The central government has published a draft of data privacy laws, specifying penalties for security lapses, in order to invite feedback from the public.

The Indian federal government on Friday published a new draft of data privacy laws that would allow personal data transfer to other nations under certain conditions, and impose fines for breaches of data-transfer and data-collection regulations.

The proposed legislation has been in the works for about four years. Up until now, the Reserve Bank of India has enacted regulations that make businesses keep transaction data within the country. The government, though, has not issued more general data protection regulations such as the EU’s GDPR (General Data Protection Regulation), so companies have been exporting personal data in the absence of clear privacy rules.

“Cross-border interactions are a defining characteristic of today’s interconnected world,” according to an explanatory note from the government accompanying the bill. “Recognising this, it has been provided in the bill that personal data may be transferred to certain notified countries and territories.”

The bill itself explains that the federal government will notify the governments of other countries to which data may be exported, noting that there will be specific conditions that must be met in order for data to be transferred.

“The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified,” according to the draft.

A data fiduciary, according to the draft, could be any person or a group of persons who determines the purpose and means of processing personal data.

Conditions for data transfer outside India

The draft Digital Personal Data Protection Bill, for which the ministry of electronics and information technology has invited feedback from the public via a portal until December 17, also lays out the exemptions and conditions that must be considered for the transfer of personal data to other nations.

Some of these conditions include the need to process personal data to enforce legal rights or claims, or when processing data is in the interest of preventing, detecting or investigating any offence.

The draft also specifies certain conditions wherein the government can exempt itself from any of the provisions or statutes under the bill. The note published by the Indian government explained that national and public interest can be greater than the interest of an individual at certain times.

Regulations specify conditions for data collection

Further, the draft specifies that the data collected by any organization or institution should be used only for the purpose for which it was collected, and for which consent to the data collection has been given.

Additionally, the explanatory note from the ministry suggests that personal data cannot be stored perpetually by default and should be limited to a duration suited for the purpose it was collected for.

In terms of security or safeguarding personal data, the draft specifies that “reasonable safeguards are taken to ensure that there is no unauthorised collection or processing of personal data.” The safeguards, according to the government, are intended to prevent breaches of personal data.
The draft suggests the person who is processing personal data will be held accountable in case of a breach.

Stringent penalties for security infractions

The draft bill also proposes stringent penalties on any data processor in case of non-compliance with any of the clauses.

In the event of a personal data breach where the processor fails to take reasonable security safeguards, the draft proposes a penalty of up to US$30.8 million.

Additionally, in case the processor or entity fails to notify the government board of a breach, a fine of $24.5 million will be imposed, the draft specified. The maximum penalty for a particular instance of non-compliance would be a fine of up to $61 million, according to the draft.

The draft comes at a time when governments around the world are either planning or implementing personal data privacy laws.

India’s data privacy laws, when introduced, are expected to cover any business entities operating within the country or intending to process data of Indian citizens, similar to the GDPR regulations and the California Consumer Privacy Act.