India released the draft of a new comprehensive data protection bill on Friday, three months after withdrawing a previous bill that had alarmed big technology companies.
Expected to be presented in the next session of parliament, the measure, aimed at protecting digital personal data, seeks to allow transfer of data outside India, and provides for penalties regarding data breaches.
The government plans to set up a panel to ensure compliance with the law, the bill said.
Titled The Digital Personal Data Protection Bill, 2022, the bill says, “The purpose of this Act is to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto.”
According to the bill, the provisions of the Act will apply to processing of digital personal data within the territory of India where:
(a) such personal data is collected from Data Principals online; and
(b) such personal data collected offline, is digitised.
The provisions of the Act will also apply to “processing of digital personal data outside the territory of India, if such processing is in connection with any profiling of, or activity of offering goods or services to Data Principals within the territory of India.”
On transfer of personal data outside India, the bill says, “The Central government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified.”
(With inputs from Reuters)