The 'Data Protection Bill' refers to legislation or a legal framework that regulates the safeguarding and administration of persons data by businesses and governments.

A Data Protection Bill often works to protect individual's private information by creating guidelines that businesses must adhere to when gathering, keeping, processing, and exchanging personal information.

The personal data protection bill was first drafted in 2018 for privacy as a fundamental right reaffirmed in Justice KS Puttaswamy v. Union of India after which it was revised and in November 2022, Meity releases the draft Digital personal Data Protection Bill (DPDPB) for public consultation.

The purpose of this bill is to provide for the processing of digital personal data in a manner that recognizes both the right of individual to protect their personal data and the need to process the personal data for lawful purposes, and for matters connected therewith or incidental thereto.

Digital Personal Data Protection Bill is one of the four proposed legislations in the IT and Telecom sectors to provide the framework for the rapidly growing digital ecosystem. In Bill there is a provision to a Data protection Board to monitor the provisions of the Act. All online and offline data will fall under the legal domain of this bill. The drafted bill aims to provide consent-based data collection techniques.

Obligation of Data Fiduciary:
A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and Rules made thereunder, for a lawful purpose for which the Data Principal has given or is deemed to have given her consent in accordance with the provisions of this Act.

Personal Data may be processed only for a lawful purpose for which an individual has given consent. Consent may be deemed in certain cases. Data fiduciary will be obligated to maintain the accuracy of the data, keep data secure, and delete once its purpose has been met. Also, must publish the business contact information of the Data Protection Officer or any other authorised person to answer queries of Data Principals.

On or before requesting a Data Principal for her consent, a Data Fiduciary shall give to the Data Principal an itemised notice in clear and plain language containing a description of personal data sought to be collected by the Data Fiduciary and the purpose of processing of such personal data. Where consent given by the Data Principal is the basis of processing of personal data, the Data Principal shall have the right to withdraw her consent at any time. The consequences of such withdrawal shall be borne by such Data Principal.

If a Data Principal withdraws her consent to the processing of personal data, the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing of the personal data of such Data Principal unless such processing without the Data Principal's consent is required or authorised under the provisions of this Act or any other law.

As per section 9 (4) of the bill, Every Data Fiduciary and Data Processor shall protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breach.

As per section 9 (5) of the bill, In the event of a personal data breach, the Data Fiduciary or Data Processor as the case may be, shall notify the Board and each affected Data Principal, in such form and manner as may be prescribed.

The Data Fiduciary shall, before processing any personal data of child, obtain verifiable parental consent in such manner as may be prescribed. It shall not undertake such processing of data that is likely to cause harm to a child as mentioned in Section 10 the bill.

As per section 11 of the bill, the central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary, based on an assessment of relevant factors, including:

1. the volume and sensitivity of personal data processed.
2. risk of harm to the Data Principal.
3. potential impact on the sovereignty and integrity of India.
4. risk to electoral democracy.
5. such other factors as it may consider necessary.

Also, the Significant Data Fiduciary shall appoint a Data Protection Officer who shall represent the Significant Data Fiduciary under the provisions of this Act and be based in India. The Data Protection Officer shall be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary. The Data Protection officer shall be the point of contact for the grievance redressal mechanism under the provisions of this Act.

As per the Data Protection Bill, companies as a data fiduciary have certain duties and responsibilities when handling personal Data. Some of them are:

1. Consent: Before collecting, keeping, or processing a person's personal data, companies must get that person's express, informed consent. The consent must be freely granted, explicit, unambiguous, and revocable.
    
2. Notice and Transparency: Companies must inform customers in a clear and straightforward manner about the objectives, procedures, and categories of personal data being gathered. The rights people have with relation to their data, such as the ability to view, amend, and delete it, must also be made known to them.
    
3. Data Security: Companies are required to put in place the proper security measures to defend against unauthorised access, disclosure, alteration, or destruction of personal data. Additionally, they must regularly audit and evaluate the way they process data.
    
4. Accountability: Companies must put the required policies, procedures, and systems in place to show that they are in conformity with the PDP Bill's requirements. To manage data protection initiatives, they might also be required to designate a Data Protection Officer (DPO).
    
5. Cross Border Data Transfer: Companies that transmit personal data outside of India must make sure that the receiving country offers an appropriate level of data protection, or they must put in place the necessary protections, like standard contractual terms or getting the data subject's express consent.
    
6. Data Breach Notification: Companies are required to notify the competent authority and the impacted individuals as soon as possible about a data breach that is likely to cause them harm and the steps being taken to lessen the effects.

The companies must have a procedure in place and an effective mechanism to address the grievance of individuals. Companies must publish the business contract information of a Data Protection officer or an authority who would be able to answer queries of individual on the processing of data.

The DPDP bill also imposes certain duties on the Data Principals to prevent misuse of their rights. These include the duty not to furnish false details, suppressing material information, or impersonate another person while providing personal data to data fiduciaries. They are also prohibited from filing false and frivolous complaints with the Data Protection Board of India as prescribed under section 16 of the DPDP bill.

Data Protection Board:
The Bill empowers the Central Government to establish, for the purposes of this Act, a Board to be called the Data Protection Board of India. The allocation of work, receipt of complaints, formation of groups for hearing, pronouncement of decisions, and other functions of the Board shall be digital by design.

The main function of the board is to determine non-compliance with provisions of this Bill and impose penalty under the provisions of this Bill. Also, The Board may, in the event of a personal data breach, direct the Data Fiduciary to adopt any urgent measures to remedy such personal data breach or mitigate any harm caused to Data Principals.

As per section 25 of the Digital Data Protection Bill, 2022 the Board determines on conclusion of an inquiry that non-compliance by a person is significant, it may, after giving the person a reasonable opportunity of being heard, impose such financial penalty as specified in Schedule 1, not exceeding rupees five hundred crore in each instance.

Penalties:
As per the Schedule 1 of the bill the board may comply penalties on the data fiduciary, with subject matter of the non-compliance of:

• Failure of Data Processor or Data Fiduciary to take reasonable security safeguards to prevent personal data breach under sub-section (4) of section 9 of this Act. Penalty up to Rs 250 crore.
• Failure to notify the Board and affected Data Principals in the event of a personal data breach, under sub-section (5) of section 9 of this Act. Penalty up to Rs 200 crore.
• Non-fulfilment of additional obligations in relation to Children; under section 10 of this Act. Penalty up to Rs 200 crore.
• Non-fulfilment of additional obligations of Significant Data Fiduciary; under section 11 of this Act. Penalty up to Rs 150 Crore.
• Non-compliance with section 16 of this Act. Penalty up to Rs 10 thousand.
• Non-compliance with provisions of this Act other than those listed in (1) to (5) and any Rule made thereunder. Penalty up to Rs 50 crore.

GDPR:
It's vital to remember that different nations and locations may have different specific rules and regulations. Several nations have passed thorough data protection legislation to address privacy concerns, including the European Union with the General Data Protection Regulation (GDPR). Other nations have created their own data protection laws, frequently inspired by global frameworks and industry best practises.

The world's strictest privacy law is the General Data Protection Regulation (GDPR). The GDPR, an EU regulation that went into effect on May 25, 2018, established strict security requirements that are punishable by severe fines. The law has a significant and far-reaching influence. By demonstrating its hard stance on data security, the GDPR has pushed other countries to put similar privacy protections in place, making compliance a challenging task.

GDPR was set up to regulate the way companies process and use the personal data they collect from consumers online. It also has rules in the way that information is moved, whether that's partly through automated means.

The data here contain both personal identification data and sensitive personal data, which includes name, identification number, IP Address, Health data, Biometric, Racial or Ethnic, Sexual orientation.

According to GDPR, a business/organisation is responsible for complying with all the data protection principles and is also responsible for demonstrating compliance.

The GDPR applies to any organisation operating within the European Union or any organisation outside of the European Union which offers goods or services to customers or business in the EU.

Basically, it applies to all companies processing and holding the personal data of data subject residing in the European Union, regardless of the company location.

Companies must satisfy at least one of the following six requirements to legally process any person's personally identifiable information (PII), according to GDPR:

• Express consent of the data subject.
• Processing is necessary for the performance of a contract with the data subject or to take steps to enter a contract.
• Processing is necessary for the compliance with a legal obligation.
• Processing is necessary for to protect the vital interest of a data subject or another person.
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
• Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights, or freedoms of the data subject.

There are various principles laid down by the GDPR relating to processing of personal data:

• Data processed should be: lawfulness, fairness, and transparency.
• Data limitation: Data should be collected only for a specific purpose.
• Data minimisation: only the relevant data should be collected and not otherwise.
• Accuracy: The data collected should be accurate and the be kept up to date.
• Integrity and Confidentiality: The data processed in a manner that ensures appropriate security of personal data, including protection against the damage.

The data processed should be secured for which GDPR ensures data security for processing. As per this the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

In addition, companies that conduct data processing or monitor data subjects on a large scale must appoint a data protection officer (DPO). The DPO is the figurehead responsible for Data governance and ensuring the company complies with GDRP. If a company doesn't comply with the GDPR, legal consequences can include fines of up to 20 million euros ($24.26 million) or 4% of annual global turnover (Whichever is more). In addition, the person in this role is responsible for ensuring appropriate data protection principles are applied to the maintenance of personal data.

The GDPR plays a significant role in India. Europe is a significant market for the ITeS, BPO and Pharma sectors in India. Thus, India cannot ignore the rule and regulation followed by these companies and must follow the EU rules.

Also, after the case of Justice KS Puttaswamy v. Union of India, the Supreme court have laid privacy as a fundamental right in India and has made a Srikrishna Committee, which is working on Digital Data Protection Bill in India. After the enactment of this bill the rules for data privacy in India will be more strengthened and powerful.

Similarities and differences between GDPR and DPDPB:

1. Scope of Applicability: Both regulations are applicable to processing of personal data that occurs within the corresponding region (Europe or India, respectively). Both also apply to personal data processing that takes place outside the jurisdiction, though with a slight difference: the DPDP applies to data processing that occurs outside India if anyone within India is receiving services (without mentioning citizenship), whereas the GDPR protects EU citizens' data even while they are elsewhere in the world.
    
2. Legal basis for processing data: Both laws prescribe what information must be revealed to the data subject, including contact information for a data protection officer, and they both demand that data subjects (or "data principals" in the DPDP) be notified about processing activities before or at the time of processing.
    
3. Consent: While "consent" is defined similarly in the GDPR and the DPDP, the DPDP has a wider range of circumstances in which consent is appropriate. The only modification to the GDPR's definition of consent is the use of "data principal" in place of "data subject," which is defined as "any freely given, specific, informed, and unambiguous indication of the data subject's wishes." Both regulations stipulate that giving consent must be as simple to withdraw as giving it, and that receiving services cannot be contingent upon giving consent to data processing that is not required.
    
4. Terminology and Definition: In accordance with the GDPR, the person who chooses the objectives and tools used to process personal data is referred to as the "data controller." In contrast, the "data fiduciary" under the DPDP is the party that chooses the objectives and means of processing personal data. An individual whose personal information is handled under the GDPR and is as a result covered by data protection rules is referred to as a "data subject." While a "data principal" under DPDP is a person whose personal information is processed and is as a result covered by data protection rules.
    
5. Extra territorial data transfer: Personal data may be transferred in accordance with the GDPR (a) to nations with adequacy status (b) if the controller or processor offers suitable, enforceable safeguards (such as Standard Contractual Clauses included in a Data Processing Agreement), or (c) if the transfer complies with a specific derogation for a particular set of circumstances.

Whereas as per section 17, "Transfer of personal data outside India," the DPDP very briefly addresses this topic by stating that the Government may name specific nations to whom data may be transmitted. Protections under contracts or other means of data transfer are not considered.