
INDIA’S COMMITMENT TO DIGITAL PRIVACY:

AN ANALYSIS ON THE DIGITAL PERSONAL DATA PROTECTION BILL, 2022

by

Muhmina
B.Com LL.B (Hons) Student
Mount Zion Law College, Kadammanitta, Pathanamthitta. Kerala

Submitted to AGISS RESEARCH INSTITUTE


In fulfillment of the Requirement for the Internship
April 2023

ABSTRACT
The upcoming Digital Personal Data Protection bill of 2022 is set to revolutionize data collection
and usage, prioritizing individuals’ privacy and security in the digital space. The bill empowers
individuals with greater control over their personal data, mandating explicit consent for
collection, storage and use by companies. The Bill defines sensitive personal data, such as
financial, health, sexual orientation, biometric and genetic data, which require a higher level of
security and protection. To regulate data-related issues and ensure compliance, a Data Protection
Authority (DPA) will be established.

I. INTRODUCTION
The Digital Personal Data Protection bill or the Data Protection and Digital Privacy bill is a
crucial piece of legislation aimed at safeguarding our personal information in an increasingly
digitalized world. With the rise of technology and digital platforms, our personal data has
become more vulnerable than ever before. The DPDP bill sets forth guidelines and regulations to
protect our data and ensure that it is not misused or mishandled by individuals or organizations.
This bill provides individuals with greater control over their personal information and empowers
them to make informed decisions about how their data is collected, stored and used. With the
DPDP bill, we can take significant steps towards safeguarding our digital privacy and securing
our personal information in the digital age.

II. EVOLUTION
The bill is based on the principles of data protection that were introduced in the European
General Data Protection Regulation (GDPR). These principles include the right of individuals to
access, correct and erase their personal data, the obligation of data controllers to obtain consent
before processing data, and the right of individuals to have their personal data transferred to
another provider.
This is the fourth iteration of data protection law in India. The first draft of the law, ‘The Personal
Data Protection Bill, 2018’, was conceived by the esteemed Justice Srikrishna Committee set up by
the Ministry of Electronics and Information Technology (MeitY) to develop an ironclad set of
data protection laws for the country. After carefully reviewing the initial draft, the government
made a series of revisions and updated it to the PDB Bill, 2019. The Lok Sabha was eager to
dive into the details and quickly passed a motion to send it to a joint committee of both the
Houses of Parliament. However, due to the unforeseen delays caused by the pandemic, it wasn’t
until December 2021 that the Joint Committee on the PDB Bill, 2019 (JPC) finally submitted its
report on the Bill after two long years. The JPC’s recommendations were accompanied by a new
draft bill, the Data Protection Bill, 2021, which incorporated all of their findings. But when we
thought everything was smooth sailing, the government surprisingly withdrew the PDB bill in
August 2021. This decision was based on the “extensive changes” that the JPC made to the 2019
Bill.

III. ANALYSING THE KEY PROVISIONS OF THE DPDP BILL


This article aims to delve into and explore the critical aspects of the DPDP Bill, examining any
pertinent areas of concern with a discerning eye:
• Scope and Application: The Digital Personal Data Protection (DPDP) Bill pertains to
the handling of "personal data", which refers to any information related to an identifiable
individual processed digitally, including data collected online or offline that was later
digitized. It does not, however, encompass manual processing of this data by small
entities, unlike the earlier Personal Data Protection (PDP) Bill. Furthermore, the DPDP
Bill's jurisdiction extends beyond India if the digital personal data is involved in the
profiling or the offering of goods or services to individuals within India. The PDP Bill
categorized personal data as sensitive or critical, but the DPDP Bill does not make this
distinction, which may oversimplify the importance of protective measures for sensitive
personal data.
• Obligations of Data Fiduciary: Under the Digital Personal Data Protection (DPDP) Bill,
a data fiduciary is responsible for determining the purpose and means of processing
personal data and must meet a number of obligations, including the following:
  ◦ Processing personal data only for lawful purposes with the consent of the data
    principal, i.e., the individual whose data is being processed.
  ◦ Issuing a clear and concise notice to the data principal regarding the collection and
    processing of personal data, including a description of the data being collected.
  ◦ Obtaining verifiable consent from parents when processing the personal data of
    children under 18 years of age.
  ◦ Facing a penalty of up to ₹200,00,00,000/- in case of non-compliance with respect to
    the processing of personal data of children.
  ◦ Immediately ceasing processing of personal data of any data principal who withdraws
    consent, unless such processing is authorized by the DPDP Bill or any other law.
  ◦ Reporting personal data breaches promptly to the Data Protection Board and affected
    data principals, although no timeframe has yet been prescribed for such notification.
  ◦ Ensuring reasonable security safeguards to prevent personal data breaches, with
    penalties ranging up to ₹250,00,00,000/-.
These strict obligations reflect the importance of data protection and the severe consequences
companies face for non-compliance with the DPDP Bill.
• Rights of Data Principal: The bill outlines specific rights for data principals, the individuals
to whom personal data relates. These rights include:
  ◦ The right to confirmation from the data fiduciary on whether their personal data is being
    processed, a summary of their personal data being processed, and the identities of all data
    fiduciaries that have received their data.
  ◦ The right to request correction, completion, updating or erasure of personal data that is no
    longer necessary for the purpose for which it was processed.
  ◦ The right to nominate an individual who may exercise these rights in case of death or
    incapacity.
  ◦ The right to lodge a grievance with the data fiduciary or register a complaint with the
    Board if dissatisfied with the response or lack thereof.
However, the bill fails to include a "right of portability", preventing individuals from
systematically transferring personal data between data fiduciaries, thus hindering the spirit of
consumer welfare and competition. It's important for individuals to know their rights and for
companies to uphold their end of the bargain, fostering a safe and secure environment for all.
• Duties of Data Principal: The Bill has outlined certain duties for data principals, or
individuals to whom personal data relates. These include:
  ◦ Avoiding registering false or frivolous complaints with a data fiduciary or the Board.
  ◦ Providing accurate and complete personal information while applying for documents,
    services, unique identifiers, and proof of identity or address.
  ◦ Providing verifiably authentic information when exercising the right to correction or
    erasure.
It's important to note that failure to comply with these duties could result in a penalty of up to
₹10,000/- (Rupees Ten Thousand). Upholding these obligations ensures the safety and accuracy
of personal data, promoting transparency and trustworthiness among all parties involved.
• Data Protection Board: The DPDP Bill aims to establish an independent Data
Protection Board to serve as an adjudicating body for the enforcement of its provisions
and the imposition of penalties for non-compliance. The Board is empowered to
direct data fiduciaries to take urgent measures to address personal data breaches and
mitigate harm to data principals. However, the DPDP Bill has left the composition,
appointment, and service conditions of the Board’s chief executive, chairperson and
members at the discretion of the Government of India, which raises concerns regarding
the Board’s independence. Additionally, the bill does not specify any time limit for the
completion of inquiries by the Board, and an appeal against its orders would be made to
the High Court, following the elimination of an Appeal Tribunal. In select cases, the
Board may direct an alternative dispute resolution to resolve disputes between relevant
parties.
• Financial Penalties: The Data Protection Board will determine the financial penalty
based on the gravity, nature, and duration of the non-compliance, as well as the type and
impact of the personal data affected. If the non-compliance is significant, the Board
may impose a penalty of up to ₹500,00,00,000/- (Rupees Five Hundred Crore), as long as the
person in question has had a reasonable opportunity to present their case.
• Cross-border Transfer of Personal Data: The Bill has made significant strides in relaxing
the localization of data as per the JPC Report. It empowers data fiduciaries to transfer
personal data swiftly to nations outside India deemed trustworthy by the Central
Government. While this supports a seamless business experience, there is vagueness
about the selection criterion for identifying such nations, authorized to access every category
of personal data of Indian nationals.
• Exemptions from Applicability: The Government is authorized to exempt any state
instrumentality if it serves the interest of India’s sovereignty, security, foreign relations,
or public order, without providing any justification. However, these exemptions come with
broad discretionary powers and don’t align with the JPC Report’s call for a ‘just, fair,
reasonable, and proportionate’ procedure to regulate such exemptions.

IV. CHALLENGES OF DIGITAL PERSONAL DATA PROTECTION BILL, 2022


The Digital Personal Data Protection Bill, 2022 poses several challenges that need to be
addressed before it can be fully implemented. Some of these challenges include:
• Data Localization: The bill requires all personal data to be stored in India, which poses
challenges for multinational companies due to increased cost and complexities.
• Data Processing Requirements: The bill sparks concerns in the marketing industry over
explicit consent for personal data collection.
• Increased Compliance and Reporting: The bill brings tough penalties for
non-compliance, posing a challenge for smaller businesses to keep up with regulations and
reporting data breaches in time.
• Burden on Law Enforcement Agencies: The bill establishes regulatory bodies to
oversee compliance, possibly stretching law enforcement agencies thin and redirecting
their focus from crucial matters.
• Cost of Implementation: The bill mandates high-tech compliance measures, potentially
deterring SMEs and stifling business investments in India.
Overall, while the Digital Personal Data Protection Bill, 2022 seeks to ensure the privacy and
protection of personal data, it also poses several challenges that need to be addressed to enable
smooth implementation.
Further, critics also state that the Digital Personal Data Protection Bill, 2022 does not satisfy the
Supreme Court’s Puttaswamy principles. 1

1 Digital Personal Data Protection Bill, 2022 does not satisfy the Supreme Court’s Puttaswamy principles, Internet
Freedom Foundation, available at: https://internetfreedom.in/the-digital-personal-data-protection-bill-2022-does-not-satisfy-the-supreme-courts-puttaswamy-principles/ (last visited on April 16, 2023)

V. CONCLUSION
Overall, the Digital Personal Data Protection Bill, 2022 is a significant development in the area
of personal data protection in India. The bill is a step forward in protecting the rights of
individuals and providing a secure environment for the processing of personal data in India. The
digital revolution has made it easier than ever for organizations to collect and store personal data.
However, it is also essential to ensure that the individuals who provide this information have
control over how it is used.
The bill is currently being debated in the Indian Parliament, and it is expected to be passed soon.
Once it becomes law, it will provide much-needed protection to individuals and help to mitigate
the risks associated with unauthorized access and misuse of personal data.

