
Class Notes - Lecture 10 The Digital Personal Data Protection Bill

The Digital Personal Data Protection Bill, 2022 aims to safeguard personal data and establish a regulatory framework for data protection in India. It outlines the obligations of data fiduciaries, rights of data principals, and the establishment of a Data Protection Board to oversee compliance and address breaches. The bill also includes provisions for penalties for non-compliance and emphasizes the importance of data localization and protection in the growing digital economy.

Date: 26-11-2022

Notes on The Digital Personal Data Protection Bill, 2022

Objective: To discuss the proposed Digital Personal Data Protection Bill, 2022

➢ What is Data Protection?

• Data protection is the process of safeguarding personal data/personal information from corruption, compromise or loss and providing the capability to restore the data to a functional state should something happen to render the data inaccessible or unusable.
• Data protection assures that data is not corrupted, is accessible for authorized purposes only, and is in compliance with applicable legal or regulatory requirements. Protected data should be available when needed and usable for its intended purpose. [1]
• The importance of data protection increases as the amount of data created and stored continues to grow at unprecedented rates. There is also little tolerance for downtime that can make it impossible to access important information.

➢ Need for Data Protection:

• If the data is not safeguarded, it might get compromised and we might lose the data.
• Curtail financial losses: With the advent of digitization, the cost of data has increased manyfold. Businesses rely heavily on data, and if they lose the data or its protection is breached, they might incur huge financial losses.
• Legal obligations: There are now laws governing data protection across the globe, for example the GDPR and the national laws of various other nations. To match their requirements and comply with them internationally, while adhering to data protection best practices, every country needs its own data protection law.
• Customers' requirement: Companies collect huge amounts of data about their customers for various purposes. This data contains both personal and non-personal data of the customers, so companies need to be extra cautious while collecting, processing, storing and transferring it.

[1] https://www.snia.org/education/what-is-data-protection

© 2022, All rights reserved, NeGD MeitY

• In a study conducted this year, the top 3 most expensive industries in which to experience a data breach in 2022 were Healthcare, Finance and Technology.

➢ History of Data Protection Legislation across the Globe:

• 1972: The Younger Committee came into existence in the United Kingdom, and that initiated the concern with regard to data protection.
• 1978: In the UK, a Committee on Data Protection was set up under the chairmanship of Lindop, which submitted its report in 1978. It contained thorough recommendations both as to the aims to be achieved and on the substance of future data protection legislation.
• 1980: The OECD Guidelines, which are recognized as the global minimum standard for privacy and data protection, came into existence.
• 1984: The UK Data Protection Act of 1984 came into existence. The objective of this Act was to regulate the use of automatically processed information relating to individuals and the provision of services in respect of such information.
• 1995: The European Union Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data was issued.
• 1998: The UK enacted the Data Protection Act of 1998 with the objective of making new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.
• 2000: The United States' Safe Harbour Privacy Principles were introduced. They were developed between 1998 and 2000 in order to prevent private organizations within the European Union or United States which store customer data from accidentally disclosing or losing personal information.
• 2016: The General Data Protection Regulation came into existence, with a primary aim to enhance individuals' control and rights over their personal data and to simplify the regulatory environment for international business. Post GDPR, many countries have worked towards including data protection laws in their local legislation.
• 2018: The California Consumer Privacy Act (CCPA) came into force with an intention to enhance privacy rights and consumer protection for residents of California, United States.
• 2022: On November 18, 2022, the Ministry of Electronics and Information Technology (MeitY) released its much-awaited personal data protection bill, i.e., the Digital Personal Data Protection (DPDP) Bill, 2022 (DPDP Bill), for public comments until December 17, 2022. The DPDP Bill is significantly simpler than its predecessor versions and, once in force, aims to amend and omit some of the key provisions of the [Indian] Information Technology Act, 2000 (IT Act) and provisions of the 'Right to Information Act' 2005.

➢ The Digital Personal Data Protection Bill:

• The Indian government is now focusing on the digitalization of its economic, social, political and other related aspects, which clearly involves the people of the nation.
• With the growing number of active internet users in India, it becomes important for such a growing digital economy to protect digital information by implementing regulations that regularize the rights and duties of our digital citizens.
• The proposed draft of the Digital Personal Data Protection Bill is divided into 6 chapters consisting of general clauses, obligations of data fiduciaries, rights and duties of data principals, special provisions, compliance framework and miscellaneous provisions.
1. Grounds of processing and obligations of Data Fiduciaries:
i. The primary ground of processing is the consent of the subject.
ii. Privacy notice to be given in English and Scheduled languages.
iii. In certain specific conditions, especially with respect to public interest, processing is allowed on grounds of 'Deemed consent' by the data fiduciary.
iv. Data Protection Board to be established. Any personal data breach to be reported to the Data Protection Board and each affected Data Principal.
v. Significant data fiduciaries (SDF) to be notified.
vi. SDFs are subject to some additional obligations, such as DPO, audit, DPIA, etc.
2. Rights of Data Principals:
i. Right to information about processing of data.
ii. Right to correction and erasure of personal data.
iii. Right to grievance redressal.
iv. Right of nomination of another individual to exercise rights.
3. Duties of Data Principals:
i. Duty to comply with applicable laws while exercising rights.
ii. Duty not to register false or frivolous complaints.
iii. Duty not to furnish false particulars while obtaining services.
iv. Duty to furnish verifiably authentic information.
4. Cross-border transfers and exemptions:
• The transfer of personal data from one country's jurisdiction to another country's jurisdiction is called a cross-border transfer.
• The Indian government does not want sensitive personal data to be transferred to any other country and was quite rigid about this earlier. The government focuses on data localization, which means keeping the data within the jurisdictional limits of the country.
• In the present proposed bill, there is a little relaxation of this provision, with certain conditions and exemptions.
5. Data Protection Board and Compliance Framework:
Under the provisions of the bill, the Central Government will establish a Data Protection Board, and the Board will have the following functions:
i. To determine non-compliance with provisions of this Act and impose penalties.
ii. To perform such functions as the Central Government may assign to the Board.
iii. To issue directions with respect to compliance with the various provisions.
iv. To issue directions for mitigating harm in case of a data breach.
v. The Board can refer any matter which it deems fit for Alternate Dispute Resolution.
6. Penalties:
i. Significant non-compliance attracts financial penalties, up to a maximum of Rs. 500 Crore for each instance.
ii. For failure to implement security safeguards for preventing a data breach, the penalty can go up to Rs. 200 Crore.
iii. Failure to notify the Board and affected Principals of a data breach can lead to a financial penalty of up to Rs. 200 Crore.
iv. In case of non-compliance with obligations regarding children's data, the penalty can go up to Rs. 200 Crore.
v. Any non-compliance other than those mentioned above can be decided by the Board and can lead to a penalty of up to Rs. 50 Crore.
vi. In case of a Data Principal's non-compliance with their duties, a fine of up to Rs. 10,000 can be levied.



It is to be noted that the bill is yet to be discussed in Parliament, so one can expect some changes to the presently proposed clauses. One commendable thing to note is how the Government of India is working towards this new dimension of data security and to ensure the safety of its citizens' data.

Authors: Chief Investigator and Team CytrainSetu
