According to the bill’s explanatory note, India now has 760 million active internet users, with that figure likely to grow to 1.2 billion in the coming years. The core tenets and expectations of our citizens for transparency, safety, trust, and accountability must thus be the basis for legislation and rules governing the internet. The rights and obligations of data principals, as well as the compliance framework, are mostly covered in this section of the analysis.
- Children’s data – According to the 2022 Law, a “child” is anybody under the age of 18. Data fiduciaries cannot monitor or target advertising at minors and must acquire parental permission before processing children’s data. The central government may, however, impose exceptions to these rules. Data fiduciaries handling children’s data were formerly regarded as significant data fiduciaries; this is no longer the case. The 2022 Bill keeps the legal consent age at 18 despite opposition from groups representing civil society and business. To safeguard the online agency and privacy of teens and young adults, stakeholders had argued for lowering the age of consent.
- Significant data fiduciary – Although the definition of a significant data fiduciary is not explicitly stated in the Bill, it seeks to reserve the right of the Central government to define if a data fiduciary handles a significant amount of sensitive personal data, poses a risk of harm to the data principal, and has an impact on India’s sovereignty and integrity, state security, public order, etc. These key data fiduciaries are required to complete a Data Protection Impact Assessment, hire an Independent Data Auditor, and conduct periodic audits to guarantee compliance with the proposed Bill’s requirements.
- Rights of the data principal – The draft Bill seems to put more emphasis on the rights of a data principal this time. These rights include:
a. Right to information – The data principal can get confirmation of the existence of the processing of their personal data, along with information on the quantity and nature of that processing.
b. Right to correction or erasure – The proposed legislation allows the data principal to request the deletion or rectification of their personal data, just like the former PDP Law. Upon receiving a request for correction, the data fiduciary must update the principal’s personal information. Unless it is essential for legal reasons, the data fiduciary must delete any personal information that is no longer needed.
c. Right of grievance redressal – The data principal can file a complaint with the data fiduciary in the first instance (typically the data protection officer, but this is not specified in the draft bill), and can file a complaint with the Board if they receive an unsatisfactory response or no response at all after a maximum of seven days. The draft Bill further specifies the responsibilities of the data principal, including that they must take care not to file a fraudulent complaint or grievance, give incorrect or misleading information, or withhold information.
- Cross-border data transfers – Requirements for local storage or localization are not mentioned in the 2022 Bill. Yet, it adds new restrictions for international data transfers. The central government may now notify the nations or territories to which personal data may be transferred. The central government may evaluate any circumstances while notifying these territories if required. On these aspects, more information is awaited. The 2022 Law restricts the transfer of personal data across borders to those countries that the government has notified. Unlike past iterations, this limitation covers all personal data, not only sensitive personal data and critical personal data. This seems to be comparable to the GDPR’s adequacy method. Contrary to the GDPR, the Bill does not acknowledge other justifications for international transfers, such as common contract provisions, certifications, and others.
- Exemptions – Like the Prior Drafts, the Bill allows for a few basic exclusions. Additionally, the Government has been given broad authority to inform certain Data Fiduciaries that the provisions relating to notice, obligations relating to the processing of accurate information, and data retention will not apply to them (based on the volume and nature of personal data processed by the Data Fiduciaries). Moreover, there are relaxations in place for the State and its agencies with regard to data minimization and data retention, meaning that States are allowed to keep personal data for longer than intended. While the powers of the Central Government include establishing exemptions for the processing of personal data required for research, archiving, or statistical purposes as were provided in the Prior Drafts, the Bill does not do so with regard to exemptions for journalistic purposes as was provided in the Prior Bill.
- Implementation – Timelines for the 2022 Bill’s implementation have not been provided by the government. For certain provisions, the government may designate several start dates.
- Timeline – The Bill permits phased adoption, but unlike some earlier drafts, it doesn’t offer a precise timetable. A defined implementation schedule will allow businesses to plan, even if this could be less troublesome given the less intricate compliance requirements.
- Penalties – The 2022 Bill stipulates that the maximum fines in each case should be INR 500 crores. Significantly, failure to implement sufficient security precautions to avoid personal data breaches can result in fines of up to INR 250 crores for both data processors and data fiduciaries. Penalties may be changed by the government, although they cannot increase by more than double the amount set forth in the 2022 Law. According to the JPC Law, the government should maintain discretion when deciding on fines by taking fast-advancing technological developments into account. The 2022 Law specifies a maximum amount while still allowing the government to change penalties. Along with being much higher, the penalties under the 2022 Bill are in keeping with previous allegations that the government will impose severe fines for data breaches.
- Rule-making powers of the government – The central government has the authority to create regulations on a variety of topics, including the fair and reasonable justifications for processing personal data without authorization, the format and method for reporting data breaches, and the make-up, qualifications, and choice of DPB members. The planned data protection authority was granted the authority to draft rules under the JPC Bill and the 2019 Bill; this jurisdiction has now been completely transferred to the government. Notwithstanding advice from experts that the government’s vast rule-making powers should be subject to a consultative process, the 2022 Bill does not require stakeholder participation for regulations crafted by the government.
- Overriding effect of the 2022 Bill – If passed, the 2022 Law will take precedence over existing laws in cases when their provisions clash. In addition to current sectoral rules and regulations on data stewardship, it will also apply. If there are any requirements that clash with those of the 2022 Bill, those laws/regulations will take precedence. These industries include banking and finance, health, and others.
The proposed Law intends to safeguard the information and personal data of Indian residents. By enabling its procedure to take place solely in India, it also intends to secure the sensitive personal information of Indian individuals. It thereby provides for the processing of digital personal data in a way that acknowledges people’s rights to privacy protection, the necessity of processing personal data for legal reasons, and other incidental uses.
Link to An analysis on the Digital Data Protection Bill, 2022 (Part – I)