The Digital Personal Data Protection Bill, 2022 ("PDP Bill") was framed with an
aim to protect the personal data of individuals, to regulate the processing of
digital personal data while protecting the rights of the users, and to ensure
that the data collected by the data fiduciaries is done so in a free, fair, and
The initial draft of the PDP bill, 2019 was withdrawn by the Ministry stating
that a more comprehensive legal framework shall be drafted in the future. In
2022, the current version of the PDP Bill was tabled.
- Section 2 (4) of the Bill defines data as "a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means".
- Section 2 (13) defines Personal Data as "any data about an individual who is identifiable by or in relation to such data".
- Section 2 (14) defines Personal Data Breach as "any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data."
- Section 2 (5) defines Data Fiduciary as "any person who alone or in conjunction with other persons determines the purpose and means of the processing of personal data".
- Section 2 (6) defines Data Principal as "the individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child".
Applicability of the Bill:
- Section 4 of the Bill specifies that the PDP Bill shall apply to the processing of digital Personal Data within the territory of India if the data so processed are (i) obtained from Data Principals online and (ii) digitized from Personal Data obtained offline.
- The DPDP Bill will also be applicable to processing personal data outside of India if that processing is related to creating Indian-specific profiles of individuals or providing Indian-based Data Principals with products and services. "Any form of processing of Personal Data that analyses or predicts aspects concerning the behaviour, attributes, or interests of a Data Principal" is referred to as profiling in this context.
- Non-automated processing of personal data, offline processing of personal data, processing of personal data by an individual for any domestic or personal purpose, and the presence of personal data about an individual in a record that has been in existence for more than a hundred years are all exempt from the applicability of the bill.
Obligations of the Data Fiduciary:
- Consent: The Bill provides that the Data Fiduciary can process the data only in accordance with the rules and the guidelines provided in the Bill for a lawful purpose (Section 5). Further, it is mandatory for the data fiduciary to obtain the consent of the data principal before processing the personal data of the data principle (Section 6). Further, the data principle shall give consent to such processing of personal data after obtaining such request for consent from a data fiduciary. The consent sought must not infringe upon any provision of the Bill and such consent request must contain the details of the data protection officer (Section 7 (3)).
- Deemed consent: As per section 8 of the Bill, it shall be deemed that consent was given by the data principle in certain circumstances such as where the personal data is provided voluntarily, compliance with any judgment, responding to a medical emergency, in the public interest, etc (Section 8).
- Withdrawal of the consent: The Data principal shall have the right to withdraw the consent given by her for the purpose of processing the personal data at any time through a consent manager (Section 7(6)).
- Responsibility of the data fiduciary: The data fiduciary is responsible for ensuring that the data given is correct and accurate, protecting the personal data in their possession, and the data fiduciary shall be responsible for the contravention of any of the provisions of the Bill. In case of a data breach, it's the responsibility of the data fiduciary to inform the Board and the data principal (Section 9).
Obligations of data fiduciary in relation to the personal data of children:
Section 10 of the Bill states that the data fiduciary shall obtain verifiable
consent of the parents or the guardian before processing such data. Further, the
fiduciary shall not undertake, tracking or behavioral monitoring of children or
process any personal data which may cause harm to the children.
Obligations of Significant Data Fiduciary(SDF): Section 11 of the Bill states
that a significant data fiduciary, as notified by the Central Government shall
(a) appoint a Digital Protection Officer, who shall be responsible to the Board
of Directors, (b) an Independent Data Auditor, who shall evaluate the compliance
of SDF with the Act and, (c) undertake such other measures including Data
Protection Impact Assessment and periodic audit in relation to the objectives of
Rights of a Data Principle:
A Data Principle has the:
Duties of a Data Principle:
- Right to information about personal data. (Section 12)
- Right to correction and erasure of personal data (Section 13)
- Right to grievance redressal and, (Section 14)
- Right to nominate (Section 15).
A Data Principle has the duty to:
- Comply with the provisions of the Bill.
- Not to register a false or frivolous grievance or complaint with a Data Fiduciary or the Board.
- Not to furnish any false particulars or suppress any material information or impersonate another person.
- Furnish only such information as is verifiably authentic while exercising the right to correction or erasure under the provisions of this Act.
Transfer of Personal Data outside India: Section 17 of the Bill provides that
Central Government has the power to notify such countries to which the data
fiduciary may transfer the Personal Data.
Exemptions: The DPDP Bill grants the government the authority to exempt without
justification any state instrument in the interests of India's sovereignty and
integrity, security, cordial relations with other countries, preservation of
public order, etc. The JPC Report recommended having a "just, fair, reasonable,
and proportionate" system in place before approving any such exception, although
this advice is not considered by the exemptions under the DPDP Bill, which
provides the Government broad discretionary powers (Section 18).
Data Protection Board of India: Section 19 of the Bill empowers the Central
Government to constitute a Data Protection Board of India, an independent body.
The Government can also prescribe the powers, allocation of duties of the
members, and terms of the appointment of the members of the Board. Section 20 of
the Bill talks about the functions of the Board, which include the determination
of non-compliance with the provisions of the board, the power to investigate,
conduct an inquiry, give orders, etc (Section 20).
If there is a breach of personal data, the Board has the authority to order the
data fiduciary to take immediate action to fix the problem or lessen any damage
to the data principals. The independence of such a crucial position holder,
however, might come under scrutiny because the Government of India has
discretion over issues like the size and makeup of the Board, the appointment
and employment terms of the Chief Executive, the Chairperson, and other Board
The DPDP Bill also doesn't provide a deadline for the conclusion of an inquiry
conducted by the Board. An appeal against an order of the Board shall lie to the
High Court (Section 22). Further, the Board may also refer the dispute to
Alternate Dispute Resolution mechanisms (Section 23).
Voluntary Undertaking: The Board may accept any voluntary undertaking to take or
to refrain from taking a specified action within a reasonable time. Acceptance
of the voluntary undertaking by the Board shall constitute a bar on proceedings
under the provisions of this Act as regards the contents of the voluntary
undertaking (Section 24).
Penalty: The Board has the power to impose such penalty as prescribed in
Schedule 1 if the Board is of the opinion that the non-compliance with the Bill
is significant after giving the person an opportunity of being heard, however,
such penalty cannot be more than five hundred crore rupees in each instance