The government of India has released a new draft of the data protection bill and have invited comments from the public for the same. The bill, known as Digital Data Protection Bill 2022, was described by Rajeev Chandrashekhar, Minister of State, Ministry of Electronics and Information Technology (MeitY), as a modern legislation and is part of a comprehensive framework of laws and rules.
The industry has welcomed this new draft stating that it is in the right direction and that it strikes a balance between supporting innovation and protecting user rights. But some observers have raised concerns as well.
“In particular we note that many obligations applicable to data fiduciaries and processors and mechanisms relating to data processing have been simplified, which will likely enable easier compliance. That said, a significant portion of the rulemaking is likely to occur through rules and guidelines to be issued under the proposed law. We look forward to working with the government in developing these rules and the emerging data protection framework in India and supporting its aim of a $1 trillion digital economy,” said Shahana Chatterji, Partner, Shardul Amarchand Mangaldas & Co.
Echoes Rupinder Malik, Partner, J. Sagar Associates (JSA), a leading national law firm in India. As she noted: “The 2022 DPDP Bill has simplified the proposed data protection regime and done away with some contentious clauses which caused industry pushback in earlier versions." She, however, notes that with regard to some clauses, like the ones dealing with data mirroring, data localisation requirements, and overall compliances, they appear to be limited compared to the previous Bill.
Amit Jaju, Senior Managing Director, Ankura Consulting Group (India), too has raised some concerns, especially related to the provision of transfer of personal data outside India, which, as per the new draft, states that the centre may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a data fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified.
“The reborn draft is simpler but has some controversial aspects. Data localisation requirement is dropped, which is contradictory from the stance of other regulators such as the RBI. Thankfully non-personal data is removed from the scope," Jaju said.
According to the draft bill released for public consultation, for the failure of data fiduciary (which can be defined as any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data) and data processor (which is any person who processes personal data on behalf of a data fiduciary) or to take reasonable security safeguards to prevent a personal data breach under the act, the government has proposed a penalty of Rs 250 crore.
Copyright©2022 Living Media India Limited. For reprint rights: Syndications Today