ET reviewed some portions of the Bill, which has been renamed the Digital Data Protection Bill. It is expected to be released for public consultation in the next few days.
The Data Protection Board of India, slated to operate as an independent body and function as a “digital office,” will be empowered to decide the quantum of any such penalties.
If any organisation, data fiduciary or processor, handling personal data of users fails to “take reasonable security safeguards to prevent personal data breach”, a penalty of up to Rs 200 crore may be levied, according to the draft Bill.
Further, if an organisation fails to “notify the (Data Protection) Board and affected Data Principals (users) in the event of a personal data breach that is likely to result in significant harm to data principals, a penalty of up to Rs 150 crore shall be applicable,” it stated.
A similar penalty may be imposed in case of non-fulfilment of some additional obligations in relation to children. A child has been defined as a person who has not completed 18 years of age.
The proposed Board will be led by a chairperson as well as full-time and part-time members with varied experience and qualifications. They will be considered civil servants during their tenure with the Board.
ET reported on November 16 that the government will allow transfer of data and its storage in “trusted geographies” in the revised draft of the data protection Bill, doing away with the data localisation requirement proposed in the earlier version.
The government will define which geographies are “trusted” from time to time.
Criminal penalties proposed on staff of companies involved in a data breach may also be scrapped in the new draft, which is likely to be released for public consultation in the next few days.