Date: 2022-11-18

The Indian government on Friday proposed a new version of its data privacy law, dubbed the Digital Personal Data Protection Draft Bill, after withdrawing the initial proposal in August this year. While withdrawing the Personal Data Protection Bill from Parliament at the time, the Union Minister for Electronics and Information Technology, Ashwini Vaishnaw, had said that the joint parliamentary committee had suggested a total of 81 changes to the Data Protection Bill, which eventually led the government to withdraw it completely. The committee said a new bill would soon replace it. Now, nearly three and a half months later, the government has reintroduced the Digital Personal Data Protection draft bill.

This new draft bill will allow companies to transfer users' personal data to certain countries abroad, which could be specified by the government. Similarly, the government could also specify territories outside India to which entities managing data can transfer personal data of users.

"Cross-border interactions are a defining characteristic of today's interconnected world … Personal data may be transferred to certain notified countries and territories," the government said in a statement.

In addition to this, the new draft bill also proposes financial penalties on companies for incidents related to data breaches. It also says the central government would have powers to exempt state agencies from provisions of the bill in the interest of national security.

The Digital Personal Data Protection Bill is open for public consultation, Vaishnaw said on Twitter, without giving a deadline.

Seeking your views on draft Digital Personal Data Protection Bill, 2022. Link below: https://t.co/8KfrwBnoF0 — Ashwini Vaishnaw (@AshwiniVaishnaw) November 18, 2022

Here are the key highlights from the new Digital Personal Data Protection draft bill

>> Under the new law, companies will have to give the user an itemised list, in clear and plain language, describing the personal data they seek to collect along with the purpose of using the collected data.

>> Users will be able to withdraw consent given for processing their personal data at any point. “The consequences of such withdrawal shall be borne by such Data Principal,” the draft bill says.

CONSENT MANAGER

>> The draft bill also calls for appointing a ‘Consent Manager’ who will interact with users to give, manage, review or withdraw their consent to the company. The Consent Manager will be accountable to the users and will act on their behalf in communicating their requests to the company.

EXCEPTIONS

>> The draft bill also provides for ‘deemed consent’, conditions under which companies will not have to seek explicit consent from users. These conditions are:

— in a situation where the user voluntarily provides their personal data to the company, and it is expected that they would provide such personal data.

— for performing any function under any law.

— for compliance with any judgment or order issued under any law.

— for responding to a medical emergency involving a threat to the life or immediate threat to the health of the user or any other individual.

— for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health.

— for taking measures to ensure safety of or provide assistance or services to any individual during any disaster, or a public emergency.

— for the purposes related to employment, including prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information, recruitment, termination of employment, provision of any service or benefit sought by the user.

— in public interest for: prevention and detection of fraud, mergers, acquisitions, any other similar combinations or corporate restructuring transactions in accordance with the provisions of applicable laws, network and information security, credit scoring, operation of search engines for processing of publicly available personal data, processing of publicly available personal data and recovery of debt.

>> The new draft bill says that a company should cease to retain personal data, or remove the means by which the personal data can be associated with a particular user, when the purpose for which the personal data was collected is no longer being served by its retention or the retention is no longer necessary for legal or business purposes.

KIDS’ DATA

>> As far as kids’ data is concerned, the draft bill says that companies need to obtain parents’ consent before processing any personal data of a child. The draft bill also forbids companies from tracking or behavioural monitoring of children and from targeted advertising directed at children.

DATA PROTECTION OFFICER and MORE

>> The draft bill requires tech companies to appoint a Data Protection Officer who will represent them in India. “The Data Protection Officer shall be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary,” the draft bill says. The Data Protection Officer will also be the point of contact for the grievance redressal mechanism under the draft bill.

>> Companies are also required to appoint an Independent Data Auditor who will evaluate the compliance of the company under various provisions of the data protection law.

>> Additionally, companies need to publish a Data Protection Impact Assessment and a periodic audit.

RIGHTS

>> Right to information about personal data: Under this, users have the right to obtain from companies confirmation of whether they are processing or have processed their personal data, a summary of the personal data of the user being processed or that has been processed, and the identities of all the companies with whom the personal data has been shared along with the categories of personal data so shared.

>> Right to correction and erasure of personal data: Under this, users have the right to correct and erase their personal data. This right also makes it mandatory for companies to comply with a user’s requests if their data is inaccurate or misleading, incomplete, needs updating, or no longer serves the purpose it was sought for.

SPECIAL PROVISIONS

>> The draft bill also makes some exceptions regarding the storage of data. The draft bill says that the government may allow companies to store users’ data in countries or territories outside India when it is necessary for enforcing any legal right or claim, ‘the processing of personal data by any court or tribunal or any other body in India is necessary for the performance of any judicial or quasi-judicial function’, personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law and the cases where the personal data of a user not within the territory of India is processed pursuant to any contract entered into with any person outside the country by any person based in India.

DATA PROTECTION BOARD and PENALTY

>> The draft bill calls for the formation of a Data Protection Board of India by the Central Government for determining non-compliance with this law and imposing penalties under various provisions of this bill.

>> This board will have the right to impose a financial penalty not exceeding Rs five hundred crore in each instance.

>> The penalty can be improved in case of non-compliance; based on the type and nature of the personal data affected by non-compliance; and repetitive nature of the non-compliance among others.