On reading the Digital Personal Data Protection Bill, 2022 (DPDP Bill, 'the
Bill', 'Bill')[1] it was clear that it is largely based on the General Data
Protection Regulation (GDPR)[2] which was adopted by the European Union in 2018,
except for the GDPR's provisions concerning multiple supervisory authorities and
their cooperation, which exist because the EU is a multi-member/multi-nation union.
Also, this Act is different from the draft Digital India Act/Bill, which is yet
to be published.
Here is the synopsis of the important provisions under the DPDP Bill:
(The word 'the Act' or 'Act' is interchangeably used with the word 'Bill' for
simplicity, although as of the date of this article it has not been passed by
the Parliament)
Definitions
Firstly, let's establish meaning for certain terms used in the Act –
- Data Fiduciary: The entity/company/anyone who collects data and decides the means and purpose of processing such data, possibly also hiring other entities to do the processing work. The Data Fiduciary is the entity with whom the User enters into an agreement.
- Data Processor: Entities hired by a Data Fiduciary to process Users' data. This is important because the Act further provides that a user may ask the fiduciary for her data along with whom it was shared or who processed it.
- Data Principal (Users): Simply means the user whose data it is, and includes a child's guardian/parents.
- Processing of Data: It mainly means dealing with the data in the way agreed between the Data Principal and the Fiduciary. It includes storage, structuring, recording, collection, alteration, use, alignment or combination, sharing, disclosure, etc.
- Data Protection Board of India ('Board'): The Act establishes an independent authority, namely the Data Protection Board of India, with which Users can lodge complaints about non-compliance with the Act; it will act as a Quasi-Judicial Adjudicating Authority. The Board will function entirely ONLINE. It will be a total DIGITAL OFFICE. Companies (Data Collectors/Fiduciaries) will have to report each and every Data Breach to it. The Board will also notify Significant Data Fiduciaries (SDFs).
- Data Protection Officer: An Officer to be designated by Significant Data Fiduciaries, whose contact details are provided to the users for making a grievance/complaint.
- Independent Data Auditor: The act also provides for appointment of an Independent Data Auditor in SDFs.
- Harm: Bodily harm, theft or distortion (of identity), harassment, or anything that prevents lawful gain or causes significant loss.
For instance, a person may be attacked by a mob on the basis of data unlawfully published, shared or accidentally distributed by a Data Fiduciary; similarly, online harassment, distortion or theft of identity may follow from illegal dissemination of data by a fiduciary.
- Personal Data Breach: Means unauthorized processing, acquisition, storage, use, alteration, destruction of or loss of access to data from the user, which ultimately compromises confidentiality or integrity or availability of data; or accidental disclosure of data.
Applies to:
- Only individuals, i.e. natural persons, are protected under this Act/Bill.
To Whom the Act Applies:
- Data (online/digitised data) of any user in India that is processed within India.
- Data of a User in India processed from outside India, when the processing relates to profiling (processing that analyses or predicts the behaviour/attributes/interests of a Data Principal) or to the activity of offering goods or services.
To Whom the Act Doesn't Apply:
- Non-automated Processing
- Offline data
- Personal data processed by individuals for personal/domestic purpose
- Data more than 100 years old
- Data processing of Data Principal outside India pursuant to a contract entered between a person outside India, where such data is processed by Indian Entity.
Notice
Notice about what data can be collected and for what purpose. (Privacy Policy)
Although this Act requires the data fiduciary to give the user a notice in the
form of a list containing the data to be collected and its purpose and use, it
further provides that such notice can be in the form of, or part of, the same
document/form that collects the data. In practice this can just mean ticking a
privacy-notice checkbox, which is already present on almost every platform
owing to international laws like the GDPR. Thus, although the Act provides that
a notice is necessary before requesting the data, the explanation to the
provision in a sense relieves the fiduciary from strictly giving a clear and
separate list of the data requested and its purpose.
The same section gives the User the power to ask for the information collected
and processed by the fiduciary so far, so the Data Fiduciary has to provide
such an option.
Even though the provision is thus liberalised, this might change if the rules
framed under this Act make it more rigid and strict.
Consent
- Agreement by the User for the Data requested.
- Consent means a freely given, specific, unambiguous indication by a user, thus signifying agreement to the processing.
- Consent for an act forbidden by this act is invalid.
- The subsection reads: "indication of the Data Principal wishes by which the Data Principal, by a clear affirmative action signifies agreement to processing of her personal data..."
- Clear affirmative action rules out pre-ticked boxes, opt-out boxes; consent must be given through Opt-In boxes.
- Platforms cannot claim consent based on browsing behavior alone.
- The consent request must also include:
- Contact details of the Data Protection Officer (or other officer if DPO not designated).
- The Data Principal must:
- Be provided the option to withdraw consent as easily as it was given.
- Know that withdrawal does not affect data processed during active consent.
- Be assured that upon withdrawal, processing must stop within a reasonable time.
- Consent management shall be handled by a Consent Manager:
- Consent Manager provides accessible, transparent, interoperable platform.
- Acts on behalf of the Data Principal.
- Must be registered with the Board.
- (Details may be prescribed by future rules.)
Validity of Conditional Performance
- Consent for collecting unnecessary data as a condition to perform a contract is invalid.
- Example: A photo editor app demanding access to health data to function.
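The consent rules above (clear affirmative action, no pre-ticked or opt-out boxes, no consent inferred from browsing, officer contact in the request, withdrawal that does not undo earlier processing, and no conditioning a service on unnecessary data) translate directly into checks a fiduciary's consent service can enforce. The following is an added example written for this article, not code from the Bill or from any existing consent manager; the data model, the field names, the seven-day wind-down window after withdrawal (the Bill only says "reasonable time") and the photo-editor scenario are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class ConsentRequest:
    """One consent request shown to a Data Principal (hypothetical model)."""
    purpose: str
    requested: FrozenSet[str]          # data categories the fiduciary asks for
    necessary: FrozenSet[str]          # categories the service genuinely needs
    officer_contact: Optional[str]     # DPO (or other officer) contact details
    preticked: bool = False            # checkbox already ticked by default
    opt_out_only: bool = False         # consent assumed unless the user objects
    inferred_from_browsing: bool = False  # "consent" read off browsing behaviour


@dataclass
class ConsentRecord:
    """What the fiduciary stores once valid consent has been given."""
    purpose: str
    categories: FrozenSet[str]
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


def validate_request(req: ConsentRequest) -> List[str]:
    """Return the reasons this request cannot yield valid consent (empty = fine)."""
    problems = []
    if not req.officer_contact:
        problems.append("missing DPO/officer contact details")
    if req.preticked:
        problems.append("pre-ticked box is not a clear affirmative action")
    if req.opt_out_only:
        problems.append("opt-out box is not a clear affirmative action")
    if req.inferred_from_browsing:
        problems.append("browsing behaviour alone cannot signify consent")
    # Conditional performance: the service may not be conditioned on data it does not need.
    unnecessary = req.requested - req.necessary
    if unnecessary:
        problems.append("service conditioned on unnecessary data: " + ", ".join(sorted(unnecessary)))
    return problems


def record_consent(req: ConsentRequest, affirmed: bool, at: datetime) -> ConsentRecord:
    """Create a consent record only for a valid request plus an explicit opt-in action."""
    problems = validate_request(req)
    if not affirmed:
        problems.append("no affirmative action by the Data Principal")
    if problems:
        raise ValueError("; ".join(problems))
    return ConsentRecord(req.purpose, req.requested, at)


def withdraw(record: ConsentRecord, at: datetime) -> None:
    """Withdrawal is a single call: as easy as giving consent was."""
    record.withdrawn_at = at


def processing_allowed(record: ConsentRecord, category: str, at: datetime,
                       wind_down: timedelta = timedelta(days=7)) -> bool:
    """Was/is processing of `category` covered by this consent at time `at`?

    Processing before withdrawal stays lawful; after withdrawal it must stop
    within a reasonable time, modelled here by the assumed `wind_down` window.
    """
    if category not in record.categories or at < record.given_at:
        return False
    if record.withdrawn_at is None:
        return True
    return at < record.withdrawn_at + wind_down


T0 = datetime(2023, 1, 10, 9, 0)  # constructed timestamp for the scenario below


def demo() -> dict:
    """Constructed scenario: a photo editor that demands health data, then a fixed request."""
    greedy = ConsentRequest("edit and store photos", frozenset({"photos", "health"}),
                            frozenset({"photos"}), "dpo@example.invalid")
    fixed = ConsentRequest("edit and store photos", frozenset({"photos"}),
                           frozenset({"photos"}), "dpo@example.invalid")
    rec = record_consent(fixed, affirmed=True, at=T0)
    during = processing_allowed(rec, "photos", T0 + timedelta(days=1))
    withdraw(rec, T0 + timedelta(days=30))
    return {
        "greedy_problems": validate_request(greedy),
        "during": during,
        "earlier_processing_still_lawful": processing_allowed(rec, "photos", T0 + timedelta(days=1)),
        "after_wind_down": processing_allowed(rec, "photos", T0 + timedelta(days=60)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Storing `given_at` and `withdrawn_at` as separate timestamps, rather than overwriting a single "consented" flag, is what lets the fiduciary later show that processing done during the active window was lawful while refusing new processing after withdrawal.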
Deemed Consent
- Consent is deemed and request not needed if:
- User voluntarily provides data (e.g., uploads document or fills form).
- Data necessary for the user to avail a service or benefit provided by the State or its instrumentality, or to comply with law.
- Compliance with a judgment/order.
- Responding to a medical emergency.
- Ensuring safety during disasters or public order issues.
- Employment-related purposes for the employee.
- Public interest, such as:
- Fraud prevention
- Credit scoring
- Search engine operations on publicly available data
Child's Guardian's Consent
- Fiduciary must obtain verifiable parental consent before processing child's data.
- Fiduciary must not:
- Track or behaviorally monitor children.
- Conduct targeted advertising to children (except as prescribed).
Obligations of Data Fiduciary
- Responsible for actions of Data Processors.
- Ensure data is true and complete if it affects user decisions or is disclosed to others.
- Implement reasonable safeguards to prevent data breaches.
- Inform Board and users in case of a breach.
- Have a mechanism for redressing grievances of users.
- May share/transfer/transmit personal data under valid contract and consent.
Obligations of Significant Data Fiduciary
- Designated by Central Government based on:
- Volume and sensitivity of data.
- Risk of harm to Data Principals.
- Impact on sovereignty and integrity of India.
- Risk to electoral democracy.
- Security of the State and public order.
Obligations of SDF:
- Appoint a Data Protection Officer who represents the SDF under this Act and acts as the point of contact between the users, the SDF and its Board of Directors (the governing body of the SDF).
- Appoint Independent Data Auditor for evaluating compliance by SDF.
- Undertake Data Protection Impact Assessment, Periodic Audit.
Rights of Users:
- Right to information about personal data:
- Confirmation whether DF is processing or processed the data.
- Personal data being processed or processed by DF.
- List of identities of all other DFs with whom and what category of data has been shared.
- Right to Correction and Erasure of Personal Data: DP may request DF for correction or erasure of data except in cases where data cannot be erased due to legal compliance.
- Right of Grievance Redressal: A DP shall have the right to register a grievance with DF. Such grievance shall be replied to by DF within 7 days or less as prescribed. If not satisfied with response or not received response, DP may register a complaint with the Board.
- Right to Nominate: DP shall have the right to nominate an individual who may exercise such rights in case of death or incapacity of DP.
Sharing of Data to Outside India (Section 17):
The Central Government would prescribe and notify countries to whom data may be transferred.
Exemptions:
- Chapter 2 (Notice, Consent, Consent of Guardian, and Obligations of DF/SDF), except that the security safeguards against data breach must still be complied with, Chapter 3 (Rights of Users) and Section 17 shall not apply in the following cases:
- Processing for enforcing any legal right/claim.
- Processing by Court/Tribunal/Any other such body for Judicial or Quasi Judicial Function.
- Processing for prevention/detection/investigation/prosecution of any offence/contravention of any other law.
- Processing of data of a DP outside India by a person in India pursuant to a contract entered into by the DP and Person outside India.
- The Central Government (CG) may exempt any Instrumentality of the State, and the use of data for research, archiving or statistical purposes, if:
- The data is not used to deal specifically with a DP.
- The processing is according to prescribed standards.
- CG may also exempt such DF or Class of them on notification from:
- Section 6 (Notice)
- Sub-section 2 & 6 of Section 9 (Ensuring Data Processed is accurate, Cessation from retaining data after end of purpose)
- Section 10 (Consent of Guardians)
- Section 11 (Obligations of SDF)
- Section 12 (Right to Information)
Establishment of Data Protection Board of India (DPBI):
The DATA PROTECTION BOARD OF INDIA will be by design entirely digital with respect to allocation of work, receipt of complaints, hearings, pronouncement of decisions, etc. It shall function as a DIGITAL OFFICE.
Penalties:
The maximum penalty at one time is INR 500 Crores, even if the penalty caps for multiple offences taken together would exceed INR 500 Crores.
- Failure to have reasonable security safeguards to prevent breach: up to INR 250 Cr.
- Non-fulfillment of Section 10 (Related to Child's Data Processing and Guardian's Consent): up to INR 200 Cr.
- Failure to notify affected users and Board about Data Breach: up to INR 200 Cr.
- Non-fulfillment of Section 11 (Obligations of SDFs): up to INR 150 Cr.
- Penalty for offences other than above: up to INR 50 Cr.
Thoughts:
As I said in the overview above, the Act/Bill is largely based on the General
Data Protection Regulation 2018 of the European Union, so from the point of view
of service providers, data fiduciaries or data processors not much is changing,
except that the privacy policy, notice and terms of service may need to contain
some specifications regarding the Act and the Data Protection Officer specifically.
One thing that does change is the jurisdiction over such complaints or
grievances: all Data Protection and Breach related matters will now come under
one roof, that is the Data Protection Board of India. Rather than no legislation
or regulatory measures, there will now be some under this Act, as Data
Fiduciaries will be answerable to the Data Principals and the Government of
India through direct jurisdiction; the Act in a way fortifies the Right to
Privacy and Information and other Fundamental Rights in matters related to Data
Processing, Breach, Illegal Disclosure, etc.
Do share your thoughts too on any additional provisions required as compared to
other more strict laws of other countries!
End-Notes:
[1] The Digital Personal Data Protection Bill, 2022; Ministry of Electronics & Information Technology, Government of India.
[2] The General Data Protection Regulation; European Union.