11/20/22, 1:39 PM Upto ₹500 crore penalty for non-compliance, easy cross-border data transfer: The new Digital

Digital Personal Data Protection Bill, 2022

News Columns Interviews Law Firms Apprentice Lawyer Legal Jobs हिंदी ಕನ್ನ ಡ

News

Upto ₹500 crore penalty for non-compliance, easy

cross-border data transfer: The new Digital
Personal Data Protection Bill, 2022
While India will finally have a data protection legislation to secure the right to
privacy of its citizens, data protection advocates have raised concerns over the
powers given to the executive.

Digital

Aamir Khan

Published on : 20 Nov 2022 8:19 am 4 min read

https://www.barandbench.com/news/upto-500-crore-penalty-for-non-compliance-easy-cross-border-data-transfer-the-new-digital-personal-data-protect… 1/8
11/20/22, 1:39 PM Upto ₹500 crore penalty for non-compliance, easy cross-border data transfer: The new Digital Personal Data Protection Bill, 2022
Published on : 20 Nov, 2022, 8:19 am 4 min read

The revised Digital Personal Data Protection Bill, 2022 released by the Ministry
of Electronics and Information Technology (MeitY) for public consultation has
proposed fines of up to ₹500 crore for non-compliance and has eased cross-
border transfer of data to certain countries. 

While India will finally have a data protection legislation to secure the
fundamental right to privacy of its citizens in an ever-increasingly cyber-centric
world, data protection advocates have pointed out a few issues with the
proposed legislation, particularly the powers the executive can assume through
it.

A business-friendly legislation?

Existing laws allow data transfer to other countries, provided the receiving
entity follows the same security requirements provided in Indian laws.  

“For a business entity, you have to carry out an assessment of our jurisdiction;
of that entity and then map it against the requirement in your entity. Compare
this to a situation where you have a business in a whitelisted country, you can
send and receive data from, so your life becomes so much easier,” explained
data privacy lawyer and Partner at Khaitan & Co, Supratim Chakraborty.

https://www.barandbench.com/news/upto-500-crore-penalty-for-non-compliance-easy-cross-border-data-transfer-the-new-digital-personal-data-protect… 2/8
11/20/22, 1:39 PM Upto ₹500 crore penalty for non-compliance, easy cross-border data transfer: The new Digital Personal Data Protection Bill, 2022

Supratim Chakraborty

Chakraborty said it was a “leaner, more succinctly drafted” Bill. 

“That’s an achievement. It makes it easy to understand. From my assessment of

this Bill qua the previous one, it is more business-friendly. At the same time, it is
trying to see that personal data is protected,” he said.

The Central government has called cross-border interactions a "defining

characteristic" of the present inter-connected world.

"Recognising this, it has been provided in the Bill that personal data may be
transferred to certain notified countries and territories. An assessment of
relevant factors by Central Government would precede such a notification," the
Bill said.

Data Protection Board for regulation

The draft Bill also stated that the Central government would constitute a Data
Protection Board comprising a government-appointed chief executive and
other members. These officials would, however, face “no suit, prosecution or
other legal proceedings” for anything done in good faith under the provisions of
this law.

The Board would penalise violators for amounts of up to ₹500 crore given the
nature, gravity and duration of the non-compliance of provisions of the
proposed law. If an individual to whom the personal data relates is found in
violation of any of her duties, then a fine of ₹10,000 will be imposed. 

Chakraborty said though these numbers are big, there would be certain criteria
for the actual quantum.

“It was important to send out a message that perhaps you cannot go scot-free if
you are large player, and get away with a meagre penalty. The government is
consciously trying to de-criminalise laws so they are not talking about
imprisonment. When there is no imprisonment, there has to be some stick that
you have attach to the law wherein the people actually be scared,” he said.
https://www.barandbench.com/news/upto-500-crore-penalty-for-non-compliance-easy-cross-border-data-transfer-the-new-digital-personal-data-protect… 3/8
11/20/22, 1:39 PM Upto ₹500 crore penalty for non-compliance, easy cross-border data transfer: The new Digital Personal Data Protection Bill, 2022

Proposed jurisdiction of challenge

Among the various functions, the Board would initiate inquires by acting on
complaints of individuals or references made to it by the Central or state
governments. The Bill states that no civil court would have any jurisdiction over
any appeal arising out of its orders under the proposed law. 

An appeal against any order of the Board shall lie to the High
Court
Data Protection Bill

“An appeal against any order of the Board shall lie to the High Court. Every
appeal made under this section shall be preferred within a period of sixty days
from the date of the order appealed against,” it said.

According to the draft Bill, the Central government, “in the interest of security
and integrity of India,” would exempt State agencies from the provisions of the
Bill.  

“Acknowledging national and public interest is at times greater than the interest
of an individual, a clear grounds-based description of exemptions has been
incorporated in the Bill,” said an explanatory note on the Bill.

Consent and deemed consent

On August 3, 2022, a previous version of the Bill was withdrawn from Parliament
by the Central government after considering the report of the Joint
Parliamentary Committee.  

The new proposed law requires consent of the individual for the processing of
personal data and the individual can withdraw the consent at any point in time
except in situations of public interest, compliance of judicial orders, and other
situations where it would be considered deemed consent.  
https://www.barandbench.com/news/upto-500-crore-penalty-for-non-compliance-easy-cross-border-data-transfer-the-new-digital-personal-data-protect… 4/8
11/20/22, 1:39 PM Upto ₹500 crore penalty for non-compliance, easy cross-border data transfer: The new Digital Personal Data Protection Bill, 2022
s tuat o s w e e t wou d be co s de ed dee ed co se t.  

"Consent should not be perpetual and irrevocable in order for individual to

exercise meaningful control over her personal data. Thus, it has been provided
in the Bill that consent may be withdrawn by the Data Principal," it said.

The Bill also disallows processing of personal data of children, reasoning that
the same could cause harm to a child. 

“A data fiduciary shall not undertake tracking or behavioural monitoring of

children or targeted advertising directed at children,” it added.

Some have, however, raised concerns over the powers proposed to be given to
the executive in terms of framing rules under the legislation.

Digital rights advocacy group Internet Freedom Foundation tweeted about the
“lack of legislative guidance” throughout the Bill. 

“For the 30 clauses, we have noticed the phrase, ‘as may be prescribed’
mentioned 18 times, often without any legislative guidance. This creates vague,
unguided power for the Union Government to frame rules,” it added.

Internet Freedom Foundation (IFF)

@internetfreedom · Follow

Short Statement: MeitY has released the Digital

Personal Data Protection Bill, 2022 (DPDPB) for
public consultation. We encourage wide public
participation and welcome any efforts to legally
recognise data protection but have wide-ranging
concerns. 1/n
2:55 PM · Nov 18, 2022

Read the full conversation on Twitter

252 Reply Share

Read 5 replies

IFF pointed out that the proposed Data Protection Board lacks autonomy and
independence, and would be created and appointed on conditions "as may be
ib d"
https://www.barandbench.com/news/upto-500-crore-penalty-for-non-compliance-easy-cross-border-data-transfer-the-new-digital-personal-data-protect… 5/8
11/20/22, 1:39 PM Upto ₹500 crore penalty for non-compliance, easy cross-border data transfer: The new Digital Personal Data Protection Bill, 2022
prescribed".

"Can such a board reasonably enforce compliance from public authorities?” it

asked.

Mishi Choudhary

Technology activist and online civil rights activist Mishi Choudhary in a

statement issued on Friday said that the Bill ought be called the ‘As May Be
Prescribed By Govt Bill’, as a lot is left to the Rules to be framed by the Centre.

"Rules that the Executive in India has a track record of exploiting to expand its
powers," she pointed out.

Choudhary said that the Bill did not meet the expectations of people protection,
but ensured that the government retained all powers without any checks or
balances.

[Read the Bill and explanatory note]

Attachment

PDF The Digital Personal Data Protection Bill, 2022.pdf

Preview

https://www.barandbench.com/news/upto-500-crore-penalty-for-non-compliance-easy-cross-border-data-transfer-the-new-digital-personal-data-protect… 6/8
11/20/22, 1:39 PM Upto ₹500 crore penalty for non-compliance, easy cross-border data transfer: The new Digital Personal Data Protection Bill, 2022

Attachment

PDF Explanatory Note.pdf

Preview

Central government data privacy MEITY

Digital Personal Data Protection Bill, 2022

Related Stories
High Courts flooded with bail petitions because district judges
hesitant to grant bail due to fear of being targeted: CJI DY
Chandrachud
Debayan Roy 4 hours ago

Bombay High Court grants interim relief to marriage hall

owner to avoid 'heart break' to bride, groom who booked hall for
wedding
Narsi Benwal 4 hours ago

l i h ll f i i i fi hi h
https://www.barandbench.com/news/upto-500-crore-penalty-for-non-compliance-easy-cross-border-data-transfer-the-new-digital-personal-data-protect… 7/8
11/20/22, 1:39 PM Upto ₹500 crore penalty for non-compliance, easy cross-border data transfer: The new Digital Personal Data Protection Bill, 2022

Kerala High Court calls for action against private firm which
offered helicopter service to Sabarimala without permit
Giti Pratap 6 hours ago

POCSO Act overrides Muslim personal law; husband liable for

sex with minor Muslim wife: Kerala High Court

Giti Pratap 7 hours ago

News ⌄

Interviews ⌄
Columns ⌄

Others ⌄
Law Firms ⌄

Follow Us

Subscribe

Terms Of Use | Privacy Policy | Contact Us | Careers | Advertise With Us | About Us

Copyright © 2021 Bar and Bench. All Rights Reserved

Powered By Quintype

https://www.barandbench.com/news/upto-500-crore-penalty-for-non-compliance-easy-cross-border-data-transfer-the-new-digital-personal-data-protect… 8/8