IT Ministry extends deadline for feedback on Digital Data Bill to Jan 2

The Ministry of Electronics and Information Technology has extended the deadline for submitting feedback on the draft Digital Personal Data Protection Bill, 2022 till January 2, after several stakeholders requested more time to submit comments.

At the time of releasing the draft, the ministry had set December 17 as the deadline for consultations. Many stakeholders have expressed issues with the process of submitting comments. The comments can be submitted only on the MyGov portal instead of the ministry’s official email id.  

The ministry released the fourth version of the much-awaited data privacy law in India on November 18. The document seeks to provide a legal framework for collecting and processing personal digital data in India. After four years of deliberations, the government on August 3 withdrew the Personal Data Protection (PDP) Bill, 2019, and replaced it with a new version providing a ‘comprehensive framework’ and ‘contemporary digital privacy laws.’

Released after over three months after discarding the previous draft, the new draft has eased the data localisation mandate of the previous version, which had alarmed many big multinational technology companies. The central government would, ‘after an assessment of such factors as it may consider necessary’, notify a list of countries or territories outside India to which the transfer of personal data will be allowed.

Several public advocacy groups and industry stakeholders welcomed the new draft for its simpler and progressive language. However, there were concerns over the definition of significant fiduciaries, the list of geographies eligible for the free flow of data, and the appointment of a data protection board as well as the penalties being charged.

Policy advocates and industry stakeholders have raised concerns over excessive exemptions to government bodies, the age of consent for sharing personal data, and uncertainty over trusted geographies for storing personal data during the consultation so far. 

The draft prescribes heavy financial penalties for not complying with data privacy rules. The data fiduciaries may face fines of up to Rs 250 crore for failing to take security safeguards to prevent personal data breaches. Failure to notify the data protection board and affected "data principals" in the event of a personal data breach may invite a penalty of up to Rs 200 crore. 

The draft for the first time included additional obligations in relation to the processing of the personal data of children. Failure to obligations concerning the processing of the personal data of children may also cause the fiduciaries to pay Rs 200 crore in fines.