The Union Cabinet has approved the Digital Personal Data Protection Bill (DPDB) 2022 and is likely to introduce it in the upcoming monsoon session of Parliament. The key highlights of the legislation are presented below:

1. The DPDB Bill will cover only digital personal data, i.e., data collected online, or, if collected offline, is digitised later. Data collected manually is outside the purview of this bill.
2. This bill covers three key stakeholders in the data processing cycle:
   • Data fiduciary: Any person who alone or with others determines the purpose and the means of processing
   • Data processor: Any person who processes personal data on behalf of data fiduciary
   • Data principal: Individual to whom the personal data relates, and in context of children, will include their parents and legal guardian.
3. This bill does not include the special categories of sensitive personal data, or critical data because of which there are no specific requirements that would apply to the processing of sensitive data sets like health, financial biometrics, genetic data, etc.
4. This bill includes the concept of ‘deemed consent’, a broad concept that includes other grounds considered as reasonable grounds for processing personal data.
5. If a person has shared the data voluntarily it means that the person has given the consent for processing their personal data or if the processing is necessary for compliance with any law, or for ensuring public safety and public interest.
6. This bill allows cross border data flow to countries and territories notified by the central government. The government will have the power to specify the countries to which companies can transfer personal data.
7. The DPDP Bill recognises the right to post-mortem privacy. According to this, the data principal is allowed to nominate another individual to exercise his/her rights in case of death or incapacity.
8. This bill provides for the establishment of an independent board, namely the Data Protection Board of India, to function as an adjudicating body to enforce the provisions of the bill and to impose penalty in case of non-compliance.
9. Companies of significant size based on factors such as the volume of data they process, should appoint an independent data auditor to evaluate compliance with provisions of the law.
10. The Data Protection Board can levy financial penalties for non-compliance. Failure of entities to take reasonable security safeguards to prevent data breaches could result in fines of up to Rs. 2.5 billion.
11. Companies will be required to stop retaining user data if it no longer serves the business purpose for which it was collected. Users shall have the right to correction and erasure of their personal data.