New Delhi, Nov 18: In a relief for Big Tech, the IT Ministry on Friday proposed a new draft of
digital personal data protection bill that will allow cross-border transfer of some users' data with
"certain notified countries and territories".
The government in August withdrew the contentious Personal Data Protection (PDP) Bill that
saw 81 amendments in the past three years, aiming to introduce a new, sharper bill that fits into
the comprehensive legal framework and protects the data of billions of citizens.
"The Central government may, after an assessment of such factors as it may consider necessary,
notify such countries or territories outside India to which a Data Fiduciary may transfer personal
data, in accordance with such terms and conditions as may be specified," the new draft bill read.
The new PDP bill has also proposed harsh penalties of as much as Rs 250 crore on people and
companies that fail to prevent data breaches.
"Failure of Data Processor or Data Fiduciary to take reasonable security safeguards to prevent
personal data breach under sub-section (4) of section 9 of this Act" will cost a maximum penalty
of Rs 250 crore.
"Personal data breach" means any unauthorised processing of personal data or accidental
disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data,
that compromises the confidentiality, integrity or availability of personal data," the draft bill said.
The bill is now open for public consultation and the IT Ministry will hear views from the public
until December 17.
"The purpose of this Act is to provide for the processing of digital personal data in a manner that
recognises both the right of individuals to protect their personal data and the need to process
personal data for lawful purposes, and for matters connected therewith or incidental thereto,"
said the draft.
On data storage, the draft bill requires consent before calling data and said that "the storage
should be limited to such duration as is necessary for the stated purpose for which personal data
was collected".
Similar to Europe's GDPR, the proposed Indian bill will apply to companies operating in the
country and to any entities processing the data of Indian citizens.
Rupinder Malik, Partner at law firm JSA, said that the draft bill has simplified the proposed data
protection regime and done away with some contentious clauses which caused industry pushback
in earlier versions.
"Particularly, data mirroring, data localisation requirements, and overall compliances appear to
be limited compared to the previous Bill. The legislative intent appears to be tech and IT
business friendly, focused on facilitating cross-border data flows," said Malik.
Abhishek Malhotra, Managing Partner, TMT Law Practice, said that the draft bill has watered
down the objective of a data privacy and protection framework.
"It appears to give a simpler framework for people to be able to adopt it seamlessly.
Unfortunately, the scope and applicability provisions have also been curtailed and limited to
where collection is online or digitised and where Indians are targeted for profiling," said
Malhotra.
