The government has released the long-awaited draft of the digital personal data protection bill, which calls for the creation of a regulator and stipulates fines of up to Rs 500 crore for noncompliance.
The government intends to introduce this draft bill in Parliament by the upcoming budget session after extensive consultation.
The conditions for data collection and the consent of the individuals whose data would be processed are outlined in the draft bill, now known as The Digital Personal Data Protection Bill, 2022. A fiduciary is required to give each individual before collecting their personal information an itemised notice in simple language that includes a description of the personal information sought and why it is being processed.
For instance, the bank must erase the customer’s account-related data when the customer closes their savings bank account. A data fiduciary is required to keep personal data only as long as it is necessary for the purpose for which it was collected, so if a user deletes their social media account on a specific platform, their data must also be deleted.
According to the bill, a data fiduciary is not permitted to track children or monitor their behaviour or to target them with advertisements. The fiduciary must obtain verifiable parental consent before processing any personal information pertaining to a child.
“Where consent given by the Data Principal is the basis of processing of personal data, the Data Principal shall have the right to withdraw her consent at any time. The consequences of such withdrawal shall be borne by such Data Principal. The withdrawal of consent shall not affect the lawfulness of processing of the personal data based on consent before its withdrawal. The ease of such withdrawal shall be comparable to the ease with which consent may be given,” the draft read.
The draft bill empowers the central government to appoint an independent “Indian Data Protection Board.” The board will decide on the penalty for non-compliance as well as whether or not the bill’s provisions have been violated.
In the event of a personal data breach, failure to notify the Board and the affected “data principals” may result in fines of up to Rs 200 crore. Failure to comply with obligations relating to the processing of children’s personal data may subject the fiduciaries to fines of Rs 200 crore.
The draft bill also includes a section titled “duties of data principal” that asks users to give accurate information when claiming the right to correct or erase their data, refrain from filing an unfounded or unjustified grievance or complaint with a Data Fiduciary or the Board, and refrain from giving false information or posing as someone else.
Also Read: Up to Rs 500 crore! Govt raises penalty in draft data protection bill
Also Read: Govt releases new draft of data protection bill, invites feedback from the public