Editor's Pick: Centre offers revised data protection bill

The Centre’s significantly shortened and revised draft Bill on personal data protection proposes a hefty increase in penalty amounts up to ₹500 crore, while also easing rules on cross-border data flows, in a big relief for large tech firms. The revised draft — now called The Digital Personal Data Protection Bill, 2022 — comes just over three months after its earlier avatar was withdrawn from Parliament by the Central government. The new draft Bill, on which stakeholder comments have been invited till December 17, also narrows down the scope of the data protection regime to personal data protection, leaving out non-personal data from its ambit — a move welcomed by industry. “The Digital Personal Data Protection Bill (DPDPB), 2022, has been uploaded for public consultation today… We have made sure that all the principles of privacy which have been laid down by the Honourable Supreme Court in various judgments [have been] included…,” Minister of Electronics and Information Technology Ashwini Vaishnaw said. The Bill gives the power to the government to offer exemption from its provisions “in the interests of sovereignty and integrity of India” and to maintain public order. The personal data protection bill has been in the works for about five years. The first draft of the Bill was presented by an expert panel headed by Justice B.N. Srikrishna in July 2018, after a year-long consultation process. That draft was revised, and a final Bill was tabled in Parliament in December 2019. However, it was soon referred to a joint parliamentary committee, which submitted its report in December 2021. The Ministry of Electronics and IT withdrew the Bill from Parliament this August, and stated that a new bill would be presented, which fit into the “comprehensive legal framework”. On Friday, the Minister added that the government has ensured that the startup ecosystem and small businesses are not encumbered by huge compliance burdens. “We have tried to create a digital by design framework… The compliance framework is designed right from the beginning in a digital way so that it becomes a simple, easily accessible way for implementing the Bill,” he said. Experts say the data bill may need multiple iterations before becoming practical. (Data bill may need multiple iterations before becoming practical: experts) As per the draft, the Data Protection Board — a new regulatory body to be set up by the government — can impose a penalty of up to ₹500 crore if non-compliance by a person is found to be significant. The Bill proposes six types of penalties for non-compliance, including up to ₹250 crore for failure to take reasonable security safeguards, up to ₹200 crore for failure to notify the Board and affected users in the event of a personal data breach, and up to ₹200 crore for non-fulfilment of additional obligations related to children. The government, which is hopeful of introducing the Bill in the Budget session of Parliament in February 2023, has introduced the concept of ‘Consent Managers’ in the Bill. Pointing out that it is not always possible to keep track of the instances in which one has given consent to the processing of personal data, the government said that a consent manager platform will enable an individual to have a comprehensive view of her interactions with Data Fiduciaries and the consent given to them. The Bill requires the consent of the individual to be the basis for processing of their personal data, except in certain circumstances where seeking the consent of the Data Principal is “impracticable or inadvisable due to pressing concerns”. Every request for consent will need to be presented to the Data Principal in a clear and plain language, and an option to access such a request for consent in English or any language specified in the Eighth Schedule to the Constitution of India. While the earlier version of the draft Bill had recommended that a Data Protection Authority be set up to prevent misuse of personal information, the revised Bill has proposed a Data Protection Board of India which will be notified by the Central government. The Hindu’s Editorials Malady and remedy: On the collegium system of judicial appointments All eyes on Qatar: On 2022 FIFA World Cup The Hindu’s Daily News Quiz The Lok Sabha in 1972 briefly considered a suggestion to rename Andaman and Nicobar Islands as Shaheed Dweep and Swaraj Dweep. Which historic personality suggested these names? Bal Gangadhar Tilak Jawaharlal Nehru Subhas Chandra Bose Sardar Vallabhai Patel To know the answer and to play the full quiz, click here. [logo] Editor's Pick 19 NOVEMBER 2022 [The Hindu logo] In the Editor's Pick newsletter, The Hindu explains why a story was important enough to be carried on the front page of today's edition of our newspaper. [Arrow]( [Open in browser]( [Mail icon]( [More newsletters]( Centre offers revised data protection bill The Centre’s significantly shortened and revised draft Bill on personal data protection proposes a hefty increase in penalty amounts up to ₹500 crore, while also easing rules on cross-border data flows, in a big relief for large tech firms. The revised draft — now called [The Digital Personal Data Protection Bill, 2022]( — comes just over three months after its earlier avatar was [withdrawn from Parliament]( by the Central government. The new draft Bill, on which stakeholder comments have been invited till December 17, also narrows down the scope of the data protection regime to personal data protection, leaving out non-personal data from its ambit — a move welcomed by industry. “The Digital Personal Data Protection Bill (DPDPB), 2022, has been uploaded for public consultation today… We have made sure that all the principles of privacy which have been laid down by the Honourable Supreme Court in various judgments [have been] included…,” Minister of Electronics and Information Technology Ashwini Vaishnaw said. The Bill gives the power to the government to offer exemption from its provisions “in the interests of sovereignty and integrity of India” and to maintain public order. The personal data protection bill has been in the works for about five years. The first draft of the Bill was[presented by an expert panel headed by Justice B.N. Srikrishna]( in July 2018, after a year-long consultation process. That draft was revised, and a final [Bill was tabled in Parliament]( in December 2019. However, it was soon referred to a joint parliamentary committee, which [submitted its report in December 2021](. The Ministry of Electronics and IT withdrew the Bill from Parliament this August, and stated that a new bill would be presented, which fit into the “comprehensive legal framework”. On Friday, the Minister added that the government has ensured that the startup ecosystem and small businesses are not encumbered by huge compliance burdens. “We have tried to create a digital by design framework… The compliance framework is designed right from the beginning in a digital way so that it becomes a simple, easily accessible way for implementing the Bill,” he said. Experts say the data bill may need multiple iterations before becoming practical. ([Data bill may need multiple iterations before becoming practical: experts]( As per the draft, the Data Protection Board — a new regulatory body to be set up by the government — can impose a penalty of up to ₹500 crore if non-compliance by a person is found to be significant. The Bill proposes six types of penalties for non-compliance, including up to ₹250 crore for failure to take reasonable security safeguards, up to ₹200 crore for failure to notify the Board and affected users in the event of a personal data breach, and up to ₹200 crore for non-fulfilment of additional obligations related to children. The government, which is hopeful of introducing the Bill in the Budget session of Parliament in February 2023, has introduced the concept of ‘Consent Managers’ in the Bill. Pointing out that it is not always possible to keep track of the instances in which one has given consent to the processing of personal data, the government said that a consent manager platform will enable an individual to have a comprehensive view of her interactions with Data Fiduciaries and the consent given to them. The Bill requires the consent of the individual to be the basis for processing of their personal data, except in certain circumstances where seeking the consent of the Data Principal is “impracticable or inadvisable due to pressing concerns”. Every request for consent will need to be presented to the Data Principal in a clear and plain language, and an option to access such a request for consent in English or any language specified in the Eighth Schedule to the Constitution of India. While the earlier version of the draft Bill had recommended that a Data Protection Authority be set up to prevent misuse of personal information, the revised Bill has proposed a Data Protection Board of India which will be notified by the Central government. The Hindu’s Editorials [Arrow][Malady and remedy: On the collegium system of judicial appointments]( [Arrow][All eyes on Qatar: On 2022 FIFA World CupÂ]( The Hindu’s Daily News Quiz The Lok Sabha in 1972 briefly considered a suggestion to rename Andaman and Nicobar Islands as Shaheed Dweep and Swaraj Dweep. Which historic personality suggested these names? - Bal Gangadhar Tilak - Jawaharlal Nehru - Subhas Chandra Bose - Sardar Vallabhai Patel To know the answer and to play the full quiz, [click here](. Today’s Best Reads [[Revised personal data protection bill proposes hefty fines, eases cross-border data flow] Revised personal data protection bill proposes hefty fines, eases cross-border data flow]( [[Dynasty rules on both sides of Gujarat politics] Dynasty rules on both sides of Gujarat politics]( [[New Twitter policy is freedom of speech, but not freedom of reach: Elon Musk] New Twitter policy is freedom of speech, but not freedom of reach: Elon Musk]( [[Air bubbles in Delhi’s dystopia] Air bubbles in Delhi’s dystopia]( Copyright @ 2022, THG PUBLISHING PVT LTD. If you are facing any trouble in viewing this newsletter, please [try here]( If you do not wish to receive such emails [go here](