The Digital Personal Data Protection Bill, 2022 ("PDP Bill") was framed with an aim to protect the personal data of individuals, to regulate the processing of digital personal data while protecting the rights of the users, and to ensure that the data collected by the data fiduciaries is done so in a free, fair, and transparent manner.

The initial draft of the PDP bill, 2019 was withdrawn by the Ministry stating that a more comprehensive legal framework shall be drafted in the future. In 2022, the current version of the PDP Bill was tabled.

Important Definitions:

• Section 2 (4) of the Bill defines data as "a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means".
• Section 2 (13) defines Personal Data as "any data about an individual who is identifiable by or in relation to such data".
• Section 2 (14) defines Personal Data Breach as "any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data."
• Section 2 (5) defines Data Fiduciary as "any person who alone or in conjunction with other persons determines the purpose and means of the processing of personal data".
• Section 2 (6) defines Data Principal as "the individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child".

Applicability of the Bill:

• Section 4 of the Bill specifies that the PDP Bill shall apply to the processing of digital Personal Data within the territory of India if the data so processed are (i) obtained from Data Principals online and (ii) digitized from Personal Data obtained offline.
• The DPDP Bill will also be applicable to processing personal data outside of India if that processing is related to creating Indian-specific profiles of individuals or providing Indian-based Data Principals with products and services. "Any form of processing of Personal Data that analyses or predicts aspects concerning the behaviour, attributes, or interests of a Data Principal" is referred to as profiling in this context.
• Non-automated processing of personal data, offline processing of personal data, processing of personal data by an individual for any domestic or personal purpose, and the presence of personal data about an individual in a record that has been in existence for more than a hundred years are all exempt from the applicability of the bill.

Obligations of the Data Fiduciary:

1. Consent: The Bill provides that the Data Fiduciary can process the data only in accordance with the rules and the guidelines provided in the Bill for a lawful purpose (Section 5). Further, it is mandatory for the data fiduciary to obtain the consent of the data principal before processing the personal data of the data principle (Section 6). Further, the data principle shall give consent to such processing of personal data after obtaining such request for consent from a data fiduciary. The consent sought must not infringe upon any provision of the Bill and such consent request must contain the details of the data protection officer (Section 7 (3)).
    
2. Deemed consent: As per section 8 of the Bill, it shall be deemed that consent was given by the data principle in certain circumstances such as where the personal data is provided voluntarily, compliance with any judgment, responding to a medical emergency, in the public interest, etc (Section 8).
    
3. Withdrawal of the consent: The Data principal shall have the right to withdraw the consent given by her for the purpose of processing the personal data at any time through a consent manager (Section 7(6)).
    
4. Responsibility of the data fiduciary: The data fiduciary is responsible for ensuring that the data given is correct and accurate, protecting the personal data in their possession, and the data fiduciary shall be responsible for the contravention of any of the provisions of the Bill. In case of a data breach, it's the responsibility of the data fiduciary to inform the Board and the data principal (Section 9).

Obligations of data fiduciary in relation to the personal data of children: Section 10 of the Bill states that the data fiduciary shall obtain verifiable consent of the parents or the guardian before processing such data. Further, the fiduciary shall not undertake, tracking or behavioral monitoring of children or process any personal data which may cause harm to the children.

Obligations of Significant Data Fiduciary(SDF): Section 11 of the Bill states that a significant data fiduciary, as notified by the Central Government shall (a) appoint a Digital Protection Officer, who shall be responsible to the Board of Directors, (b) an Independent Data Auditor, who shall evaluate the compliance of SDF with the Act and, (c) undertake such other measures including Data Protection Impact Assessment and periodic audit in relation to the objectives of this Act.
Rights of a Data Principle: A Data Principle has the:

1. Right to information about personal data. (Section 12)
2. Right to correction and erasure of personal data (Section 13)
3. Right to grievance redressal and, (Section 14)
4. Right to nominate (Section 15).

Duties of a Data Principle: A Data Principle has the duty to:

1. Comply with the provisions of the Bill.
2. Not to register a false or frivolous grievance or complaint with a Data Fiduciary or the Board.
3. Not to furnish any false particulars or suppress any material information or impersonate another person.
4. Furnish only such information as is verifiably authentic while exercising the right to correction or erasure under the provisions of this Act.

Transfer of Personal Data outside India: Section 17 of the Bill provides that Central Government has the power to notify such countries to which the data fiduciary may transfer the Personal Data.

Exemptions: The DPDP Bill grants the government the authority to exempt without justification any state instrument in the interests of India's sovereignty and integrity, security, cordial relations with other countries, preservation of public order, etc. The JPC Report recommended having a "just, fair, reasonable, and proportionate" system in place before approving any such exception, although this advice is not considered by the exemptions under the DPDP Bill, which provides the Government broad discretionary powers (Section 18).

Data Protection Board of India: Section 19 of the Bill empowers the Central Government to constitute a Data Protection Board of India, an independent body. The Government can also prescribe the powers, allocation of duties of the members, and terms of the appointment of the members of the Board. Section 20 of the Bill talks about the functions of the Board, which include the determination of non-compliance with the provisions of the board, the power to investigate, conduct an inquiry, give orders, etc (Section 20).

If there is a breach of personal data, the Board has the authority to order the data fiduciary to take immediate action to fix the problem or lessen any damage to the data principals. The independence of such a crucial position holder, however, might come under scrutiny because the Government of India has discretion over issues like the size and makeup of the Board, the appointment and employment terms of the Chief Executive, the Chairperson, and other Board Members(Section 21).

The DPDP Bill also doesn't provide a deadline for the conclusion of an inquiry conducted by the Board. An appeal against an order of the Board shall lie to the High Court (Section 22). Further, the Board may also refer the dispute to Alternate Dispute Resolution mechanisms (Section 23).

Voluntary Undertaking: The Board may accept any voluntary undertaking to take or to refrain from taking a specified action within a reasonable time. Acceptance of the voluntary undertaking by the Board shall constitute a bar on proceedings under the provisions of this Act as regards the contents of the voluntary undertaking (Section 24).
Penalty: The Board has the power to impose such penalty as prescribed in Schedule 1 if the Board is of the opinion that the non-compliance with the Bill is significant after giving the person an opportunity of being heard, however, such penalty cannot be more than five hundred crore rupees in each instance (Section 25).