The Indian government released its long-awaited draft data protection regulation on Friday, the fourth such effort since it was first proposed in July 2018.
of Digital Personal Data Protection Bill 2022as it is called, Purpose It seeks user consent in what the draft purports to be in “clear and plain language” that explains the exact types and purposes of information collected while protecting personal data.
The draft is open for public consultation until 17 December 2022.
With over 760 million active internet users in India, data generated and used by online platforms must comply with privacy regulations to prevent misuse and foster accountability and trust.
“This bill establishes a comprehensive legal framework to govern digital personal data protection in India,” the government said. Said“The bill provides for the processing of digital personal data in a manner that recognizes the individual’s right to protect personal data, the social right and the need to process personal data for lawful purposes. .”
Under current law, companies (data processors) are required to protect user information, warn users in the event of a data breach, and stop holding user data if an individual chooses to delete their account. To do so, you must follow adequate security safeguards.
An explanatory note released by India’s Ministry of Electronics and Information Technology (MeitY) states that “storage should be limited to the period necessary for the stated purpose for which personal data was collected.” read.
Companies can face financial penalties of up to 250 crore rupees ($30.6 million) if they fail to take steps to prevent a data breach. The same is true if the entity fails to notify the user of the violation and effectively the total fine would be 500 crore ($61.3 million) for him.
Internet service users may request companies to share categories of personal data provided to other third parties. Or misleading. ”
Additionally, the draft imposes data minimization requirements as well as additional guardrails that businesses must employ to prevent unauthorized collection and processing of personal data.
Also noteworthy is that the law does not mandate data localization. It allows the tech giant to transfer personal data to certain countries and regions outside of India’s geographical borders.
Finally, the new measures aim to establish the Data Protection Commission, a government-appointed body that oversees core compliance efforts.
Nonetheless, the central (aka federal) government must “in the interests of India’s sovereignty and integrity, national security, friendly relations with foreign , are exempt from the provisions of the law’ violations relating to any of these. ”
These vague clauses, in the absence of data protection mechanisms, could grant governments broad powers and effectively facilitate mass surveillance.
According to the Internet Freedom Foundation (IFF), “This could exonerate informed government agencies from the application of the law and could seriously compromise citizens’ privacy.” “This is because these standards are overly vague and broad, making them prone to misunderstanding and misuse.”
The latest development comes after an earlier version of the law, introduced in December 2021, was repealed in August 2022 after dozens of amendments and recommendations.
The Data Protection Act has been in force since 2017. supreme court unanimously reconfirmed The right to privacy as a fundamental right under the Indian Constitution. petition Filed in 2012 by former High Court Judge KS Puttaswamy.