A General Overview of India’s Digital Personal Data Protection Bill, 2022

The Digital Personal Data Protection Bill, 2022, commonly known as the DPD Bill, aims to regulate the collection, storage and processing of personal data of individuals by both government and private entities, protect the privacy and personal data of individuals, ensure transparency and accountability in data processing, and establish a framework for the digital economy in India.

The DPD Bill is based on the landmark "Puttaswamy" judgment delivered by the Hon’ble Supreme Court of India on August 24, 2017, which recognized the right to privacy as a fundamental right under the Constitution of India. This draft DPD Bill, 2022 was released by the Indian Government on November 18, 2022, following the withdrawal of the Personal Data Protection Bill, 2019.

The following are the key highlights of the DPD Bill, 2022.

1. Applicability: The DPD Bill defines personal data as any data about an individual who is identifiable by or in relation to such data and applies to the processing of digital personal data within the territory of India that is either (i) collected online, or (ii) collected offline and later digitized. The DPD Bill will also apply to the processing of personal data outside India, if it is for offering goods or services or profiling individuals in India.

2. Notice: The DPD Bill provides that the Data Fiduciary should provide an itemized notice of the personal data to be collected and the purpose of processing such personal data, and obtain consent from the Data Principal on or before processing such personal data. The language of the notice should be clear and plain. The Data Fiduciary shall give the Data Principal the option to access the information in English or any language specified in the Eighth Schedule to the Constitution of India.

3. Consent and Deemed Consent: The DPD Bill states that consent should be free, specific, informed and unambiguous. The Bill further adds that the Data Principal is deemed to have given consent to the processing of their personal data if such processing is necessary for: (i) performance of any function under a law, (ii) provision of service or benefit by the State, (iii) medical emergency, (iv) employment purposes, and (v) specified public interest purposes such as national security, fraud prevention, and information security. For individuals below 18 years of age, consent will be provided by the legal guardian.

4. Rights and duties of Data Principal: A Data Principal whose data is being processed will have the right to:

i. confirmation whether the data fiduciary is processing or has processed personal data of the data principal;

ii. a summary of the personal data being processed or that has been processed and the processing activities;

iii. identities of all the Data Fiduciaries with whom the personal data has been shared along with the categories of personal data so shared;

iv. any other information as may be prescribed by the Central Government,

v. correction and erasure of personal data,

vi. seek grievance redressal, and

vii. nominate any other individual to exercise the above-mentioned rights under the Proposed Law in the event of the death of the data principal.

The DPD Bill also provides that violation of duties will be punishable with a penalty of up to Rs 10,000/-.

5. Obligations of Data Fiduciaries: A Data Fiduciary processing the data of a Data Principal must:

i. make reasonable efforts to ensure the accuracy and completeness of data,

ii. protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breach, and

iii. notify the Board and each affected Data Principal in the event of a breach of personal data.

6. Transfer of Personal Data Outside India: The central government will notify countries where a data fiduciary may transfer personal data.

7. Exemptions: The central government may, by notification, exempt certain activities from the application of provisions of the DPD Bill. These include: (i) processing by government entities in the interest of the security of the state and public order, and (ii) research, archiving, or statistical purposes.

8. Data Protection Board of India: The central government will establish the Data Protection Board of India. Key functions of the Board include: (i) monitoring compliance and imposing penalties, (ii) directing data fiduciaries to take necessary measures in the event of a data breach, and (iii) hearing grievances made by affected persons. The central government will prescribe: (i) composition of the Board, (ii) selection process, (iii) terms and conditions of appointment and service, and (iv) manner of removal.

9. Penalties: The schedule to the DPD Bill specifies penalties for various offences such as: (i) up to Rs 200 crore for non-fulfilment of obligations for children and (ii) up to Rs 250 crore for failure to take security measures to prevent data breaches. Penalties will be imposed by the Board after conducting an inquiry and after giving the person a reasonable opportunity of being heard. The DPD Bill has entirely omitted any kind of criminal penalty for non-compliance with the provisions of the DPD Bill.



