What’s in the Personal Data Protection Bill?

The Joint Committee of Parliament (JCP) on the Personal Data Protection Bill tabled its report in both Houses.

Major recommendations:

Non-Personal Too: The key recommendation, which changes the nature of the Bill itself, is the inclusion of non-personal data within the larger umbrella. This means that all issues under the new legislation will be dealt with by a single Data Protection Authority (DPA) instead of separate ones for personal and non-personal data.

Transition Period: To ensure that data aggregators get ample time to comply with the rules under the new Bill, the JCP suggested that up to 24 months be given from the date of notification of the Act.

Social Media Liability: A third major recommendation is that social media platforms that do not act as intermediaries should be treated as publishers, and therefore be held liable for the content they host.

Penalty: The committee has recommended a fine of up to Rs 15 crore or 4% of the total global turnover of the firm for data breaches, and a jail term of up to 3 years if de-identified data is re-identified.

Timely Alert: In case of any data breach, the data aggregator or fiduciary must notify the DPA within 72 hours of becoming aware of it.