A new draught of the nation’s digital personal data protection law was put up by India’s information technology ministry on Friday, November 18. The bill’s provisions permit the cross-border transmission of some users’ data to ‘certain specified nations and territories’. Big Tech is said to be relieved by this. In recent years, the problem of personal data has caused several social media juggernauts to clash with the Indian government.
In an effort to create a new, more incisive bill that fits into the entire legal framework and protects the data of billions of residents, the government withdrew the disputed Personal Data Protection (PDP) Bill in August after it had undergone 81 revisions in the previous three years. The revised draught law said that ‘the Central government may, after considering all relevant criteria, notify those countries or territories outside India to which a Data Fiduciary may transmit personal data, in accordance with such terms and conditions as may be specified’.
The new bill also includes tough fines of up to USD 30 million for businesses that don’t take steps to prevent data breaches. The maximum fine is USD 30 million for ‘failure of Data Processor or Data Fiduciary to adopt sufficient security controls to avoid personal data breach under sub-section (4) of section 9 of this Act’.
According to the draught bill, a ‘personal data breach’ is any unauthorised processing of personal data or an unintentional acquisition, sharing, use, alteration, destruction, or loss of access to personal data that jeopardises its confidentiality, integrity, or availability.
The measure has now been made available for public comment. Up to December 17, the ministry will take public comments and recommendations. The draught stated that the goal of the legislation was to ‘provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto’.
The draught law states that ‘the storage shall be restricted to such time as is necessary for the declared purpose for which personal data was gathered’ in regards to data storage. Similar to Europe`s GDPR, the proposed Indian bill will apply to companies operating in the country and to any entities processing the data of Indian citizens.
The planned data protection framework has been streamlined, and numerous controversial elements that the industry objected to in earlier draughts have been removed, according to Rupinder Malik, Partner at the legal firm JSA. ‘ Data mirroring, data localization requirements, and general compliances appear to be restricted in comparison to the last Bill. The legislation’s stated goal of promoting cross-border data flows looks to be beneficial to the IT and IT industries ‘, Malik said.
Post Your Comments