The DPDP Bill achieves a crucial balance between upholding users' rights and
encouraging innovation in digital enterprises. Some of its most beneficial
elements for business include the abolition of criminal penalties for
noncompliance and the facilitation of international data exchanges. On the other
hand, it also guarantees a wide range of rights to data principals to establish
an open and responsible framework for data governance in the future.
It only applies to the processing of "Digital Personal Data," leaving out non-personal
information and information in non-digital media. It applies to the processing
of digital personal data on Indian soil. Additionally, where the processing
involves any form of profiling or involves providing goods or services to data
principals inside of India, it also applies to the processing of digital
personal data outside of India. The Lok Sabha was presented with the Digital
Personal Data Protection Bill (DPDPB), 2023, which seeks to control personal
digital data and address violations.
Features of the Bill
- The bill will apply to the handling of digital personal data processed in India, whether the data is obtained online or offline and then converted to digital form. If the processing is being done to offer products or services in India, it will also apply to processing done outside of India.
- Only with the individual's consent and for legitimate purposes may personal data be handled. For certain legal purposes, such as the processing by the state to process applications for permits, licenses, benefits, and services, or the voluntary exchange of data by an individual, consent may not be required.
- Data fiduciaries will be required to keep data accurate and secure, and to delete it once its purpose has been served.
- The bill provides individuals with several rights, including the ability to request information, seek correction and erasure, and file a grievance.
- For specific reasons, such as state security, public order, and the prevention of crimes, the central government may exclude government agencies from the bill's restrictions.
- The data protection board of India will be established by the national government to make decisions regarding any violations of the bill's requirements.
Critical Points and Analysis
- Data collection, processing, and retention may go beyond what is necessary if the state is given exemptions from processing it for reasons like national security. The fundamental right to privacy may be compromised by this.
- The risks of harm resulting from the processing of personal data are not regulated by the bill.
- The right to data portability and the right to be forgotten are not granted to the data principal by the bill.
- The bill permits the transfer of personal data outside of India, but only to nations that have been authorized. This mechanism might not provide a sufficient assessment of the level of data protection in the nations where the transfer of personal data is permitted.
- The members of the Indian data protection board will hold their positions for two years, with the possibility of reappointment. The board's independence may be hampered by the short term and potential for reappointment.
Information that can be used to identify or contact a specific individual is
known as personal data. Personal data is processed by both businesses and
governmental organizations to supply goods and services. Processing personal
data enables comprehension of user preferences, which may be helpful for
customization, targeted advertising, and suggestion development.
Law enforcement may benefit from the processing of personal data. Unchecked
processing may have detrimental effects on people's privacy, which has been
acknowledged as a fundamental right. Individuals may suffer harm from it,
including financial loss, reputational damage, and profiling. India does not
currently have separate legislation governing data protection.
The use of personal data is governed by the Information Technology (IT) Act of
2000. To study concerns about data protection in the nation, the central
government established a Committee of Experts on Data Protection in 2017,
chaired by Justice B. N. Srikrishna. In July 2018, the Committee submitted its
report. Based on the Committee's recommendations, the Personal Data Protection
Bill, 2019 was presented in Lok Sabha in December 2019.
The bill was referred to a Joint Parliamentary Committee, which delivered its
report in December 2021. The Bill was withdrawn from Parliament in August 2022.
A Draft Bill was made available for public comment in November 2022. The
Digital Personal Data Protection Bill, 2023 was tabled in Parliament in August
of that year.
Exemptions for the State could adversely affect privacy.
Many exemptions from the Bill pertain to the State's processing of personal
data. The State is defined as the following under Article 12 of the
Constitution:
- the central government;
- the state government;
- the local bodies; and
- the authorities and businesses established by the government.
The Bill might let the State process data without being reviewed, which might
violate someone's right to privacy.
In 2017, the Supreme Court ruled that any violation of the right to privacy must
be proportionate to the justification for the intrusion. Data collection,
processing, and retention may go beyond what is necessary if the State is
granted exemptions. This might not be reasonable and may go against people's
basic right to privacy.
The Bill gives the central government the authority to exempt processing by
government agencies from any of its provisions in the interest of goals like
maintaining public order and state security. Except for data security, no rights
of data principals and no duties of data fiduciaries will apply in some
circumstances, such as when processing data to prevent, investigate, and
prosecute crimes. The Bill does not require government entities to erase
personal data after the intended purpose of processing has been satisfied.
Using the aforementioned exceptions, a government agency may gather information
on persons to build a 360-degree profile for monitoring on the grounds of
national security. For this, it might make use of information stored by various
government agencies. This raises the question of whether these exemptions will
pass the proportionality test.
For communication interceptions carried out for reasons such as national
security, the Supreme Court (1996) established several protections, including:
- showing necessity,
- purpose limitation, and
- storage limitation.
These are comparable to the duties of data fiduciaries under the Bill, whose
applicability has been excluded. The Srikrishna Committee (2018) suggested that
obligations other than fair and reasonable processing and security precautions
should not apply in cases of processing for reasons like national security and
the prevention and prosecution of crimes. It noted that responsibilities like
purpose specification and storage restriction, if relevant, would be carried
out by a different statute. There is no such legal framework in India.
Whether it is appropriate to override consent for objectives like benefits,
subsidies, licenses, and certificates.
When the state processes personal data to provide a benefit, service, license,
permit, or certificate, the bill takes precedence over an individual's consent.
It expressly permits the use of information collected for one of these purposes
for another. Additionally, it permits the use of personal information already
held by the state for any of these objectives. As a result, it does away with
purpose limitation, one of the fundamental ideas guiding privacy protection.
Data should only be gathered and utilized for the purposes for which it was
originally intended. It is up for debate whether or not these exemptions are
necessary.
Profiling of persons may be possible due to the possibility of combining data
collected for different purposes. Individuals would, however, have agency and
control over the collecting and sharing of their data if consent were required.
No provision is made for the right to data portability or the right to be
forgotten.
The right to data portability entitles data principals to receive and transfer
their data in a structured, widely accepted, and machine-readable format from a
data fiduciary for their use. The data principal has more control over their
data as a result. It might make it easier for data to go from one data fiduciary
to another.
One potential worry is that it might expose the data fiduciary's trade secrets.
According to the Srikrishna Committee's (2018) recommendation, the right must be
guaranteed insofar as it is practicable to disclose the information without
disclosing such trade secrets. The Joint Parliamentary Committee had noted
that the right to data portability could only be refused based on technical
feasibility and could not be denied based on trade secrets.
The phrase "right to be forgotten" refers to a person's ability to control how
much of their personal information is made public online. The right to be
forgotten is a concept that seeks to impose memory constraints on an otherwise
infinite digital realm, according to the Srikrishna committee (2018). The
committee did emphasize, though, that this right might need to be balanced
against other rights and interests.
The exercise of this right may conflict with another person's freedom of
expression and informational rights. Its applicability may depend on elements
like the sensitive nature of the restricted personal data, the significance of
the data to the public, and the position of the data principal in public.
Adequate protection in cases of data transfer across borders
The protection of Indian individuals' privacy is the main goal of the
legislation governing the transfer of personal data outside of India. Data held
in another nation that lacks strict data protection legislation may be more
susceptible to breaches or unauthorized sharing with both foreign governments
and private organizations. According to the 2019 bill, the transfer of specific
types of data to a country should only be permitted if that country offers an
acceptable level of security.
A new strategy was used in the 2022 draft bill, in which the central government
would notify the nations to which any personal data may be transmitted. Both of
these procedures call for a case-by-case assessment of the regulations in each
nation where data may be transferred. A mechanism that only imposes restrictions
on certain nations does not require such an extensive review.
Shorter appointment terms could affect the Board's independence.
The data protection board of India's members would operate as an autonomous
body, according to the bill. Members shall be appointed for two years and have
the option of being reappointed. Short terms with the possibility of
reappointment may hinder the board's ability to act independently.
Monitoring compliance, conducting investigations, and determining sanctions are
among the board's primary responsibilities. In the context of tribunals, the
Supreme Court (2019) noted that short-term appointments combined with
re-appointment rules boost the executive's power and control.
According to their respective acts, regulatory agencies having an adjudicative
function, such as the central electricity regulatory commission and the
competition commission of India, have a five-year tenure. The period of
appointment for TRAI is three years. According to the rules, the appointment to
SEBI is for five years.
Conclusion
The bill gives legislative support to the Supreme Court's historic decision in
the Justice K. S. Puttaswamy (retd) v. Union of India case (2017).
According to Article 21 of the Indian constitution, a nine-judge supreme court
panel unanimously declared that Indians have a basic right to privacy that is
protected by the law. The proposed law can give people significant new rights
and give them improved visibility, awareness, decisional autonomy, and control
over their data by addressing the issues described above.