(Vikram Jeet Singh, Kalindhi Bhatia & Prashant Data)
In the latest twist in the data privacy saga in India, the Ministry of Electronics and Information Technology has released a new draft Digital Personal Data Protection Bill, 2022 (“2022 Bill”) today (November 18, 2022). The 2022 Bill appears to be a much-simplified version compared to the earlier 2019 iteration (that was heavily ‘inspired’ by EU GDPR). The new bill has comparatively simpler requirements pertaining to data localization, cross-border data transfers, rights of data subjects, etc. On the other hand, this draft proposes fines of up to INR 500 crores (about USD 61 million) for egregious breaches!
The 2022 Bill can be viewed here, and certain explanatory notes are available here. The 2022 Bill is open for comments from stakeholders up to December 17, 2022; the link to submit the comments is yet to be made available.
Some background: You may recollect that India’s data privacy law has been on the brink of an overhaul since the the Indian Supreme Court’s 2017 ruling holding that information privacy is a fundamental right. The first iteration of the proposed law was released in 2018; subsequently, the second iteration, Personal Data Protection Bill, 2019 was referred to a Joint Parliamentary Committee (“JPC”) for its review. The JPC in its report proposed 91 revisions to the 2019 Bill (including a suggestion to include non-personal data within its ambit), following which the 2019 Bill was withdrawn earlier this year.