Easier cross-border data flow on cards

NEW DELHI: The government on Friday proposed a new data privacy law that allows the transfer and storage of personal data in some countries while raising the penalty for violations.

The draft Digital Personal Data Protection (DPDP) Bill 2022 will be a great relief for Google, Amazon, Facebook and other global firms as it replaces an earlier version that had alarmed big tech companies over its stringent restrictions on cross-border data flows.

The government will “notify such countries or territories outside India to which a data fiduciary may transfer personal data”, according to the draft unveiled on Friday for public feedback. The new draft will become law once Parliament approves it. The proposed legislation stipulates consent before collecting personal data and provides for stiff penalties of as much as Rs 500 crore on persons and companies that fail to prevent data breaches including accidental disclosures, sharing, altering or destroying personal data. Companies are allowed to store the collected data for only specified periods.

The draft also gives powers to the central government to exempt state agencies from provisions of the bill “in the interests of sovereignty and integrity of India” and to maintain public order. With more than 750 million internet users and the second-largest home for mobile phones, India is a big and growing market for tech giants but the previous privacy rules had riled them.

The draft bill covers personal data collected online and digitised offline data. It will also apply to the processing of personal data abroad if such data involves profiling Indian users or selling services to them. “The 2022 DPDP Bill has simplified the proposed data protection regime and done away with some contentious clauses which caused industry pushback in earlier versions. Particularly, data mirroring, data localisation requirements, and overall compliances appear to be limited compared to the previous Bill,” said Rupinder Malik, Partner at law firm JSA.

The legislative intent, he said, appears to be tech and IT business-friendly, focused on facilitating cross-border data flows. The new draft legislation comes in place of the Data Protection Bill, which was withdrawn by the government in August this year. The draft is open for public comment till December 17.