Data Protection Bill Likely To Cap Penalty For Breaches At Rs 250 Crore: Report

The Data Protection Bill which was recently approved, may cap the penalty at Rs 250 crore for data breaches. The earlier proposed amount for data breaches was Rs 500 crore, says a report in The Hindu BusinessLine (HBL). The Digital Personal Data Protection (DPDP) Bill recently received approval from the Union Cabinet and will be presented in the upcoming monsoon session of Parliament. 

The new draft Bill has the provision of penalties ranging up to Rs 250 crore for each incident of data breaches failing to take safeguards to prevent personal data breaches. According to HBL, which has seen the revised Bill, schedule 1 of the Bill specifies the quantum of various penalties, that range from Rs 10,000 to Rs 250 crore depending on the seriousness of the violation.

Also read: Huawei May Return To 5G Smartphones Market With New Mate Series, Overcome US Sanctions

The impetus for the Data Protection Bill came after the Supreme Court's landmark ruling on August 27, recognising the Right to Privacy as a fundamental right. In response, the government withdrew the previous Bill, which was originally introduced in late 2019, and presented a revised version in November 2022.

The draft Bill underwent an extensive consultation process before being presented to the Cabinet. Approximately 21,660 suggestions were received and thoroughly considered. Consultations were held with 48 external organisations and 38 government entities, ensuring a comprehensive approach in finalising the draft. Once enacted, the Bill will require both public and private entities to obtain consent from users for the collection and processing of their data.

Also read: Tata Group Set To Finalise Deal To Acquire Wistron Factory, Become First Indian iPhone Maker: Report

Criticism was directed towards the draft Bill due to concerns regarding the government's power to exempt entities from certain clauses. The draft proposed exemptions for entities notified by the government, relieving them from the obligation to notify citizens about the purpose of data collection and processing. However, the source clarified that exemptions for government or government-notified entities would only apply in special cases, such as pandemics or law and order situations.