India has proposed a new data privacy law that will mandate how companies handle data of its citizens, three months after it withdrew the previous one. The nation’s IT ministry published a draft of the proposed rules, called the Digital Personal Data Protection Bill 2022, for public consultation.

It will hear views from the public until December 17, 2022. The draft permits cross-border interactions of data with certain notified countries and territories. The proposal also seeks to give New Delhi (the federal government) the powers to exempt state governments from the law in the interest of national security.

The draft also proposes that companies only use the data they have collected on users for the purpose they obtained them originally. It also seeks accountability from the firms that they ensure that they are processing the personal data for the users for the precise purpose they collected it. It also asks that companies do not store the data perpetually by default.

The draft proposes a penalty of up to USD 30. 6 million in the event a firm fails to provide ‘reasonable security safeguards to prevent personal data breach’. There’s another USD 24.

5 million fine if the firm fails to notify the local authority and users for failure to disclose personal data breach. The withdrawal of the 2019 bill In August, the Indian government withdrew its earlier Personal Data Protection Bill that was unveiled in 2019 after much anticipation and judicial pressure. The earlier proposed rules were touted to help protect the citizens’ personal data by categorising it into different segments based on their nature, such as sensitive or critical.

However, the new version does not segregate data as such. The proposed rules, which are expected to be discussed in the parliament after receiving public consultation, would not bring any changes to select controversial laws in the country that were drafted more than a decade ago. New Delhi is, though, working on updating its two-decade-old IT law that would debut as the Digital India Act.

It will segregate intermediaries and come as the endgame. Similar to Europe’s GDPR and the CCPA (California Consumer Privacy Act) in the US, India’s proposed Digital Personal Data Protection Bill 2022 will apply to businesses operating in the country and to any entities processing the data of Indian citizens. What is the big tech saying? India’s regulatory push comes after the EU passed landmark laws earlier in 2022 that are expected to set the global standard for how large online platforms such as Amazon and Facebook must operate.

The US is among the countries considering similar legislation, as regulators around the world crack down on the market power of the world’s biggest tech groups. Meta, Google, and Amazon were some of the companies that had expressed concerns about some of the recommendations by the joint parliamentary committee on the proposed bill. However, India’s minister of state for electronics and information technology, pushed back against criticism from these technology groups, which had complained about the draft bill’s compliance costs and some of its provisions, including a requirement that companies store data locally in India.

Alongside tech companies’ complaints about the bill, which was drafted in 2019, privacy advocates had warned that it would have given authorities carte blanche to access users’ data in areas deemed matters of national security. .