Latest bill for India’s new data protection law published

India has proposed a new data privacy law by publishing the bill for the legislation on 18 November 2022, according to The Straits Times.

The new Digital Personal Data Protection Bill, now available for public consultation until 17 December, comes after several iterations over five years. The Hindu said that this was the fourth iteration of the proposed law after a first draft was introduced in 2018.

This followed a 2017 ruling by the Supreme Court of India that the right to privacy is a constitutionally protected fundamental freedom.

The law, which may be called the Digital Personal Data Protection Act, will govern how people’s personal data is collected, stored and used by private companies and the government in one of the world’s biggest online markets.

According to Reuters, India considered global best practices and reviewed data legislation in Singapore, Australia, and European Union, while making the new proposal for the law, which would impact the right to privacy for a fast-growing digital market.

India has more than 760 million active internet users in a population of 1.4 billion, according to the Financial Times. The number of users is expected to reach 1.2 billion later this decade.

To find out more about data protection and privacy laws and regulations in India, attend Data Protection Principles in Asia Part 1. This module is part of the Advanced Certificate in Data Protection Principles programme, which also covers the EU GDPR, Cross Border Privacy Rules and the APEC Privacy Framework.

What is the scope of the legislation and why does it matter?

The law would apply to all processing of personal data that is carried out digitally. This would include both personal data collected online and personal data collected offline but is digitised for processing.

TechCrunch highlighted that the law would mandate how companies handle the data of India’s citizens, including permitting cross-border interactions, including transfer, of information with “certain notified countries and territories.”

The draft also proposes that companies only use the data they have collected on users for the purpose they obtained them originally. It also seeks accountability from the firms to ensure that they are processing the personal data for the users for the precise purpose they collected it.

For any non-compliance to the proposed law, the bill proposed financial penalties of up to 2.5 billion rupees (USD30.6 million) if someone is found breaching the provisions of the law. TechCrunch elaborated that this penalty is applicable in the event a firm fails to provide “reasonable security safeguards to