India’s Digital Personal Data Protection Bill 2022: Detailed Analysis

Kiron Mullick ~ Modified: August 9th, 2023 ~ Data Security ~ 9 Minutes Reading

Digital Personal Data Protection Bill 2022, Summary:

India is one of the world’s largest data-generating countries, with over 1.2 billion people connected to the Internet. As a result, there is a growing need for data protection laws in India. In an era defined by digitalization and technological advancements, the protection of personal data has become a critical concern for individuals and governments alike.

In 2019, the Indian Government introduced a Digital Personal Data Protection (DPDP) Bill. However, this bill was not passed by Parliament for various reasons.

Recognizing the need for robust data protection measures, India introduced the Digital Personal Data Protection Bill again in 2022. This landmark legislation aims to safeguard the privacy and security of citizens’ personal data while fostering a conducive environment for digital innovation and economic growth.

Background

As India experienced a significant surge in internet users and digital services, concerns about data breaches, unauthorized access, and misuse of personal information heightened. Existing laws did not adequately address these challenges, leading to the need for comprehensive legislation that could effectively regulate the collection, processing, and storage of personal data.

Key Objectives of Digital Personal Data Protection Bill 2022

The primary objectives of the Digital Personal Data Protection Bill 2022 are as follows:

  • Protecting Privacy: The bill seeks to uphold the fundamental right to privacy of Indian citizens by establishing stringent norms for the processing and handling of personal data.
  • Data Localization: One of the central provisions of the bill is the requirement for data fiduciaries to store sensitive personal data within the borders of India. This data localization mandate aims to enhance data sovereignty and ensure that citizens’ personal information remains subject to Indian laws and jurisdiction. By keeping the data within the country, the government aims to reduce the risk of unauthorized access and potential data breaches.
  • Consent Mechanism: The DPDP bill 2022 places significant emphasis on obtaining informed and explicit consent from individuals before collecting and processing their personal data. Data fiduciaries must provide clear and understandable explanations about the purpose, extent, and recipients of data sharing to ensure that users have full knowledge and control over their data.
  • Rights of Individuals: The legislation grants individuals substantial rights over their personal data. Data principals have the right to access the data held by data fiduciaries, rectify inaccuracies, and request the erasure of data under certain circumstances. This empowers individuals to exercise greater control over their digital identities and correct any inaccuracies that may impact their privacy and security.
  • Data Processing Obligations: The Digital Personal Data Protection Bill 2022 imposes obligations on data fiduciaries, ensuring that they handle personal data responsibly and implement necessary security measures to prevent data breaches.

Key Provisions of DPDP Bill 2022

  • Data Fiduciaries and Data Principals: The bill classifies entities handling personal data as “data fiduciaries,” and the individuals whose data is being processed as “data principals.” This distinction clarifies the responsibilities and rights of both parties.
  • Sensitive Personal Data: The Digital Personal Data Protection Bill 2022 defines personal data as any information that can be used to identify an individual, directly or indirectly. This includes information such as the individual’s name, address, phone number, email address, date of birth, and any other information that could be used to identify them.
  • Data Protection Authority (DPAI): To enforce the provisions of the bill effectively, a specialized regulatory body called the Data Protection Authority of India (DPAI) will be established. The DPAI will have the responsibility of monitoring and regulating data fiduciaries, investigating data breaches, and ensuring compliance with the legislation. This authority will act as the watchdog for data protection in the country, working to uphold citizens’ privacy rights and impose penalties for non-compliance or data breaches.
  • Cross-Border Data Transfer: Recognizing the need for cross-border data transfers for various business purposes and international collaborations, the bill also includes provisions to enable such transfers under specific circumstances. Data fiduciaries must obtain explicit consent from data principals before transferring their personal data outside India. Alternatively, they may also transfer data to foreign jurisdictions that have adequate data protection laws in place or follow the DPAI’s approved standard contractual clauses. This approach strikes a balance between protecting data and facilitating global data flows for legitimate reasons.
  • Balancing Data Innovation and Non-Personal Data: Apart from addressing personal data, the DPDP bill also recognizes the importance of non-personal data in fostering innovation, research, and development. It emphasizes the need to create a framework for sharing non-personal data, making it accessible for businesses, governments, and researchers, while also ensuring that individual privacy is not compromised. The bill aims to strike a balance between data innovation and privacy protection, fostering a data-sharing ecosystem that respects both aspects.
  • Penalty and Compensation: The Digital Personal Data Protection Bill 2022 prescribes stringent penalties and compensation for violations of its provisions. The maximum penalty can be up to INR 500 crores or 5% of the annual turnover of the data fiduciary, whichever is higher. The maximum compensation can be up to INR 1 crore or actual damage caused to the data principal, whichever is higher.
  • Data Sandbox: The DPDP Bill introduces the concept of a data sandbox, a testing environment for new technologies or methods of processing personal data that operates with the approval and oversight of the DPAI. A data sandbox can be used for innovation, research, or development purposes that have the potential to benefit society or the economy.

Various Rights and Obligations for Data Principals and Data Fiduciaries

  • Right to Information: The owner of the data has the right to receive information about what personal data is being processed. Along with that, there is a right to receive a summary of the personal data that is being processed.
  • Right to Access and Correction: Data principals have the right to access their personal data and request correction or update of any inaccurate or incomplete data.
  • Right to Erasure: Data principals have the right to request erasure of their personal data that is no longer necessary for the purpose for which it was collected or processed.
  • Right to Portability: Data principals have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit it to another data fiduciary.
  • Right to Restrict Processing: Data principals have the right to restrict or limit the processing of their personal data in certain circumstances, such as when they contest the accuracy or lawfulness of the data or when they object to the processing.
  • Right to Object: Data principals have the right to object to the processing of their personal data for certain purposes, such as direct marketing, profiling, or automated decision making.
  • Right to Nominate: Data principals have the right to choose or nominate a person to exercise their rights on their behalf in case of death or incapacity.
  • Obligation to Provide Notice: Data fiduciaries have the obligation to provide a clear, concise, and transparent notice to data principals before collecting or processing their personal data, which should include information such as the purpose, duration, manner, source, recipients, rights, and grievance redressal mechanism of the processing.
  • Obligation to Obtain Consent: Data fiduciaries have the obligation to obtain free, informed, specific, clear, and revocable consent from data principals before collecting or processing their personal data, unless an exemption applies.
  • Obligation to Ensure Quality: Data fiduciaries have the obligation to ensure that the personal data they collect or process is accurate, complete, up-to-date, relevant, and not excessive for the purpose of the processing.
  • Obligation to Ensure Security: Data fiduciaries have the obligation to implement appropriate technical and organizational measures to protect the personal data they collect or process from unauthorized or unlawful access, use, disclosure, alteration, or destruction.
  • Obligation to Notify Breach: Data fiduciaries have the obligation to notify the Digital Personal Data Protection Authority (DPDPA), which is the regulatory body established by the DPDP Bill, and the affected data principals of any breach of personal data that is likely to cause harm, within a reasonable time.

Potential Impact of the Digital Personal Data Protection Bill 2022

  • Increased Transparency: The DPDP Bill will require organizations to be more transparent about how they collect and use personal data. This will give individuals more information about how their data is being used, and it will help to build trust between individuals and organizations.
  • Increased Security: The bill will require organizations to take steps to protect personal data from unauthorized access, use, or disclosure. This will help to reduce the risk of data breaches and other security incidents.
  • Increased Accountability: The Digital Personal Data Protection Bill will create a more accountable environment for data protection. Organizations that violate the law will be subject to fines and other penalties. This will help to deter organizations from engaging in risky or unethical data practices.
  • Increased Innovation: The bill will create a more secure and predictable environment for data-driven innovation. This will help to attract investment and create jobs in the Indian digital economy.

Criticism

Although this DPDP Bill 2022 is a step forward for data protection laws in India, the bill has been criticized for being too restrictive. For example, the bill prohibits the transfer of personal data outside of India without the consent of the individual. This could make it difficult for Indian companies to do business with international partners.

Latest Update: The Lok Sabha passed the Digital Personal Data Protection Bill on 7th August 2023. If any entity is found violating the norms, the bill will impose a maximum fine of Rs 250 crore and a minimum fine of Rs 50 crore.

Conclusion

India’s Digital Personal Data Protection Bill 2022 is a comprehensive and ambitious piece of legislation aimed at safeguarding the privacy and security of personal data in the digital age. By addressing key challenges such as data localization, consent, individual rights, and non-personal data, the bill seeks to create a robust data protection framework that protects citizens’ privacy while encouraging digital innovation and economic growth. As the bill’s implementation progresses and the DPAI assumes its regulatory role, its impact on data governance and privacy practices in India will undoubtedly shape the nation’s digital landscape for years to come.