ET reviewed some portions of the Bill that has been renamed as theBill. It is expected to be released for public consultation in the next few days.
If any organisation, data fiduciary or processor, handling personal data of users fails to “take reasonable security safeguards to prevent personal data breach”, a penalty of up to Rs 200 crore may be levied, according to the draft Bill.
Further, if an organisation fails to “notify the (Data Protection) Board and affected Data Principals (users) in the event of a personal data breach that is likely to result in significant harm to data principals, a penalty of up to Rs 150 crore shall be applicable,” it stated.
A similar penalty may be imposed in case of non-fulfilment of some additional obligations in relation to children. A child has been defined as a person who has not completed 18 years of age.
The proposed Board will be led by a chairperson as well as full and part-time members with varied experience and qualifications. They will be considered civil servants during their tenure with the Board. ET reported on November 16 that the government will allow transfer of data and its storage in “trusted geographies” in the revised draft of theBill, doing away with the data localisation requirement proposed in the earlier version.
The government will define which geographies are “trusted” from time to time.
Criminal penalties proposed on staff of companies involved in data breach may also be scrapped in the new draft, which is likely to be released for public consultation in the next few days.