Indian Government Publishes Digital Personal Data Protection Bill 2022

The Indian government published a draft version of the long-awaited data protection regulation on Friday, making it the fourth such effort since it was first proposed in July 2018.

The Digital Personal Data Protection Bill 2022, as it’s called, aims to protect personal data, while seeking consent from users in what the draft claims is “clear and plain language” that describes the exact types of information that will be collected and for what purpose.

The draft is open for public consultation until December 17, 2022.

India has more than 760 million active internet users, making it necessary for data generated and used by online platforms to be subject to privacy rules that prevent abuse and increase accountability and trust.

“The bill will establish the comprehensive legal framework governing the protection of digital personal data in India,” the government said. “The bill provides for the processing of digital personal data in a way that recognizes the right of individuals to protect their personal data, social rights, and the need to process personal data for lawful purposes.”

The legislation, in its current form, requires companies (i.e. data processors) to follow sufficient security measures to protect user information, alert users in the event of a data breach, and stop retaining users’ data if people choose to delete their accounts.

“Storage should be limited to the duration that is necessary for the stated purpose for which the personal data was collected,” reads an explanatory note published by the Indian Ministry of Electronics and Information Technology (MeitY).

If steps are not taken to prevent data breaches, companies may face a financial penalty of up to Rs 250 million ($30.6 million). The same goes for entities that fail to notify users of the breach, bringing the total fines to ₹500 crores ($61.3 million).

Users of Internet services, for their part, can request that companies share the categories of personal data that have been passed to third parties, as well as ask that their data be deleted or updated in cases where such information is considered “inaccurate or misleading”.

In addition, the draft imposes data minimization requirements, as well as additional security measures that companies must adopt to prevent the unauthorized collection or processing of personal data.

What is also notable is that the legislation no longer requires data localization, allowing tech giants to transfer personal data outside India’s geographic borders to specific countries and territories.

Lastly, the new measure seeks to establish a Data Protection Board, a government-appointed body that will oversee basic compliance efforts.

That said, the central (also known as federal) government is exempt from the provisions of the act “in the interest of India’s sovereignty and integrity, state security, friendly relations with foreign states, maintenance of public order or the prevention of incitement to any knowable crime related to any of them”.

These broad clauses, in the absence of any data protection mechanisms, could give the government broad powers and effectively facilitate mass surveillance.

“This would give notified government bodies immunity from law enforcement, which could result in gross breaches of citizen privacy,” the Internet Freedom Foundation (IFF) said. “This is because these standards are excessively vague and broad, therefore open to misinterpretation and misuse.”

The latest development comes after an earlier version of the law, introduced in December 2021, was rescinded in August 2022 after dozens of amendments and recommendations.

Data protection legislation has been in the works since 2017, when the Supreme Court unanimously reaffirmed the right to privacy as a fundamental right under the Indian Constitution, a landmark verdict that came following a petition filed by retired Supreme Court Justice K.S. Puttaswamy in 2012.
