data protection

This article has been written by Shankar Narayanan, pursuing a Diploma in Law Firm Practice: Research, Drafting, Briefing, and Client Management, and has been edited by Shashwat Kaushik.

This article has been published by Sneha Mahawar.​​


Before we get into this bill, let’s get some basic knowledge about what data protection and data privacy are. Even though our right to privacy is not explicitly mentioned in the Constitution of India, it is still recognised under Article 21. The same goes for data privacy. Data privacy is how much a person can control their data from third-party intervention. Meanwhile, data protection is focused on protecting the personal data of a person from unauthorised access. 

Download Now

Let’s understand this better with an illustration. It’s 2023, and most of us have Instagram on our mobiles. You may have noticed that the app will try to get access to your phone number, location, contacts, E-mail ID, etc. But it is totally up to our discretion whether to allow or deny access. This right to control our data at our will is known as data privacy. Even if we decide to give access to our data, Instagram has the responsibility to secure and protect it at all costs. This is known as data protection.

The 2022 Bill mainly focuses on processing the digital data of an individual in a manner that recognises both the right of individuals to protect their data and the need to process personal data for lawful purposes.

New terms and definitions under the Digital Personal Data Protection Bill, 2022

The current bill has introduced certain new terms, replacing the ones in the previous bill. Like-

Data principal: It refers to an individual to whom the personal data relates.

Data fiduciary: It refers to a person or group of persons who determines the purpose and means of processing an individual’s personal data.

Profiling: It refers to a method of processing the data by which the data fiduciary can predict the behaviour and interests of the data principal.

Have you ever noticed that after you search for a product on Amazon, you get the same “product-related ads” popping up on Google whenever you enter a blog or any other site? Now that’s what’s called profiling.

And in the above-given illustration, you are the data principal, and Amazon and Google are data fiduciaries. 

What is meant by consent 

Consent plays a significant role in data privacy since it is our personal data that we share. The current Bill focuses more on the data principal’s consent, which is one of the good things about this Bill.

The Bill clearly states that the data principal has to, by clear affirmative action, signify to process his data for a specific purpose. For an individual under the age of 18, their consent will be provided by their legal guardian. Additionally, the data principal has the freedom to withdraw his consent at any time, but the consequences of that will be borne by the data principal himself. The Bill further says that the data fiduciary should stop processing the personal data of the data principal once he/she withdraws his/her consent.

Let’s say you have subscribed to a daily news service through email. As part of the subscription, you have given your email and phone number to the service provider. If you later withdraw your consent to process your data, then the service provider must stop processing your data immediately. However, the services will also be terminated.

What is meant by deemed consent

The new Data Protection Bill introduces the concept of deemed consent. It means that there are certain circumstances under which the data principal is deemed to have given consent to the processing of their data. In simple terms, deemed consent means presumed to have consented.

If you order a pizza online, then you will have given your phone number and address so that the company can deliver the pizza to your doorstep. In this case, the pizza company did not explicitly request your consent to let them know your number and address. This is because it is presumed that you gave your consent the moment you provided the information.

Other circumstances under which the data principal is deemed to have given consent to the processing of his data include:

●  For the performance of any function under the law and the benefit of the data principal;

●  For compliance with any judgement or order; or

●  In case of a medical emergency involving a threat to life, etc.

Obligations of data fiduciary

As mentioned previously, a data fiduciary must protect the data acquired from the data principal, but the obligations do not stop there.

Some of the other obligations of the data fiduciary are given below:

  • To make reasonable efforts to ensure that the data they have collected is accurate and precise;
  • To inform the Data Protection Board of India in case of a data breach;
  • To take appropriate measure both technical and organisational;
  • To remove or erase the data principal’s data once the purpose for which the data was collected has been fulfilled. This is known as storage limitation. The concept of storage limitation will not apply in the case of processing by government entities. For example, let’s say you have decided to delete your Facebook account. In this case, Facebook should stop retaining your data after you delete the account; 
  • It is the data fiduciaries duty to comply with the law;
  • It is the data fiduciaries duty to share, transfer, or transmit a personal data to a data fiduciary after taking consent of the data principal
  • If anyone’s data is breached he must inform the board and the principal whose data has been breached;
  • The data fiduciary must take reasonable steps to ensure that a data is kept safely and is not shared with any other data fiduciary or anyone else; and
  • To obtain parental consent before processing the data of a child

Rights of a data principal 

  • Right to information about personal data

There are certain things that can be obtained by the data principal from the data fiduciary upon request. Such as,

  1. A summary of processing activities undertaken by the data fiduciary with the data principal’s data; and
  2. To provide the identities of all the data fiduciaries with whom the data has been shared.
  3. To get the identities of all the data fiduciaries who are handling the data.
  • Right to correction and erasure of personal data

Upon the request of the data principal, the date fiduciary must:

  1. Correct any inaccurate data of the data principal;
  2. Update any new data of the data principal;
  3. Complete a data principal’s incomplete data; and
  4. Erase the personal data of the principal.
  • Right to grievance redressal

In the case of any grievance, the data principal can register the grievance with the data fiduciary. And if the data principal is not satisfied with the data fiduciary’s response, he can approach the data protection board and file a complaint.

  • Right to nominate

The data principal has the right to appoint any individual to exercise the rights of the data principal in case of his death or incapacity.

  • Registering complaint with the Board

If the data principal is not satisfied with the response of the data fiduciary or the response has not been received within the stipulated time period, he/she may register a complaint with the board against him.

Duties of a data principal

Not only the data fiduciary but also the data principal have certain duties to abide by under the new Bill. A data principal has to provide only authentic information and should not try to impersonate another person by providing false data. Non-compliance with these duties will be a punishable offence.

Functions of the Data Protection Board of India

The Central Government will establish a Data Protection Board of India to make sure that people are complying with the Act and to take strict action or impose penalties for non-compliance.

Some of the key functions of the board are given below:

●  Directing the data fiduciary to take necessary steps in case of a data breach;

●  Looking into non-compliance with the Act and imposing penalties; and

●  To conduct proceedings with respect to the complaint filed. 

Every person must comply with the board’s orders, which are enforceable as if they were decrees issued by a civil court.There is no appellate authority, and any appeal against the Board’s order will only lie with the High Court.

Penalties under the Digital Personal Data Protection Bill, 2022

Here’s a tabular representation of the penalties under the new Bill:

S. NoSubject MatterPenalty
1.In case of failure of protection of personal data by the data processor or data fiduciary; under Section 9(4) of the Bill Penalty up to Rs. 250 crore.
2.In case of failure to notify the Board and the affected data principal or principals in case of a personal data breach; under Section 9(5) of the Bill.Penalty up to Rs. 200 crore.
3.In case of non-fulfilment of additional obligations in relation to children; under Section 10 of the ActPenalty up to Rs. 200 crore.
4.In case of non-fulfilment of additional obligations of Significant Data Fiduciary; under Section 11 of the Act.Penalty up to Rs. 150 crore.
5.In case of non compliance with Section 16 of this Act.Penalty up to Rs. 10 thousand.
6.In case of non-compliance with the provisions of the Act other than those listed under (1) and (5) and any rule made thereunder.Penalty up to Rs. 50 crore.

Exemptions provided under the Digital Personal Data Protection Bill, 2022

The new Bill states that there are certain circumstances in which the rights of the data principal and obligations of the data fiduciary will not apply. These circumstances include;

●  Enforcing any legal right or claim;

●  For the performance of any judicial or quasi-judicial function; or

●  For the purpose of investigation or prosecution.

The Central Government also exempts certain activities from the application of the provision, such as in cases when;

●  Processing of data for statistical and research purposes; or

●  Processing our data by the government entities for the interest of sovereignty and integrity of India and to maintain public order.

Key issues and concerns raised

It is true that the bill primarily focuses on the protection of one’s data and imposes huge penalties for non-compliance with the Act. But there are lots of exemptions and vagueness when it comes to data privacy. For instance, Section 18 talks about exemptions under which the rights of the data principal will not apply. The Section gives power to government entities to process one’s data without the consent of the data principal or approval of any judiciary body for the purpose of the security and integrity of the state. Even though it is for a reasonable cause, the Section fails to state what happens to our data after the purpose has been fulfilled. What is the threshold limit for processing one’s data? Whether the government entity retains our data after the purpose has been fulfilled? If the government still retains our data after the purpose has been met, then it violates our right to privacy.

Another issue is the ban on profiling (tracking of one’s behaviour and interests) when it comes to children. Although it is a good initiative, it seems like a blanket ban. This is because it is not possible to recommend specific ads, suggestions, or videos without tracking one’s interests and behaviour. For example, let’s take YouTube Kids or Netflix Kids, which are dedicated to children. These platforms still use tracking mechanisms to recommend media to children.  

The new Bill indirectly gives huge power to the centre. For instance, the composition of the board is not mentioned in a detailed manner, meaning (i) the qualification of members, (ii) the process of selection, (iii) the terms and conditions of appointment and service, and (iv) the removal of members have not been specified. This ultimately means that the Central Government can appoint whomever they want, which makes the board less independent.

And lastly, the Bill has not mentioned anything about our “right to be forgotten” or the “right to data portability.” Even in the recent case, Dr.Krishna Menon vs. High Court Of Kerala (2022), Kerala High Court held that, based on the facts and circumstances of the case and the duration involved in relation to the crime, the right to be forgotten can be invoked. However, the new Bill failed to talk about this.

The Personal Data Protection Bill of 2019 vs The Digital Personal Data Protection Bill, 2022

The 2019 Bill contains 90 sections, while the 2022 Bill has only 30 sections. Also, the new Bill only applies to digital data and not manual data. The current Bill imposes penalties not only on data fiduciaries but also on data principals. If a data principal does comply with his duties as mentioned in the Act, then a penalty of Rs. 10,000 will be imposed.

Another major difference is the cross-border data flow. The current Bill is too vague and has made it easy to transfer personal data outside India. While the 2019 Bill asked for explicit consent from the data fiduciary and further requested an adequate level of protection for such data.


It’s 2023, and everyone is transferring their personal data digitally/online on a daily basis. Like booking a hotel, downloading social media apps, subscribing to an OTT platform, etc. Therefore, the concepts of data protection and privacy become crucial without question.  Overall, the 2022 Bill tries its best when it comes to data protection, but at the same time, the clauses in the Act are too vague when it comes to data privacy. The Bill is not perfect, but it still contains many crucial provisions that are needed for data privacy and protection.


Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.

LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.


Please enter your comment!
Please enter your name here