Below are some of the key aspects of the proposed "Digital Personal Data Protection Bill".
* The government will have the power to specify the countries to which companies can transfer personal data. This will allow companies to send user data to servers in countries on that list.
* The government has the power to exempt state agencies processing data from the proposed law in the interest of national security.
* The government will establish a "Data Protection Board" for ensuring compliance with the proposed law. The board will also hear user complaints.
* Companies of "significant" size - based on factors such as the volume of data they process - should appoint an independent data auditor to evaluate compliance with provisions of the law.
* The Data Protection Board can levy financial penalties for non-compliance. Failure of entities to take reasonable security safeguards to prevent data breaches could result in fines of up to 2.5 billion rupees ($30.6 million), the draft proposal said.
* Companies will be required to stop retaining user data if it no longer serves the business purpose for which it was collected. Users shall have the right to correction and erasure of their personal data.
* No company or organisation will be allowed to process personal data that is "likely to cause harm" to children, and advertising cannot target children. Before processing any personal data of a child, parental consent will be required.
* The law will cover personal data collected online and digitised offline data. It will also apply to the processing of personal data abroad, if such data involves profiling Indian users or selling services to them.
(Reporting by Arpan Chaturvedi and Munsif Vengattil; Editing by Aditya Kalra and Tom Hogue)
By Arpan Chaturvedi and Munsif Vengattil
