{"id":12391,"date":"2022-11-23T06:47:29","date_gmt":"2022-11-23T06:47:29","guid":{"rendered":"https:\/\/swaritadvisors.com\/blog\/?p=12391"},"modified":"2022-11-23T08:21:09","modified_gmt":"2022-11-23T08:21:09","slug":"digital-personal-data-protection-bill-2022","status":"publish","type":"post","link":"https:\/\/swaritadvisors.com\/blog\/digital-personal-data-protection-bill-2022\/","title":{"rendered":"Digital Personal Data Protection Bill, 2022 \u2013 A Complete Analysis"},"content":{"rendered":"\n<p>The Digital Personal Data Protection Bill 2022 (Data Protection Bill, 2022) has been published by the government for public consultation. The Digital Personal Data Protection Bill 2022 is the most recent iteration in the Data Protection laws of the country. Following the landmark judgement of Justice K.S. Puttaswamy v. Union of India, 2017, which upheld the Right to Privacy as a Fundamental Right under Article 21 of the Constitution of India, the Ministry of Electronics and Information Technology (MeitY) introduced the first draft of the law called the Personal Data Protection Bill, 2018. After two more revised drafts, namely the Personal Data Protection Bill, 2019 and the <strong>Joint Parliament Committee\u2019s<\/strong><sup><a class=\"text-primary\" href=\"https:\/\/en.wikipedia.org\/wiki\/Joint_parliamentary_committee#:~:text=Joint%20Parliamentary%20Committee%20is%20formed,form%20the%20joint%20parliamentary%20committee.\"><strong>[1]<\/strong><\/a><\/sup> Data Protection Bill, 2021 (JPC Bill, 2021), both of which were withdrawn amid extreme criticism from various stakeholders, the government has published the new draft of the Data Protection Bill, 2022. The new draft aims at achieving a balance between the right of privacy of the citizens, the right of citizens over their personal data and the right of the private and government entities to use and process the data. 
This blog aims to provide an overview of the extant draft Digital Personal Data Protection Bill, 2022.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Major_Principles_behind_the_Digital_Personal_Data_Protection_Bill_2022\"><\/span>Major Principles behind the Digital Personal Data\nProtection Bill, 2022<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The following are some major\nprinciples behind the Digital Personal Data Protection Bill, 2022:<\/p>\n\n\n\n<ul><li>The usage of personal data by organizations must be done in a fair, lawful, and transparent manner<\/li><li>The usage of personal data shall be limited to the purpose it was taken for.<\/li><li>Data Minimization: only those aspects of personal data required to fulfil the specific purpose ought to be collected.<\/li><li>Reasonable effort is to be made to ensure that the data collected is accurate and complete.<\/li><li>Personal data should not be stored in perpetuity and not retained beyond what is required to achieve the specific purpose<\/li><li>To prevent a breach of personal data, reasonable safeguards ought to 
be in place to prevent accidental disclosure or unauthorized use<\/li><li>To ensure accountability, data fiduciaries (defined below) must be held accountable for the processing of data.<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Applicability_%E2%80%93_Digital_Personal_Data_Protection_Bill_2022\"><\/span>Applicability\n&#8211; Digital Personal Data Protection Bill, 2022<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Unlike the previous drafts, the new bill applies only to \u201cDigital Personal Data\u201d, that is, personal data collected online from Data Principals (the individuals to whom the personal data relates and, where such an individual is a child, the parents or lawful guardian of the child), or personal data collected offline and then digitized. <\/p>\n\n\n\n<p>The Digital Personal Data Protection Bill, 2022 excludes from its purview \u201cnon-personal data\u201d and personal data which is collected manually. In the previous bills, only manual data collected by small entities was excluded. It also categorically excludes non-automated processing of personal data, personal data processed by individuals for domestic or individual purposes, and records of personal data of an individual which have been in existence for at least one hundred years.<\/p>\n\n\n\n<p>It\nalso provides no distinction between the types of personal data, namely,\nCritical Personal Data (CPD) and Sensitive Personal Data (SPD). 
The JPC\nBill, 2021 and the 2019 Bill did include non-personal data within their purview.<\/p>\n\n\n\n<p>It\napplies to processing digital data within the territory of India and to\nprocessing of digital personal data outside India if it is for providing goods\nor services to Data Principals in India.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Cross-Border_Data_Transfers\"><\/span>Cross-Border Data Transfers<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>As per the previous iterations, personal data collected was to be stored in India and only transferred according to the contract or intra-group scheme approved by Data Protection Policy and only after obtaining consent from the Data Principal. The Data Protection Bill, 2022 does not refer to local storage but has provided new parameters for cross-border transfers. The extant 2022 Bill restricts the cross-border transfer of all personal data to jurisdictions which have been approved and notified by the central government. There are certain exceptions in the bill where cross-border transfer to jurisdictions not notified by the government is allowed, namely, to enforce a legal right or prevent contravention of law or prosecution of an offence or to conduct other judicial and quasi-judicial functions.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Consent_and_Deemed_Consent\"><\/span>Consent and Deemed Consent<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Like the previous draft bills, consent is still the primary prerequisite to process the personal data of the Data Principals. 
Data Principals need to provide clear and unequivocal consent for having their data used for a &#8220;specific purpose.\u201d If the Data Principal wishes to withdraw the consent given, the Data Fiduciaries (persons who determine the purpose and means of the processing of personal data) ought to instruct Data Processors to stop processing that person\u2019s personal data, unless it is otherwise authorized under the extant bill or it is a necessity to process such personal data without consent. Such withdrawal of consent can be given through Consent Managers registered with the Data Protection Board. The Data Fiduciary only needs to provide notice to the Data Principal before processing personal data based on consent and not with respect to the processing of personal data with deemed consent. This notice should clearly provide for the specified purpose.<\/p>\n\n\n\n<p>The Digital Personal Data Protection Bill, 2022 has introduced the concept of \u201cdeemed consent\u201d. It provides for certain situations and circumstances where consent of the data principal is not required to process personal data. This applies to data provided voluntarily by the data principal or when such data is required to meet the demands of law or for \u201cpublic interests\u201d to prevent fraud or for information security, or for any fair and reasonable grounds which shall be determined by the government. 
Earlier draft bills placed the onus of determining \u201cfair and reasonable purpose\u201d on the Data Protection Authority.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Obligations_on_Data_Fiduciaries_and_Data_Processors_%E2%80%93_Digital_Personal_Data_Protection_Bill_2022\"><\/span>Obligations on Data Fiduciaries and Data Processors\n&#8211; Digital Personal Data Protection Bill, 2022<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul><li><strong>Inform Data Protection Board of the Personal Data Breach<\/strong><\/li><\/ul>\n\n\n\n<p>\u201cPersonal data breach\u201d includes accidental disclosures, unauthorized use, sharing and processing of data. Data fiduciaries &amp; data processors can be penalized up to Rupees 250 Crore for not following reasonable security safeguards for data protection and can be penalized up to Rupees 200 Crore for not reporting a personal data breach to the Data Protection Board. The 2022 Bill has placed the obligation on data processors as well to report breach of personal data. The maximum penalty which has been provided under the 2022 Bill is Rupees 500 Crore.<\/p>\n\n\n\n<p>Data fiduciaries must maintain the completeness and accuracy of the data processed by them, remove data for which processing has been completed and establish a grievance redressal mechanism. 
They are to appoint a person to answer the data principal&#8217;s questions as to the processing of personal data.<\/p>\n\n\n\n<ul><li>If\nthe Data Principal wishes to withdraw the consent given, the data fiduciaries must\ninstruct Data Processors to stop processing that person\u2019s personal data, unless\nit is otherwise authorized under the extant bill or it is a necessity to\nprocess such personal data without consent.<\/li><li>Data\nfiduciaries must obtain parental consent while processing children\u2019s (individuals\nunder the age of 18) data and cannot target or track advertisements to children.<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Significant_Data_Fiduciaries\"><\/span>Significant Data Fiduciaries<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The government can notify entities which would be significant data fiduciaries based on the amount and sensitivity of the personal data they deal with, the risk to data principals and to electoral democracy, and the potential impact on the sovereignty and integrity of India. In addition to the obligations placed on data fiduciaries, the significant data fiduciaries have additional obligations to conduct data protection impact assessments, appoint an independent data auditor to assess compliance with the 2022 Bill, and appoint a data protection officer based in India. <\/p>\n\n\n\n<p>Unlike the previous draft bills, the Digital Personal Data Protection Bill, 2022 does not automatically consider social media platforms with a considerable number of users or data fiduciaries dealing with children\u2019s data as significant data fiduciaries. Also, earlier, only those significant data fiduciaries involved in large-scale profiling or the use of new technologies or using SPD were obligated to conduct data protection impact assessments. 
Now all significant data fiduciaries must conduct them.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Rights_and_Duties_of_Data_Principals_%E2%80%93_Digital_Personal_Data_Protection_Bill_2022\"><\/span>Rights and\nDuties of Data Principals &#8211; Digital Personal Data Protection Bill, 2022<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Under\nthe Digital Personal\nData Protection Bill, 2022, data principals have the right to:<\/p>\n\n\n\n<ul><li>Obtain information as to personal data being processed, processing activities and identities of data fiduciaries<\/li><li>Withdraw consent given to process personal data for a specific purpose<\/li><li>Seek correction and erasure of data<\/li><li>Nominate an individual on their behalf in case of death or incapacitation of the data principal<\/li><li>Seek grievance redressal<\/li><\/ul>\n\n\n\n<p>The JPC Bill, 2021 and the 2019 Bill provided for the right of data portability from one service provider to another. However, the Digital Personal Data Protection Bill, 2022 does not provide the same.<\/p>\n\n\n\n<p>Unlike the previous draft bills, the Digital Personal Data Protection Bill 2022 places duties on the data principal to comply with the provisions of the Bill while exercising the rights provided thereunder, to refrain from filing false or frivolous grievances against data fiduciaries, and to furnish authentic information rather than false particulars.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Data_Protection_Board_of_India\"><\/span>Data Protection Board of India<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The data protection board shall be established by the central government, which will have the power to determine the composition, qualification and experience, selection, terms of appointment, and salary of the board. 
Even though the Digital Personal Data Protection Bill 2022 categorically states the independence of the board, unlike the previous draft bills, the central government clearly holds significant powers in the board\u2019s functioning. The board is to enforce the provisions of the Bill, impose penalties, conduct hearings, summon and enforce attendance, and examine on oath, but cannot prevent access to premises or detain equipment required in the functioning of the entity under inquiry. The 2022 Bill introduces the concept of voluntary undertakings, under which entities subject to the board\u2019s proceedings agree to do or abstain from doing certain things. This ensures compliance and facilitates timely acceptance of violations.<\/p>\n\n\n\n<p>The Digital Personal Data Protection Bill 2022 reduces the functions of the board, which are now restricted to adjudication and enforcement purposes only. The previous bills allowed the data protection authority to formulate regulations. However, the power to issue rules only vests with the central government as per the extant 2022 Bill.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Powers_of_the_Government\"><\/span>Powers of the Government<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><strong>Rule Making Power<\/strong><\/p>\n\n\n\n<p>The Digital Personal Data Protection Bill, 2022 gives wide rule-making and various other powers to the central government. 
The Central Government of India has the power to make rules determining &#8220;fair and reasonable&#8221; purposes to process personal data without the data principal\u2019s consent, the power to appoint and make rules with respect to the functioning of the data protection board and frame regulations, which was earlier the prerogative of the data protection authority, and the power to decide the form and manner of reporting data breaches.<\/p>\n\n\n\n<p><strong>Power to Grant Exemptions<\/strong><\/p>\n\n\n\n<p>The 2022 Bill also provides the power to the government to exempt state agencies from the application of the bill for reasons pertaining to the &#8220;interest of sovereignty &amp; integrity of India, security of the state, friendly relations with foreign states, maintenance of public order or to prevent incitement of offences related to these\u201d. It also has the power to exempt certain classes of data fiduciaries. This Digital Personal Data Protection Bill, 2022 has removed the requirement, provided for in the JPC Bill, that the grant of exemption to state agencies be subject to \u201cjust, fair and reasonable procedures\u201d, thus expanding the powers of the government to provide such exemption.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span><strong>Conclusion<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The Digital Personal Data Protection Bill, 2022 is the latest in the iterations brought out with a view to drafting a comprehensive data protection law for India. The 2022 Bill is comprehensive yet concise when compared to the previous bill, which had 90 Sections as opposed to the 30 Sections in the 2022 Bill. 
<\/p>\n\n\n\n<p>When compared with the previous draft bills, it is clear that the 2022 Bill gives overarching powers to the central government for the appointment of data protection officials under the data protection board and in granting exemptions to state agencies based on ambiguous and vague parameters like \u201cnational security\u201d and \u201cpublic order\u201d. Experts have stated that there stands a grave threat of misuse as the government can collect and process data without following the provisions of the Bill while justifying it by saying that \u201cnational and public interest is at times greater than interests of an individual.\u201d With respect to the penalties provided under the Bill, in contrast to the previous drafts where the penalty imposed was 4% of the entity\u2019s annual turnover, the maximum penalty under the 2022 Bill is Rupees Five Hundred Crore. This may lead to data principals\u2019 personal data being bought by entities with large turnovers. Many analysts have also spoken against the relaxation of data localization as this can make the data of citizens vulnerable and make it difficult to detect and punish non-compliance and breaches under the Bill in foreign jurisdictions. The Bill has received praise as well as criticism from various stakeholders from the industry and civil society. <strong><em>The Bill is open for receipt of public comments till the 17th of December 2022<\/em><\/strong>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Digital Personal Data Protection Bill 2022 (Data Protection Bill, 2022) has been published by the government for public consultation. The Digital Personal Data Protection Bill 2022 is the most recent iteration in the Data Protection laws of the country. 
Following the landmark judgement of Justice K.S. Puttaswamy v. Union of India, 2017, which upheld the [&hellip;]<\/p>\n","protected":false},"author":14,"featured_media":12397,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[50,1],"tags":[],"acf":[],"_links":{"self":[{"href":"https:\/\/swaritadvisors.com\/blog\/wp-json\/wp\/v2\/posts\/12391"}],"collection":[{"href":"https:\/\/swaritadvisors.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/swaritadvisors.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/swaritadvisors.com\/blog\/wp-json\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/swaritadvisors.com\/blog\/wp-json\/wp\/v2\/comments?post=12391"}],"version-history":[{"count":5,"href":"https:\/\/swaritadvisors.com\/blog\/wp-json\/wp\/v2\/posts\/12391\/revisions"}],"predecessor-version":[{"id":12399,"href":"https:\/\/swaritadvisors.com\/blog\/wp-json\/wp\/v2\/posts\/12391\/revisions\/12399"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/swaritadvisors.com\/blog\/wp-json\/wp\/v2\/media\/12397"}],"wp:attachment":[{"href":"https:\/\/swaritadvisors.com\/blog\/wp-json\/wp\/v2\/media?parent=12391"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/swaritadvisors.com\/blog\/wp-json\/wp\/v2\/categories?post=12391"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/swaritadvisors.com\/blog\/wp-json\/wp\/v2\/tags?post=12391"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}