Key Features of Digital Personal Data Protection Bill, 2022 (“Bill”)

  1. No Implementation period specified: The Bill does not specify the date as to when it will come into force. It merely states that its provisions will come into effect on the date(s) appointed by the Government. However, this comes with a rider that different dates may be appointed for different provisions of the Act, thereby leaving scope for a phased introduction of various provisions of the Bill, rather than the Bill being implemented at once.
  2. Data Protection Board of India: The Bill proposes the setting up of a Data Protection Board of India as the over-arching body to oversee the implementation of the DPDP Bill. The Board will be entrusted with the power to impose penalties on erring entities and to direct Data Fiduciaries to adopt urgent measures to respond to Personal Data breaches. The High Courts have been designated as the appellate authority for orders of the Board, and appeals have to be filed within 60 days.
  3. Gender parity: The Bill uses the pronouns “her” and “she” for an individual, irrespective of gender under Section 3 (1) 3. This is a step forward from the normative legal drafting which contained “He/Him”.
  4. Covers all digital “Personal Data” while excluding “Non-personal Data”: Personal data has not been categorized into “sensitive” or “critical”, thus putting all kinds of personal data on the same footing. Furthermore, the Bill does not apply to offline Personal Data (that is, ‘non-digitized’ data) or to any personal data which is processed by an individual for personal use. Moreover, “non-personal” data is not defined under the Bill, which envisages exclusion of businesses and stakeholders from being governed by this Bill in relation to this aspect.
  5. Territorial and Extra-Territorial Applicability: The Bill only applies as follows:
    • (a)  Territorial – processing of digital Personal Data within India, where:
      • (i)  Personal Data is collected online; or
      • (ii)  Personal Data is collected offline and then digitised.
      • Note: The processing of Personal Data of foreign Data Principals (i.e. data subjects) by an Indian entity under a contract with a foreign entity is exempt from the provisions of the Bill dealing with consent under Chapter 2, thereby aiding the functioning of the BPO industry.
    • (b)  Extra-Territorial – processing of digital Personal Data outside India, if it is in connection with profiling of, or offering goods or services to Data Principals within India.
  6. Cross Border Transfer of Data: Cross-border transfer of data outside India is not specifically prohibited by the Bill. A Data Fiduciary is permitted to transfer Personal Data outside India to such countries, and in accordance with such terms and conditions, as may be notified by the Central Government.
  7. No Criminal Liability: The Bill prescribes only monetary penalties (under Schedule I) for breaches and non-compliances, and limits such penalties to breaches/non-compliances that the Data Protection Board determines to be ‘significant’. The Bill has done away with criminal liabilities, as well as with penalties that are directly linked to the turnover or revenue of an erring Data Fiduciary, while capping the leviable financial penalty at 500 crores in each instance of breach.
  8. Rights of Data Principals: The Bill grants Data Principals rights in relation to their Personal Data, such as the right of correction, the right of erasure and the right to be forgotten, along with the right to nominate any other individual to exercise the rights of the Data Principal in the event of their death or incapacity.
  9. Duties of Data Principals: The Bill places certain duties on Data Principals, such as a duty to comply with the provisions of “all applicable laws” while exercising their rights, and a duty to furnish only such information as is verifiably authentic while exercising the right to correction or erasure of Personal Data.
  10. Significant Data Fiduciaries: The Bill retains the concept of ‘Significant Data Fiduciaries’ (“SDFs”) from the earlier bill and allows the Government to notify an SDF based on a variety of factors such as the volume and sensitivity of Personal Data processed by it, risk of harm to Data Principals, potential national impact and impact on public order.
  11. Concept of Deemed Consent: The Bill introduces the concept of ‘deemed consent’, enabling processing of Personal Data without explicit consent on a number of grounds, including for purposes related to medical emergencies, during a disaster or any breakdown of public order, employment (including biometric information) and public interest such as debt recovery and prevention of fraud, thereby enabling wider grounds for processing personal data.
  12. Exemptions: Under the Bill, the Central Government has been given the power to exempt any instrumentality of the State from application of the Act in relation to processing of Personal Data along with allowing the Central Government to notify certain Data Fiduciaries or class of Data Fiduciaries based on the volume and nature of personal data processed, to whom certain provisions of the Bill (notice requirements, accuracy of Personal Data, data retention limits etc.) will not apply.
  13. Alternate Dispute Resolution for Complaint Resolution: Resolution of disputes via mediation or other ADR mechanisms has been envisaged under the Bill.
  14. Processing of Personal Data of children: The Bill, apart from prohibiting processing of personal data that is likely to cause harm to a child (below 18 years of age), also prohibits tracking or behavioural monitoring of children and targeting advertisements at children.
  15. No requirement of local storage of information: The Bill does not contemplate any requirement for Data Fiduciaries to store any data in India, irrespective of whether or not the data has been shared outside India for any legally valid purposes.