The Ministry of Electronics and Information Technology (“𝐌𝐞𝐢𝐭𝐘”) published the draft Digital Personal Data Protection Bill, 2022 (“𝟐𝟎𝟐𝟐 𝐁𝐢𝐥𝐥”) on November 18, 2022 for public consultation. The 2022 Bill is open for comments from the public until December 17, 2022.
The previous iterations of the data protection bill have been shortened and revised to bring in some key changes to the data protection regime. Some of the key highlights of the 2022 Bill are as follows:
Applicability: The 2022 Bill has excluded non-personal data from its ambit and it focuses solely on digitised personal data. This excludes the applicability of the proposed draft on non-personal data and data that is not in a digitized format.
Establishment of Data Protection Board of India: As per the 2022 Bill, an independent Data Protection Board (“𝐃𝐏𝐁”) shall be established by the Central Government wherein the DPB will enforce the provisions of the bill and impose penalties for non-compliance. The 2022 Bill, contrary to its previous iterations, does not specify the composition and other details of the board, which shall under the 2022 bill, be prescribed by the central government through rules.
Further, he DPB can impose penalties of up to INR 500 Crores on data processors and data fiduciaries for a significant breach of their obligations like preventing data breaches.
Deemed consent: The concept of ‘deemed consent” has been introduced which considers certain circumstances where the data principal is assumed to have given consent in the absence of explicit consent.
Cross-border data transfer: The 2022 Bill does not contain data localization requirements but imposes restrictive conditions on cross border data transfers wherein inter alia the Central Govt. can notify the territories where personal data can be transferred.
Significant data fiduciaries: The Central Government will have the power to notify significant data fiduciaries (“𝐒𝐃𝐅”) based on volume and sensitivity of data processed by it, risk of harm to data principals, potential national impact and impact on public order.
The MeitY seems to have carefully considered the concerns of stakeholders surrounding the previous drafts, like inclusion of non-personal data, data localization, significant compliance obligations, etc. The obligations imposed on data processors and fiduciaries have been simplified which enables easier compliances which may be beneficial for mid-sized and small businesses. However, the draft 2022 Bill gives Central Government the power to formulate rules and guidelines which brings an air of uncertainty around such open-ended provisions. While the final draft may have some changes, the current Draft Bill seems to be an assortment of hits and misses and we are expecting to for the final turnaround once the public consultation process is completed.