

DPDPB: The Flag bearer of domestic data regulation regime 2022


  • Brief Summary: India lacked effective data protection laws. The Personal Data Protection Bill 2019, which had been under development for five years, was withdrawn by the government after it was created. The country’s data protection and privacy problems will be governed by this new Digital Personal Data Protection Statute, which is an updated version of the PDP bill.

    The Personal Data Protection Bill, 2019 was tabled by the government in the Lok Sabha in 2019. The law was withdrawn in August 2022 because its provisions were insufficient to meet international standards for data protection.

    The Digital Personal Data Protection Act, 2022 (DPDPB) was released in November 2022 by the Ministry of Electronics and IT. When the DPDPB becomes an Act, it will be substantially simpler than its predecessor’s versions and will try to revise and eliminate some of the important elements of the Right to Information Act of 2005 and the (Indian) Information Technology Act, 2000 (IT Act).
  • How is the DPDPB significant?
    1. A thorough analysis of comparable legislation in the EU, Singapore, and many other jurisdictions led to the creation of the proposed bill.
    2. The proposed legislation would make the law more predictable and give businesses the chance to adjust their practices to the proposed rules.
    3. The new Bill significantly relaxes restrictions on cross-border data transfers, reversing the controversial provision of the old Bill that data be stored locally inside India’s borders.
    4. It offers a slightly liberal approach on data localization regulations and streamlines data flow to certain foreign locations, which is anticipated to promote commercial agreements between governments.
    5. The new DPDPB recognizes the data principal’s right to postmortem privacy (Withdraw Consent), which was not the case in the old PDP Bill.
  • Applicability and non-applicability:
  • The Bill’s Clause 4 contemplates the application and non-applicability of:
    1. Processing of personal information gathered on Indian soil, whether it is done online or offline and then converted to digital form.
    2. Processing of personal data outside of India, provided that the processing is related to creating Indian consumer profiles or providing Indian consumers with goods and services. “Any kind of processing of personal data that assesses or forecasts elements relating the behavior, qualities, or interests of a Data Principal” is referred to as profiling in this context.

    Not applicable to:
    1. Manual processing of personal data
    2. Individual offline data
    3. Any processing of personal information by an individual for domestic or personal purposes
    4. Intimate information about a person that is present in a document that has been around for at least 100 years.
  • Principles included: The seven guiding principles of the data economy are the foundation of the Digital Personal Data Protection Bill 2022:
    1. Rightful Use: Organizations must use personal data in a way that is lawful, fair and transparent to the individuals involved.
    2. Resolute Dissemination: Personal information shall only be used for the intended purposes.
    3. Relevant Data Collection: Focusing on Data Minimization requires that only relevant data that is absolutely essential to achieve a goal be gathered.
    4. Data Reliability: The information gathered must be true and original at all times.
    5. Retention Period: Personal data cannot be stored indefinitely by default and should only be kept for a specific amount of time.
    6. Authorized processing and collection: Reasonable measures should be taken to guarantee that no personal data is collected or processed unlawfully.
    7. Accountability of users: The individual who chooses the scope and mode of processing personal data should be responsible for how the information is used.
  • Rights of data principal:
    1. Right to access the information: This right allows the data principals to access sensitive information in the languages which are included in the 8th Schedule of the Indian Constitution.
    2. Right to consent: Before their data is processed, individuals must provide their consent, and every individual should be made aware of what type of personal data a Data Fiduciary wishes to collect and the aim of collecting and processing. Additionally, people have the option to revoke their consent from a data fiduciary.
    3. Right to erase: This right allows the data principals to delete and request to update the data acquired by the data fiduciary.
    4. Right to nominate: In the case of their demise or disability, data principals will also have the option of designating a person to carry out these rights on their behalf.
  • Obligations of a data fiduciary:
    1. Consent:
    The DPDPB stipulates that consent must be freely provided, explicit, informed, and unequivocal, and must express the data principal’s wishes about processing its personal data for the intended purpose. Every time a data fiduciary asks the data principal for their consent, they must do it in plain, understandable language and include the contact for a data protection officer.
    2. Notice:
    A data fiduciary is required to give a data principal a notice in a simple language before or at the same time as requesting the data subject’s consent.
    3. Breach notifications:
    To guarantee adherence to the DPDPB, a data fiduciary must implement the required organizational and technical measures. To prevent any breach of the personal data of the data principal, each data fiduciary and data processor is obligated to adopt appropriate security measures to safeguard any personal data that has been under their control.
    4. Children’s processing requirement:
    The data fiduciary is obligated to get a verified parental consent or consent of a guardian before processing any child’s personal data.
  • Data Protection Board: The DPDPB calls for the creation of an independent board, the Data Protection Board, which will serve as an enforcing authority to carry out the Bill’s provisions and to apply sanctions in situations of non-compliance.

    If there is a breach of personal data, the Board has the authority to order the data fiduciary to take immediate action to fix the problem or lessen any damage to the data principals.

    The central government appoints the board members, including the chairperson, the chief executive, officers, and staff that will be responsible for managing the board’s activities, and they will all be regarded as public servants.

    For everything done or intended to be done in good faith in accordance with the requirements of this Act, the Board, its chairperson, members, employees, or officers shall not be subject to any prosecution or other legal action.
  • Cross-border Data Transfer: The bill permits the storage and transfer of data across international borders to “certain recognized nations and territories,” provided that they have an adequate data security environment and that the government has access to such data from within India.
  • Financial Penalties:
    1. For Data Fiduciary: The law suggests imposing large fines on companies that have data breaches or fail to notify customers when breaches occur. The fines would range from 50 crores to 500 crores of rupees.
    2. For Data Principal: A user who provides fraudulent documentation while registering for an e-commerce service or files baseless grievances may be subject to a penalty of up to Rs 10,000.
  • Exemptions from Applicability: The DPDPB grants the government the authority to exclude any state agency in the interests of India’s sovereignty and integrity, national security, cordial relations with other countries, upholding public order, etc., without providing a justification.
  • Conclusion: For simplicity of comprehension, the definitions have been condensed. The Bill permits the storage and transmission of data across international borders to “certain specified nations and territories,” although it is still unclear to which countries this is allowed. Previous iterations of the bill were criticized for being too compliance heavy, but the new DPDPB 2022 encourages start-up companies, since it gives the government the power to exempt certain companies from the requirements of the bill based on the number of users and the volume of personal data they process. Additionally, the Bill grants the government the authority to provide exceptions on grounds of national security and to preserve public order.


