Draft:

There have been extensive discussions around the Digital Personal Data Protection Bill 2022. To guarantee that more people become aware of the proposal’s problems, it is crucial to keep the dialogue going. A Data Protection Bill was to be submitted before Parliament in the second part of the Budget Session in 2023, the Solicitor General further announced on January 31, 2023, in a statement made just before the Supreme Court of India. As a result, this plan may become a law in the next few months. To guarantee that our community can have a meaningful conversation about the plan, the brief contains new research that was conducted.

Non-personal data is excluded from the purview of the DPDPB, which only intends to control personal data. The Digital Personal Data Protection Bill 2022 introduced the pronouns “she” and “her” to refer to people regardless of gender for the initial time in India.

Among other definitions, the DPDPB includes new terms like Data Principal (the person with whom the personal information relates, which includes the person’s parents or legal guardians if the person is a child) and Data Fiduciary (the person who, alone or jointly with others, defines the intent and implies of the collection and use of personal data).

The DPDPB revision solely addresses automated or digital data; manual data is not covered. The draft bill provisions are also judged to be ambiguous in other areas. For instance, it is possible to misread what is meant by “in the public interest” and to what extent. The centre is given extra authority by the measure.

The issue of cross-border data movement is another, and maybe one of the most significant, improvements made to the bill in this iteration. The Digital Personal Data Protection Bill 2022 permits the unrestricted flow of data across international boundaries. It allows the cross-nation transmission of data that only the central government would notify.

The DPDPB calls for the establishment of the “Data Protection Board,” a regulating agency. According to this Data Protection Bill, the Board’s main duty is to ascertain if this Act’s provisions have been broken and to impose penalties in accordance with their terms. The law further stipulates that subsequent regulations would be made regarding the composition, strength, incidental qualifications, selection method, periods of appointment, and dismissal of the chairman and other members. The Digital Personal Data Protection Bill 2022 further stipulates that the Central Government would designate the Chief Executive of the Board, and that the Chief Executive’s terms and conditions of employment would be as the Government may choose.

Conclusion

To conclude, in contrast to the old Personal Data Protection Bill 2019, which was criticised by companies and start-ups for just being compliance-intensive, the new version of the bill is an effort by the government to create a streamlined, yet understandable law on data protection. Even though the current draught appears to have addressed issues with localization, a consent-heavy structure, and increased compliance obligations, among others, certain provisions, such as those that offer exemptions to the state’s processing of personal data, insufficient explanation in operational details, and fewer safeguards for data principals, are among the main concerns raised by experts.