Latest bill for India’s new data protection law published

India has proposed a new data privacy law by publishing the bill for the legislation on 18 November 2022, according to The Straits Times.

The new Digital Personal Data Protection Bill, now available for public consultation until 17 December, comes after several iterations over five years. The Hindu said that this was the fourth iteration of the proposed law after a first draft was introduced in 2018.

This followed a 2017 ruling by the Supreme Court of India that the right to privacy is a constitutionally protected fundamental freedom.

The law, which may be called the Digital Personal Data Protection Act, will govern how people’s personal data is collected, stored and used by private companies and the government in one of the world’s biggest online markets.

According to Reuters, India considered global best practices and reviewed data legislation in Singapore, Australia, and European Union, while making the new proposal for the law, which would impact the right to privacy for a fast-growing digital market.

India has more than 760 million active internet users in a population of 1.4 billion, according to the Financial Times. The number of users is expected to reach 1.2 billion later this decade.

To find out more about data protection and privacy laws and regulations in India, attend Data Protection Principles in Asia Part 1. This module is part of the Advanced Certificate in Data Protection Principles programme, which also covers the EU GDPR, Cross Border Privacy Rules and the APEC Privacy Framework.

What is the scope of the legislation and why does it matter?

The law would apply to all processing of personal data that is carried out digitally. This would include both personal data collected online and personal data collected offline but is digitised for processing.

TechCrunch highlighted that the law would mandate how companies handle the data of India’s citizens, including permitting cross-border interactions, including transfer, of information with “certain notified countries and territories.”

The draft also proposes that companies only use the data they have collected on users for the purpose they obtained them originally. It also seeks accountability from the firms to ensure that they are processing the personal data for the users for the precise purpose they collected it.

For any non-compliance to the proposed law, the bill proposed financial penalties of up to 2.5 billion rupees (USD30.6 million) if someone is found breaching the provisions of the law. TechCrunch elaborated that this penalty is applicable in the event a firm fails to provide “reasonable security safeguards to prevent personal data breach.”

It added that there was potential for another fine of USD24.5 million if any firm fails to notify the local authority and users for failure to disclose personal data breach. Meanwhile, The Straits Times reported that the hefty penalties could add up to five billion rupees (USD61.2 million) for non-compliance.

Liked this story? Sign up for a FREE membership at the Data Protection Excellence (DPEX) Network and get regular data protection and data governance news, industry updates, and resources.

When could the Digital Personal Data Protection Law be passed?

According to The Hindu, the government is expected to introduce the Bill in Parliament in the budget session of 2023. The Financial Times added that the government would seek passage of the draft by the end of the next parliamentary season in April or May 2023.

Some of the initial sentiments over the proposed law have noted that it could benefit tech companies, while others have expressed concern over the extent of independence of the government-appointed oversight body, the proposed Data Protection Board.

The Hindu also cited industry observers and experts saying that the draft bill would need multiple iterations before becoming practical.