India lacked effective data protection laws. The Personal Data Protection Bill 2019, which had been under development for five years, was withdrawn by the government after it was drafted. The country’s data protection and privacy concerns will instead be governed by the new Digital Personal Data Protection statute, which is an updated version of the PDP Bill.
The Personal Data Protection Bill, 2019 was tabled by the government in the Lok Sabha in 2019. The Bill was withdrawn in August 2022 because its provisions were found insufficient to meet international standards for data protection.
The Digital Personal Data Protection Bill, 2022 (DPDPB) was released in November 2022 by the Ministry of Electronics and IT. When the DPDPB becomes an Act, it will be substantially simpler than its predecessor’s versions and will seek to revise and eliminate some of the important elements of the Right to Information Act, 2005 and the (Indian) Information Technology Act, 2000 (IT Act).
How is the DPDPB significant?
- A thorough analysis of comparable legislation in the EU, Singapore, and many other jurisdictions led to the creation of the proposed bill.
- The proposed legislation would make the law more predictable and give businesses the chance to align their practices with the proposed rules.
- The new Bill significantly relaxes restrictions on cross-border data transfers, reversing the controversial provision of the old Bill that data be stored locally inside India’s borders.
- It takes a somewhat more liberal approach to data localization and streamlines data flows to certain foreign locations, which is anticipated to promote commercial agreements between governments.
- The new DPDPB recognizes the data principal’s right to postmortem privacy (Withdraw Consent), which was not the case in the old PDP Bill.
Applicability and non-applicability:
Clause 4 of the Bill sets out where it applies and where it does not:
- Processing of personal data collected on Indian soil, whether it is collected online or collected offline and then converted to digital form.
- Processing of personal data outside India, provided that the processing relates to profiling Indian consumers or offering goods and services to Indian consumers. “Any kind of processing of personal data that assesses or forecasts elements relating to the behavior, qualities, or interests of a Data Principal” is referred to as profiling in this context.
- Not applicable to:
  - Manual processing of personal data
  - An individual’s offline data
  - Any processing of personal data by an individual for domestic or personal purposes
  - Personal information contained in a document that is at least 100 years old.
The seven guiding principles of the data economy are the foundation of the Digital Personal Data Protection Bill 2022:
- Rightful Use: Organizations must use personal data in a way that is lawful, fair and transparent to the individuals involved.
- Resolute Dissemination: Personal data shall only be used for the purposes for which it was collected.
- Relevant Data Collection: Data Minimization requires that only the data strictly necessary to achieve a stated purpose be collected.
- Data Reliability: The data collected must be accurate and kept up to date at all times.
- Retention Period: Personal data cannot be stored indefinitely by default and should only be kept for a defined period.
- Authorized processing and collection: Reasonable measures should be taken to guarantee that no personal data is collected or processed unlawfully.
- Accountability: The party that decides the purpose and means of processing personal data is responsible for how that data is used.
Rights of data principal:
Right to Access the information:
This right allows data principals to access information about the processing of their data in any of the languages listed in the 8th Schedule of the Indian Constitution.
Right to consent:
- Before their data is processed, individuals must give their consent, and every individual must be told what type of personal data a Data Fiduciary wishes to collect and the purpose of collecting and processing it.
- Additionally, people have the option to revoke their consent from a data fiduciary.
Right to erase:
This right allows data principals to request the deletion or correction of the data held about them by a data fiduciary.
Right to Nominate:
In the event of their death or incapacity, data principals may nominate another person to exercise these rights on their behalf.
Obligations of a data fiduciary:
The DPDPB stipulates that consent must be freely given, specific, informed, and unambiguous, and must express the data principal’s wishes about the processing of their personal data for the stated purpose. Every time a data fiduciary asks a data principal for consent, it must do so in plain, understandable language and include the contact details of a data protection officer.
A data fiduciary is required to give the data principal a notice in plain language before or at the time of requesting the data principal’s consent.
- Breach notifications:
To ensure compliance with the DPDPB, a data fiduciary must implement the required organizational and technical measures. To prevent any breach of a data principal’s personal data, every data fiduciary and data processor is obliged to adopt reasonable security safeguards to protect the personal data in their possession or control.
- Children’s processing requirement:
A data fiduciary must obtain verifiable consent from a parent or guardian before processing any child’s personal data.
Data Protection Board:
The DPDPB calls for the creation of an independent body, the Data Protection Board, which will serve as the enforcement authority responsible for carrying out the Bill’s provisions and imposing penalties in cases of non-compliance.
In the event of a personal data breach, the Board has the authority to direct the data fiduciary to take urgent remedial action or to mitigate any harm to the data principals.
The central government appoints the Board’s members, including the chairperson, the chief executive, and the officers and staff responsible for managing the Board’s activities, and all of them are deemed to be public servants.
The Board, its chairperson, members, employees, and officers shall not be subject to any suit, prosecution, or other legal proceeding for anything done, or intended to be done, in good faith under the provisions of this Act.
Cross-border Data Transfer:
The Bill permits the storage and transfer of data across international borders to “certain notified nations and territories,” provided that they have an adequate data security environment and that the government can access such data from within India.
Penalties:
For Data Fiduciary: The Bill proposes large fines on companies that suffer data breaches or fail to notify customers when breaches occur. The fines would range from Rs 50 crore to Rs 500 crore.
For Data Principal: A user who provides false documentation while registering for an e-commerce service or files frivolous grievances may be subject to a penalty of up to Rs 10,000.
Exemptions from Applicability:
The DPDPB grants the government the authority to exempt any state agency in the interests of India’s sovereignty and integrity, national security, friendly relations with foreign states, maintenance of public order, etc., without having to provide a justification.
For ease of comprehension, the definitions above have been condensed. The Bill permits the storage and transfer of data across international borders to “certain notified nations and territories,” although it is still unclear which countries will be covered. Earlier iterations of the bill were criticized for being too compliance-heavy, but the new DPDPB 2022 is friendlier to start-ups, since it gives the government the power to exempt certain companies from the Bill’s requirements based on the volume of personal data they process and the number of users they serve. Additionally, the Bill grants the government the authority to grant exemptions on grounds of national security and the preservation of public order.