[ad_1]
The government has proposed a new data privacy bill, Digital Personal Data Protection Bill 2022. It replaces the Personal Data Protection Bill that was withdrawn in August. The government stated that a more “comprehensive legal framework” will be presented soon. The new proposal is the fourth iteration of the proposed bill. A data protection law has been in the works since 2017, when the Supreme Court ruled that privacy is a fundamental right of every Indian citizen. The Ministry of Electronics and Information Technology (MeitY) has invited feedback from the public on the draft Bill by December 17, 2022. The feedback can be submitted on the MyGov website. Here are the 8 biggest key features of the Digital Personal Data Protection Bill 2022.
* The government will have the power to specify the countries to which companies can transfer personal data. This will allow companies to send user data to servers located in countries on that list.
* The government can exempt state agencies from processing data from the proposed law in the interest of national security.
* The government will establish a “Data Protection Board” for ensuring compliance with the proposed law. The board will also hear user complaints. “The Central Government shall, by notification, establish, for the purposes of this Act, a Board to be called the Data Protection Board of India. The allocation of work, receipt of complaints, formation of groups for hearing, pronouncement of decisions, and other functions of the Board shall be digital by design,” says the draft.
* Companies of “significant” size – based on factors such as the volume of data they process – should appoint an independent data auditor to evaluate compliance with provisions of the law.
* The Data Protection Board can levy financial penalties for non-compliance. Failure of entities to take reasonable security safeguards to prevent data breaches could result in fines of up to 2.5 billion rupees ($30.6 million), the draft proposal said.
* Companies will be required to stop retaining user data if it no longer serves the business purpose for which it was collected. Users shall have the right to correction and erasure of their personal data.
* No company or organisation will be allowed to process personal data that is “likely to cause harm” to children, and advertising cannot target children. Before processing any personal data of a child, parental consent will be required.
* The law will cover personal data collected online and digitised offline data. It will also apply to the processing of personal data abroad, if such data involves profiling Indian users or selling services to them.
* The government will have the power to specify the countries to which companies can transfer personal data. This will allow companies to send user data to servers located in countries on that list.
* The government can exempt state agencies from processing data from the proposed law in the interest of national security.
* The government will establish a “Data Protection Board” for ensuring compliance with the proposed law. The board will also hear user complaints. “The Central Government shall, by notification, establish, for the purposes of this Act, a Board to be called the Data Protection Board of India. The allocation of work, receipt of complaints, formation of groups for hearing, pronouncement of decisions, and other functions of the Board shall be digital by design,” says the draft.
* Companies of “significant” size – based on factors such as the volume of data they process – should appoint an independent data auditor to evaluate compliance with provisions of the law.
* The Data Protection Board can levy financial penalties for non-compliance. Failure of entities to take reasonable security safeguards to prevent data breaches could result in fines of up to 2.5 billion rupees ($30.6 million), the draft proposal said.
* Companies will be required to stop retaining user data if it no longer serves the business purpose for which it was collected. Users shall have the right to correction and erasure of their personal data.
* No company or organisation will be allowed to process personal data that is “likely to cause harm” to children, and advertising cannot target children. Before processing any personal data of a child, parental consent will be required.
* The law will cover personal data collected online and digitised offline data. It will also apply to the processing of personal data abroad, if such data involves profiling Indian users or selling services to them.
[ad_2]
Source link