I&B Ministry
Government announces draft bill on personal data protection; proposes penalty of up to Rs 500 cr
Mumbai: The ministry of electronics and information technology (MeitY) has formulated a draft bill, titled “The Digital Personal Data Protection Bill 2022.” In a press release published on Friday, the ministry invited feedback from the public on the draft bill. According to the statement, the draft is open for public comment till December 17.
As expected to be presented in the next session of parliament, the purpose of the draft bill, as stated in the official statement from the ministry, is to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process personal data for lawful purposes and for matters connected therewith or incidental thereto.
In addition to this, the ministry has further stated that it has raised the penalty amount to up to Rs 500 crore for violating the provisions proposed under the draft bill. The draft bill, released in 2019, proposed a penalty of Rs 15 crore or four per cent of the global turnover of an entity.
The proposed bill comes in place of the Data Protection Bill, which was withdrawn by the ministry in August this year. The draft proposes to set up a Data Protection Board of India, which will carry out functions as per the provisions of the bill.
“The Digital Personal Data Protection Bill”
The Digital Personal Data Protection Bill frames out the rights and duties of the citizen (Digital Nagrik) on the one hand and the obligations to use collected data lawfully of the data fiduciary on the other.
In an explanatory document issued by the MeitY, seven principles around the data economy have been listed on which the bill is based:
The first principle is that organisations must use personal data in a way that is legal, fair to the individuals involved, and transparent to individuals.
The second principle of purpose limitation is that the personal data is used for the purposes for which it was collected.
The third principle of data minimisation is that only those items of personal data required for attaining a specific purpose must be collected.
The fourth principle of accuracy of personal data is that reasonable efforts are made to ensure that the personal data of the individual is accurate and kept up-to-date.
The fifth principle of storage limitation is that personal data is not stored perpetually by default. The storage should be limited to such a duration as is necessary for the stated purpose for which personal data was collected.
The sixth principle requires that reasonable safeguards be put in place to prevent the unauthorised collection or processing of personal data. This is intended to prevent personal data breaches.
The seventh principle is that the person who decides the purpose and means of processing personal data should be accountable for such processing.
These principles have been used as the basis for personal data protection laws in various jurisdictions. The actual implementation of such laws has allowed the emergence of a more nuanced understanding of personal data protection wherein individual rights, public interest, and ease of doing business, especially for startups, are balanced.
Financial penalty:
“If the board determines at the conclusion of an inquiry that non-compliance by a person is significant, it may, after giving the person a reasonable opportunity of being heard, impose such a financial penalty as specified in Schedule 1, not exceeding rupees five hundred crore in each instance,” stated the draft.
Other obligations included are:
The draft bill has proposed a graded penalty system for data fiduciaries that will process the personal data of data owners only in accordance with the provisions of the act.
The same set of penalties will be applicable to the data processor — which will be an entity that processes data on behalf of the data fiduciary.
The draft has proposed a penalty of up to Rs 250 crore in case the data fiduciary or data processor fails to protect against personal data breaches in its possession or under its control.
The draft has also proposed a penalty of Rs 200 crore in case the data fiduciary or data processor fails to inform the board and data owner about the data breach.
Furthermore, in the draft issued by the MeitY, there is a provision to allow entities to transfer the personal data of a citizen outside the country in cases where the processing of personal data is necessary for enforcing any legal right or claim, the performance of any judicial or quasi-judicial function, the investigation or prosecution of any offence, or the data owner is not within the territory of India and has entered into any contract with any person outside the country.
“The central government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a data fiduciary may transfer personal data,” it added.
I&B Ministry
MeitY extends deadline for feedback on digital media rules overhaul
Government gives stakeholders more time to respond to proposed changes in intermediary guidelines.
MUMBAI: When the rulebook gets a rewrite, even the internet needs a little extra time to read the fine print. Regulators have extended the deadline for public feedback on a proposed overhaul of India’s digital media and intermediary liability framework, giving stakeholders until April 29 to submit their views. In a notice issued on April 10, the Ministry of Electronics and Information Technology (MeitY) said it was extending the consultation period for draft amendments to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, following representations from several stakeholders.
At the heart of the proposals is a significant shift in how social media platforms and other intermediaries must respond to government communications. A new provision would make compliance with official “clarifications, advisories, directions, standard operating procedures and guidelines” a formal part of the due diligence obligations required to retain safe harbour protection under Section 79 of the Information Technology Act.
The amendments would also expand the scope of content oversight under Part III of the rules. The digital media ethics code would now apply not only to publishers but also to intermediaries hosting or transmitting user-uploaded news and current affairs content. This could bring user-generated news more directly under regulatory scrutiny.
Additionally, the Inter-Departmental Committee’s powers would be broadened, allowing it to take up matters referred directly by the ministry rather than waiting for formal complaints. This signals a more proactive approach to content monitoring.
The existing IT Rules already impose strict requirements on intermediaries, including timely removal of unlawful content, grievance redressal mechanisms, and traceability in certain cases. Recent updates have also introduced obligations around labelling synthetically generated content.
Officials have described the amendments as necessary to create an “Open, Safe, Trusted and Accountable Internet” while improving legal clarity and enforceability.
With the extended deadline now set for April 29, the government has given industry bodies, civil society, and digital platforms additional time to respond to changes that could significantly reshape how online platforms operate and are governed in India.
In the fast-scrolling world of digital regulation, a little extra time to read the small print might just prevent bigger headaches down the line.
