalty system for data fiduciary, which will process the personal data of data owners only in accordance with the provisions of the Act.

The same set of penalties will be applicable to the Data Processor, which will be an entity that will process data on behalf of the Data Fiduciary.

The draft proposes a penalty of up to Rs 250 crore in case the Data Fiduciary or Data Processor fails to protect against personal data breaches in its possession or under its control.

The first principle of the proposed Bill is that usage of personal data by organisations must be done in a manner that is lawful, fair to the individuals concerned and transparent. The second principle of purpose limitation is that the personal data is used for the purposes for which it was collected. The third principle of data minimisation is that only those items of personal data required for attaining a specific purpose must be collected.

The draft is open for public comment till December 17.

ALSO READ: Govt introduces Digital Personal Data Protection Bill draft; check details

With inputs from Agencies