A draft of the Digital Personal Data Protection Bill, 2022 ("DP Bill") was
made public by the Ministry of Electronics and Information Technology on
November 18, 2022, and interested parties were invited to offer suggestions and
comments.
The much-awaited DP Bill is intended to establish a framework regulating the
processing of "digital personal data" in a manner that matches Indian users'
expectations of an open, safe, trusted, and accountable internet, as India
emerges as an economy with over 760 million active internet users. The DP Bill
aims to strike a balance between the Data Principals' right to have their
digital personal data protected and the Data Fiduciaries' need to process such
data for lawful purposes.
To establish processing standards that balance an individual's rights over
their personal data against the practical necessity of processing personal data
for lawful purposes, the DPDB narrows the proposed law's focus to digital
personal data.
An explanatory note accompanies the DPDB to help with the interpretation of the
proposed provisions, although it is stated that the note does not form part of
the DPDB. The DPDB is organised into 6 chapters and 1 schedule, includes
illustrations to clarify the intent of certain clauses, and is substantially
shorter than the earlier drafts. It proposes 30 clauses for the regulation of
digital personal data processing.
The Ministry of Electronics and Information Technology (MeitY) has released the
draft of the Digital Personal Data Protection Bill, 2022 ("the Bill") for public
consultation, along with an explanatory note for each provision and the
underlying principles that guided the drafting. The public consultation is open
until December 17, 2022.
The Bill draws inspiration from Singapore's Personal Data Protection Act, 2012
(PDPA) and is a condensed, concise version of the proposed general data
protection legislation circulated earlier (the "Previous Drafts"), which
borrowed heavily from the European Union's GDPR. The proposed legislation calls
for greater accountability and transparency in governing domestic and
cross-border data flows. This Bill comes three months after the previous
version of the bill was withdrawn following widespread criticism of its onerous
provisions.
While the Bill offers a more flexible framework for compliance and suggests a
number of much-needed reforms (such as dropping non-personal data from its
scope), it also puts forward a number of proposals with far-reaching
implications.
Given the enormous implications that a law on data protection is expected to
have on users and the industry, each version has had its fair share of public
discussion up to this point. This is the fourth draft of the proposed data
protection law in as many years.
Application and Scope:
The Digital Personal Data Protection Bill, 2022, if passed, will apply to the
processing of 'digital personal data', i.e., personal data that is collected
online, or collected offline and then digitised, subject to exemptions.
Processing carried out manually, or by individuals for "personal or domestic
purposes", is not covered. Additionally, the Bill exempts "personal data
contained in a record that has existed for at least 100 years."
The processing of data within India was already covered by the previous
drafts, but this Bill also reaches data processing outside India where it
relates to profiling Indian data principals or offering them goods or services.
The territorial scope of the DPDB, 2022 has therefore expanded.
To understand the scope of this Bill and to differentiate this Bill from the
previous drafts, it is essential to understand the meaning of "personal data",
what exceptions apply to it, and who the major players are throughout the
processing lifecycle.
Any information about an individual who is identifiable by, or in connection
with, that information is personal data, and the definition includes opinions.
However, the DPDB protects only digital personal data, meaning data gathered
online or collected offline and then converted to digital form.
Processing means automated operations performed on digital personal data across
its lifecycle, such as obtaining, recording, collecting, structuring, storing,
manipulating, sharing, and transferring data. Any digital operation that can run
automatically under predetermined conditions, or on its own, counts as automated
processing.
The DPDB applies to the processing of digital personal data only where that
processing is automated. This means the 2022 Bill will not apply to manual
processing, for example of structured paper filing systems. Additionally, the
DPDB will not apply to personal data processed by an individual for personal or
domestic purposes, or to personal data contained in a record that has existed
for one hundred years or longer.
There are no provisions for particular classes of sensitive personal data or
critical personal data. Consequently, no specific rules apply to the processing
of sensitive data sets such as financial, biometric, or health information.
Classifying such data as 'sensitive' or 'critical', as earlier drafts did, is
what makes graduated consent requirements and penalties possible for data that
demands additional protection.
Although the goal of a straightforward compliance regime is admirable, the
current approach could have the unintended effect of "treating unequals
equally", leaving organisations to choose between under-protecting highly
sensitive data and carrying a heavier compliance burden for less sensitive data.
The DPDB Bill, 2022 applies to three stakeholder roles:
- data fiduciary (akin to controller)
- data processor
- data principal (akin to data subject)
Fundamental Concepts: Global Principles upon which the DPDB Bill is Based
The new Bill, put forward by the Ministry of Electronics and Information
Technology, sets out the obligation to use collected data lawfully as well as
the rights and duties of the "Digital Nagrik" (digital citizen). The law is
founded on the following principles, drawing on best practices from
jurisdictions such as Singapore, Australia, and the European Union:
- Lawfulness, fairness, and transparency.
- Purpose limitation.
- Data minimization.
- Accuracy.
- Storage limitation.
- Accountability
Consent and Deemed Consent:
Digital personal data may be processed only for a lawful purpose and with the
Consent or Deemed Consent of the data principal. The penalty for violating the
Consent or Deemed Consent requirements can be up to INR 500 million (about USD
6.1 million).
The Bill mandates obtaining consent for processing after providing a notice in
clear and plain language, "describing" the type of personal data sought to be
collected and an "itemised" list of the purposes of processing. This is in
contrast to the Earlier Bill and the GDPR, which prescribe a granular consent
regime, at least for sensitive personal data.
Consent remains the primary lawful basis for processing, albeit with loosened
constraints. Under the DPDB, consent must be free, specific, informed, and
unambiguous. It must be signified by the data principal through a clear
affirmative action and is limited to the specified purposes. A data fiduciary
must provide an itemised notice (i.e., presented as a list of individual items)
on or before obtaining consent that clearly and plainly describes the personal
data sought to be processed and its intended use.
These notice requirements could end up doing both too much and too little at
once. Allowing an "itemised" list of purposes lets entities continue to collect
"all or nothing" bundled consents, limiting the usefulness of these "fresh"
consents to Data Principals. The re-consenting obligation, on the other hand,
risks inundating Data Principals with thousands of notices (a phenomenon also
observed under the GDPR).
Data Principals are given an option of requiring that notice be provided in any
of the 22 languages specified in the Eighth Schedule of the Constitution of
India.
But here, benefits to Data Principals may be outweighed by the difficulties of
translating authoritative versions of dynamic documents into each of these
languages, especially if the underlying application or service is only available
in a few of them.
Additionally, the data principal has the right to withdraw consent at any time,
with the understanding that the consequences of doing so are borne by the data
principal. The data fiduciary bears the burden of proving that processing was
done with consent, but under the proposed scheme that burden would be
relatively easy to discharge if the notice seeking consent contained only the
bare minimum of information and the data principal gave an affirmative response
indicating consent.
Deemed consent is a concept drawn from Singapore's Personal Data Protection Act
2012, and it has found its way back into the current DPDB Bill, 2022. Unlike the
previous regulation, it lacks safeguards such as revocation and the restriction
of the permission to specifically stated purposes.
When a Data Principal voluntarily gives personal information to the Data
Fiduciary and it is "reasonably expected that such data would be given," there
is an assumption of deemed consent. As opposed to the Previous Drafts, the Bill
does not include a mechanism for the adoption of laws or guidelines for
processing based on deemed consent, which could lead to the abuse of this
provision, especially given that Data Fiduciaries have the power to gain
broad-based consent.
The other grounds of Deemed Consent cover a wide range of processing grounds
recognised in other jurisdictions, including processing by state or judicial
entities, for authorised contracts, legitimate interest, the benefit of the data
principal, and repurposing. The government may also notify further grounds in
the future. Under these grounds, however, the data principal need not be
notified either before or after the fact. Data principals might not know what,
why, how, or when their personal data was processed, which undermines the
transparency and accountability principles essential for protecting
informational privacy.
Cross border data transfer:
Stakeholders extensively debated the specifics of cross-border data flows under
past drafts of this Bill, with significant opposition to both soft and hard
data localisation requirements. The DPDB, 2022 drops such localisation
requirements, which is a positive development. It provides that the central
government will notify the countries to which personal data may be transferred,
on such terms and conditions as may be specified, after assessing whatever
factors it considers necessary.
This suggests that the central government will have complete discretion in
deciding which jurisdictions are appropriate and in setting conditions for data
transfers. Alternative transfer mechanisms, such as binding corporate rules,
standard contractual clauses, and occasional (one-off) transfers, are not
provided for.
Currently, IT Rules only allow cross-border transfers with consent or when such
transfers are necessary for the performance of the contract entered into with
the data principal. Data transferors are required to assess whether a similar
level of data protection will be afforded to the personal data by the data
transferee.
As a result, the DPDB further relaxes the restrictions already in place: it
appears that data fiduciaries and processors may freely transfer personal data
outside India as long as there is consent or a deemed-consent basis for the
transfer, until transfer-related rules are notified.
Obligation of data fiduciary:
The guiding principle is that, notwithstanding any contract to the contrary or
any action on the part of the data principal, the data fiduciary is primarily
accountable for compliance with the DPDB. This is the common approach under the
IT Rules and the data protection laws of other countries.
The duties imposed on all data fiduciaries are as follows:
- take reasonable measures to keep processed personal data accurate and
complete where it may be used to make decisions that affect the data
principal or is to be shared with another data fiduciary;
- implement suitable organisational and technical measures to comply with the
DPDB;
- take reasonable security safeguards to protect personal data and prevent
data breaches; the penalty for non-compliance can be up to INR 2,500 million
(about USD 30 million);
- notify the Data Protection Board of India (DPBI), the regulator envisaged
under the DPDB, and each affected data principal of a personal data breach;
the penalty for non-compliance can be up to INR 2,000 million (about USD 24.5
million). This is a positive change from the previous bill, which did not
require fiduciaries to tell data principals about breaches without first
conducting a harm and risk analysis;
- cease retaining personal data, or remove the means by which it can be
associated with a particular data principal (for example through
pseudonymisation or anonymisation), as soon as the purpose for retention is
fulfilled or the data is no longer needed for any other business purpose;
"business purpose" is broad and can be read to allow retention even after the
processing and legal purposes have been satisfied;
- publish the business contact information of the person authorised to respond
to the data principal's inquiries;
- establish an effective grievance redress mechanism; and
- engage a data processor, or transfer personal data to another data
fiduciary, only with the data principal's consent and only under a contract.
This last requirement appears not to apply where processing is done on the
basis of "deemed consent".
Rights and Duties of Data Principal:
The DPDB attempts to impose specific obligations on data principals while
limiting the scope of their rights in relation to their personal data.
A data principal is entitled to:
- confirmation of the processing carried out;
- access to a list of all the data fiduciaries with whom personal data has
been shared, a summary of the processing activities that have been carried
out, and any additional information that may be prescribed;
- rectification of false or inaccurate personal data;
- completion of any incomplete personal data;
- updating of personal data;
- erasure of personal data no longer required for processing or for any other
legitimate reason. It is important to keep in mind that a fiduciary is
allowed to retain personal data if it is required for business purposes. As
a result, it is unclear whether the right to erasure will override this
fiduciary right, and clarification is needed;
- lodging a grievance with the data fiduciary; and
- escalating a complaint to the DPBI where the grievance lodged with the data
fiduciary receives an unsatisfactory response or no response.
In the event of their death or incapacity, a data principal may nominate
another person to exercise these rights on their behalf.
The right to data portability, the right to be forgotten, and the right to
object to specific types of processing—automated data processing being the key
area of regulation—shall not be granted to the data principal. These rights have
been contentious issues around the world. Rules-making will determine the
format, timeline, manner, and other specifics of how rights can be exercised.
However, the data principal is required to fulfil certain duties in order to
exercise these rights. One of them requires the data principal to comply with
the provisions of all applicable laws. This is unclear because it could be read
to mean that any violation of any applicable law could invalidate the rights of
the data principal, even where there is no connection between the violation
and the right being exercised.
For instance, a literal interpretation would imply that a person who has been
convicted of a crime lacks the rights of a data principal under DPDB. Who would
decide and confirm whether the data principal has been and is in compliance with
applicable law is also unknown.
The data principal must also refrain from filing fictitious or pointless
complaints with the data fiduciary or making complaints to the DPBI. It appears
that data fiduciary and DPBI have the discretion to decide if a complaint or
grievance is untrue or frivolous.
Additionally, when applying for any document, service, unique identifier, proof
of identity, or proof of address, the data principal is required to provide true
and relevant information; additionally, all information provided in order to
exercise the right to correction or erasure must be verifiably authentic.
The maximum penalty for a data principal who breaches these duties is INR
10,000 (about USD 122). Conversely, failure by the data fiduciary to honour
duly exercised data principal rights may attract a penalty of up to INR 500
million.
Penalties Imposed Under The New Bill: The mechanism for securing compliance
with the law, namely the penalties for non-compliance, has likewise changed. The
Bill's earlier iterations, modelled on the EU General Data Protection
Regulation, capped fines at 4% of the data fiduciary's total annual global
turnover so that they were proportionate to the scale of the organisation.
The current Bill instead caps the penalties that can be levied on the data
fiduciary at INR 5 billion (about USD 61 million). Failure to protect the
security of personal data may attract a penalty of up to INR 2.5 billion (about
USD 30 million) for the data processor as well as the data fiduciary, even
though the Bill does not specify what compliance obligations apply to data
processors.
Following are the penalties specified in the new Bill:
- Clause 9(4): failure to take reasonable security safeguards to prevent a
personal data breach, penalty of up to Rs. 250 crore;
- Clause 9(5): failure to notify the Board and the affected Data Principals of
a personal data breach, penalty of up to Rs. 200 crore;
- Clause 10: non-compliance with the additional obligations relating to the
processing of children's data, penalty of up to Rs. 200 crore;
- Clause 11: failure of a Significant Data Fiduciary to fulfil its additional
obligations, penalty of up to Rs. 150 crore;
- Clause 16: breach of the duties of the Data Principal, penalty of up to
Rs. 10,000; and
- non-compliance with any other provision of the Bill, penalty of up to
Rs. 50 crore.
Viewpoints:
Justice BN Srikrishna, who chaired the committee that drafted the original
Personal Data Protection Bill, has stated that the absence of stricter rules
protecting citizens' sensitive personal data leaves the fundamental right to
privacy undefended.
Under the current version of the Bill, the data principal's consent is deemed
to have been given whenever the State or any of its agencies performs any
function under law, provides them with a service or benefit, or issues them a
certificate, licence, or permit for a particular action or activity.
This means the Bill grants State instrumentalities and the private sector equal
convenience in collecting data on the strength of deemed consent. The Bill is
unclear as to whether the Data Principal can revoke deemed consent once it is
taken to have been given and, if so, what process would be followed. One may
question whether this was a tactic to win broad support for the Bill, given that
it grants the State and the private sector equal liberties.
The Bill eliminates the burdensome data localisation mandate imposed by the 2019
Bill, continuing the pro-business theme. Second, the Bill introduces the idea of
a "voluntary undertaking", which gives the Data Protection Board the option to
accept an assurance from an offending organisation that it will comply with
the Bill's obligations in future.
This is similar to the compounding of offences under the Companies Act.
Although the Bill provides for penalties of up to INR 500 crore for violations
of the data protection law, there is no provision allowing data principals to
seek compensation for such violations. One cannot help but question whether the
private sector has been treated too lightly.
Subordinate legislation, such as the Rules to the Bill and other executive
orders, is anticipated to give some of the law's provisions teeth and make them
operative. However, the Bill does not yet fully address how the right to privacy
guaranteed by the Constitutional Right to Life shall be protected by private or
public actors, nor does it adequately secure the privacy of digital data of data
principals.
Overall, it is not recommended that the Bill be passed in its current form.
Anyone concerned about their right to digital data privacy should read the Bill
and voice their concerns to the government before mid-December, when the public
comment window closes.
Drawbacks of The Bill:
After facing sharp criticism from Big Tech, the amended Bill has omitted
some of the more problematic regulations governing cross-border data transfers.
Cross-border data flows were subject to strict restrictions under the bill's
previous version. Businesses were required to keep a copy of "sensitive"
personal data in India while exporting "critical" personal data was prohibited.
By not placing such demands on businesses, the revised draft represents a
substantial shift in perspective on this matter. Companies are not mandated to
keep their data only in India. Now, they can send the data to any nation on the
government's list. On what basis the government will choose a country is still
not clear. Despite this, loosening the regulations on data storage will be
welcomed by both Big Tech and the nation's expanding start-up environment.
The Bill also puts the Data Protection Board's independence into question. The
Board's members and its chairperson are to be appointed by the government, and
the rules under the Bill are also to be framed by the Central Government. The
Bill further contains provisions that curtail the powers of the Board.
The broad exemptions granted to the government and its agencies, with few
controls, are equally disputed. When discussing the prior version of the Bill,
the joint parliamentary committee had recommended that any exemption be granted
in accordance with a "just, fair, reasonable, and proportionate" procedure. No
such change appears in the 2022 Bill. It still gives the government the power
to exempt any of its entities from particular or all provisions of the Bill on
grounds such as national security and public order.
The government is also permitted to retain personal data in its possession
indefinitely. Additionally, no government notification is required to process
personal data for the prevention, investigation, etc., of offences. These
arguably problematic elements, which give the government more power than an
independent statutory authority would have, need to be re-examined at a time of
growing concern about government overreach.
Companies are also not required to disclose much to people about how they use
personal data. Earlier Bills required businesses to state how long they would
store data and whether they would share it with third parties; the notice that
must now be shown to users need only state what personal data will be collected
and for what purpose.
Additionally, users must be given notice only when consent is sought; no notice
is required where consent is deemed. Fiduciaries are not required to publish a
privacy policy on their website, as earlier Bills mandated. The Bill also drops
any explicit mention of purpose specification and purpose limitation, which are
core obligations.
Another major cause of worry is the inclusion of "deemed consent" clause. In
addition to explicit consent, the Bill also recognises "deemed consent" as a
legal basis for processing personal data. The problem that arises is the
criteria for what qualifies as deemed consent. They are wide and ambiguous,
permitting the processing of personal data without consent for a variety of
reasons.
In today's highly regulated data environment, companies in India need a
rigorous compliance strategy if they are to benefit from the new regime.
Conclusion:
When the DPDB is passed into law, it is intended to be implemented gradually,
thus it will be important for the government to give businesses enough time to
strengthen their current data protection procedures. The fundamental idea behind
DPDB is to offer broad principles for data protection, and MeitY has done this
by including provisions from data protection laws from countries like Australia,
Singapore, and the EU.
The government's view is that the draft law, as it stands, leaves enough room
for adaptation as the digital ecosystem changes. The start-up community and
businesses have expressed optimism about the proposed measures, while others
have raised concerns about the lack of sufficient checks and balances on
executive powers and exemptions. However, the devil is in the details, and
that is why delegated legislation has been used. Ultimately, the true
effectiveness and impact of the DPDB will have to be proven over time.
The DPDP Bill, 2022 has received mixed reviews, but it is a comprehensive piece
of legislation that should be passed shortly. For ease of understanding, the
definitions have been condensed. The Bill permits the storage and transmission
of data across international borders to "certain notified nations and
territories," although it is still unclear to which countries this is allowed.
Previous iterations of the bill were criticised for being too "compliance
intensive," but the DPDP Bill, 2022, offers encouragement to start-ups because
the government has the authority to exempt some companies from the bill's
requirements based on the volume of users and personal data they process. In
order to preserve public order and India's sovereignty and integrity, the Bill
also grants the government the authority to grant exemptions from its
requirements.