The central government has published a draft of data privacy laws, specifying penalties for security lapses, in order to invite feedback from the public.

The Indian federal government on Friday published a new draft of data privacy laws that would allow personal data transfer to other nations under certain conditions, and impose fines for breaches of data-transfer and data-collection regulations.

The proposed legislation has been in the works for about four years. Up until now, the Reserve Bank of India has enacted regulations that make businesses keep transaction data within the country. The government, though, has not issued more general data protection regulations such as the EU’s GDPR (General Data Protection Regulation), so companies have been exporting personal data in the absence of clear privacy rules.

“Cross-border interactions are a defining characteristic of today’s interconnected world,” according to an explanatory note from the government accompanying the bill. “Recognising this, it has been provided in the bill that personal data may be transferred to certain notified countries and territories.”

The bill itself explains that the federal government will notify the governments of other countries to which data may be exported, noting that there will be specific conditions that must be met in order for data to be transferred.

“The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified,” according to the draft.

A data fiduciary, according to the draft, could be any person or a group of persons who determines the purpose and means of processing personal data.

Conditions for data transfer outside India

The draft Digital Personal Data Protection Bill, for which the ministry of electronics and information technology has invited feedback from the public via a portal until December 17, also lays out the exemptions and conditions that must be taken into account when considering the transfer of personal data to other nations.

Some of these conditions include the need to process personal data to enforce legal rights or claims, or when processing data is in the interest of preventing, detecting or investigating any offence.

The draft also specifies certain conditions wherein the government can exempt itself from any of the provisions or statutes under the bill. The note published by the Indian government explained that national and public interest can be greater than the interest of an individual at certain times.

Regulations specify conditions for data collection

Further, the draft specifies that the data collected by any organization or institution should be used only for the purpose for which it is collected, and for which consent to the data collection has been given.

Additionally, the explanatory note from the ministry suggests that personal data cannot be stored perpetually by default and should be limited to a duration suited for the purpose it was collected for.

In terms of security or safeguarding personal data, the draft specifies that “reasonable safeguards are taken to ensure that there is no unauthorised collection or processing of personal data.” The safeguards, according to the government, are intended to prevent breaches of personal data.
The draft suggests the person who is processing personal data will be held accountable in case of a breach.

Stringent penalties for security infractions

The draft bill also proposes stringent penalties on any data processor in case of non-compliance with any of the clauses.

In the event of a personal data breach where the processor fails to take reasonable security safeguards, the draft proposes a penalty up to US$30.8 million.

Additionally, in case the processor or entity fails to notify the government board of a breach, a fine of $24.5 million will be imposed, the draft specified. The maximum penalty imposed in a particular instance of non-compliance would attract a fine up to $61 million, according to the draft.

The draft comes at a time when governments around the world are either in the process of planning or implementing personal data privacy laws.

India’s data privacy laws, when introduced, are expected to cover any business entities operating within the country or intending to process data of Indian citizens, similar to the GDPR and the California Consumer Privacy Act.