A Dive Into The Digital Personal Data Protection Bill, 2022

Published date: 08 December 2022
Subject Matter: Privacy, Compliance, Data Protection
Law Firm: LexCounsel Law Offices
Author: Ms Seema Jhingan and Jyoti Vats Mishra

Introduction

After the withdrawal of the earlier Personal Data Protection Bill, 2019 ("PDP Bill"), the Ministry of Electronics and Information Technology has released a new Digital Personal Data Protection Bill, 2022 ("DPDP Bill"), which adopts a more simplified approach to handling 'personal data' in comparison to its predecessor. The DPDP Bill covers several key principles pertaining to lawful usage of personal data, limitation on collection of personal data, data minimisation, data storage and accountability of the person processing personal data.

Key Provisions of the DPDP Bill and our Analysis

This article discusses some of the key aspects of the DPDP Bill and critically analyses areas of concern:

  • Scope and Application: The DPDP Bill applies to 'personal data' (i.e., any data about an individual who is identifiable by or in relation to such data) which is processed digitally, including personal data collected online as well as personal data collected offline which is digitised for processing. However, it does not cover personal data processed manually, unlike the earlier PDP Bill, which had brought manual processing of data by small entities within its purview. The DPDP Bill extends its scope to processing of digital personal data outside the territory of India if such processing is in connection with any profiling of, or activity of offering goods or services to, individuals within the territory of India. While the PDP Bill had categorised personal data into sensitive and critical personal data, the DPDP Bill does not have any such classification, and this may oversimplify the criticality of protection of sensitive personal data.
  • Obligations of Data Fiduciary: A data fiduciary under the DPDP Bill is a person who, alone or together with other persons, determines the purpose and means of processing personal data, and has been subjected to several obligations, including the following:
    1. Every data fiduciary is required to process personal data for lawful purposes only and with the consent of the data principal, i.e., the individual whose personal data is processed. The data fiduciary is required to issue a notice to the data principal regarding the description of each type of personal data sought to be collected and the purposes of processing of such personal data. The notice to be issued to users should be in easy and plain language.
    2. When processing personal data of children, i.e., users under the age of 18, data fiduciaries are required to obtain verifiable consent from the...
