The Digital Personal Data Protection Bill, 2022, is India’s fourth attempt at formulating a framework for the “processing of digital personal data”. Several considerations were analysed before being given a place in the Digital Personal Data Protection Bill [DPDPB], 2022, with the aim of developing a comprehensive set of policies and regulations to advance India’s privacy laws and regime. The Bill is intended to facilitate the prudent and lawful processing of personal data, balancing the rights of individuals against the need to process personal data for the lawful needs of the state, alongside incidental activities, if any. This blog delves into the DPDP Bill, 2022, and elucidates the implications arising from it. The genesis of the DPDPB has a chequered history: it follows an unpleasant Personal Data Protection Bill, 2019, which warranted over 80 amendments and recommendations as prescribed by the Joint Parliamentary Committee; the 2019 Bill was repealed, giving way to the newer and much more comprehensive DPDPB, 2022.
Key Differences between the 2019 and 2022 Bill
The Digital Personal Data Protection Bill, 2019 and the Digital Personal Data Protection Bill, 2022 are both aimed at protecting the privacy of individuals by regulating the collection, storage, and usage of personal data by organizations. However, there are some key differences between the two bills:
Changes in definitions and scope: The definitions of personal data and sensitive personal data, as well as the scope of the bill, have been updated in the 2022 bill.
Data protection authority: The 2022 bill establishes a Data Protection Authority, which is responsible for enforcing privacy laws and imposing penalties for non-compliance. The 2019 bill did not have such an authority.
Data localization: The 2022 bill requires certain categories of sensitive personal data to be stored within India, whereas the 2019 bill did not have such a requirement.
Increased penalties: The 2022 bill increases the penalties for violating privacy laws, compared to the penalties outlined in the 2019 bill.
Data protection officers: The 2022 bill requires organizations to appoint a data protection officer, whereas the 2019 bill did not have such a requirement.
With the differences introduced in the DPDPB, it is right to say that a major step towards a secure and streamlined privacy regime for India has been planned. The information limitation requirements included in the Personal Data Protection Bill of 2019 raise serious concerns regarding the security of information created in India but handled or possibly stored in another nation, as well as concerning public safety and influence. Although the legitimate goal of protecting personal data was preserved, the 2022 Bill softened these standards while permitting cross-border data flow.
Implications arising from the DPDP Bill, 2022
Keeping in mind the streamlined purpose of the Bill, it is worth understanding the implications arising from it. Not only does this Bill mark a maverick shift from the GDPR in many aspects, it also lays out a range of novel and better-suited guidelines. A few of them are:
Increased individual rights: The Bill grants Indian citizens increased control over their personal data, including the right to access, rectify, and erase their data. This was strengthened by introducing the concepts of ‘consent’ and ‘deemed-consent’.
Higher standards for data protection: Organizations must implement appropriate technical and organizational measures to secure personal data and demonstrate compliance with the Bill.
Fines for non-compliance: Organizations can face substantial fines for failing to comply with the Bill. In order to boost the compliance framework for the privacy regime, the constitution of a Data Protection Board of India has been discussed.
Global reach: This Bill applies to all organizations processing the personal data of Indian citizens, regardless of where the organization is based. By means of the Bill, cross-border usage and processing of data shall be enabled, while access to the data is mandated to be made available on demand.
New obligations for data processors: The Bill imposes direct obligations on data processors, in addition to data controllers, with regard to the processing of personal data.