· Data Principal: the individual to whom the personal data relates and where such individuals is a child includes the parents or lawful guardian of such a child.

· Data Processor: any personal who processes personal data on behalf of the Data Fiduciary under a valid contract, for offering of goods and services to the Data Principal. Under the 2022 Bill, Data Processors has a right to further engage another Data Processor for processing of personal data, however the Act remains silent regarding disclosure of personal data to such third Data Processors.

· Personal Data: any digital data about an individual who is identifiable by or in relation to such data.

· Personal Data Breach: an unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.

· Processing: The Act extends the scope to ‘wholly or partly’ automated processing, which means that the non-automated processing is excluded from the scope of processing of personal data.  

The Data Fiduciary is required to process personal data for lawful purposes for which the Data Principal has given its consent. The consent can be sought from the Data Principal in the form of a physical or electronic notice in clear and plain language containing an itemised list describing the nature of the personal data collected and the purpose of processing such Data.

· Privacy Notice

a. The Data Fiduciary shall not process personal data of Data Principal without her consent. At the time or before processing of personal data, the Data Fiduciary must send a privacy notice in clear and plain language containing the following details: (i) nature of personal data; (ii) purpose for which it is being processed; (iii) right to withdraw her consent; (iv) right to grievance redressal; and (v) right to raise a complaint with the Board.

b. If the consent is already provided prior to this Act, then the Data Fiduciaries shall send such a privacy notice to those Data Principals as well.

· General obligations

The Data Fiduciary shall:

a. be responsible to comply with the provisions under the Act while processing of any personal data by it or a data processor.

b. undertake reasonable efforts to ensure the accuracy and completeness of the personal data processed.

c. share personal data of the Data Principal with one or more Data Processors only with the consent of the Data Principal under a valid contract. However, it is responsibility of the Data Fiduciary to protect the personal data processed by it and on behalf of the Data Processor, as opposed to the 2022 Bill, where the responsibility was shared between the Data Fiduciary and Data Processor.

d. implement appropriate technical and organizational measures to ensure effective adherence with the provisions of the Act.

e. undertake reasonable security safeguards for protection of personal data breach.

f. notify the Board in case of any personal data breach and the affected Data Principal.

g. cease to retain personal data once the purpose associated to the collection of personal data is complete, unless required to be retained under applicable laws.

h. publish details of the data protection officer or such other person answerable on behalf of the Data Fiduciary to the grievances and queries.

i. create a grievance redressal mechanism.

· The consent for processing of personal data is provided for a specific purpose.

· The Data Principal has the option to access the consent request in English or any language specified in the Constitution of India.

· The Data Principal has the right to withdraw her consent at any time, however the consequence of such withdrawal shall be borne by such Data Principal.

· The Data Principal can withdraw, give, manage, review her consent through a Consent Manager. A Consent Manager is a Data Fiduciary accountable to the Data Principal and can act on behalf of the Data Principal. All the Consent Managers must be registered with the Board.

· Lastly, is it the obligation of the Data Fiduciary to prove the existence of consent and the request notice in the event of any dispute or questions regarding the processing of personal data.

· Further, it also includes processing of personal data in several instances such as: (i) medical emergency; (ii) compliance with applicable law, court order, judgement; (iii) safety of the Data Principal during disasters or threat to public order; (iv) in course of employment of the Data Principal; (v) voluntary disclosure of personal data by the Data Principal and so on.

· Prior to processing of any personal data belonging to a child or person with disability (such person having a legal guardian), the Data Fiduciary must obtain verifiable parental consent from a parent or lawful guardian of the child (as the case may be).

· The Data Fiduciary is refrained from tracking or behavioural monitoring of children’s data or use such data for targeted advertisements or process such data in such a manner which is likely to cause harm to the child. However, the Central Government has the right to prescribe exemptions to these obligations, if the Central Government is satisfied with the security measures undertaken by the Data Fiduciary.

· Penalty for any non-compliance under this provision may extend to INR 200 crores.

· These Significant Data Fiduciary are subject to additional obligations such as:

a. appointment of a Data Protection Officer (“DPO”). The DPO must be based in India and is responsible to the board of directors or such similar governing body of the Significant Data Fiduciary. Further, the DPO is the point of contact for the grievance redressal mechanism.

b. appointment of an independent auditor to evaluate if the Significant Data Fiduciary is in compliance with the Act.

c. undertake data protection impact assessment and periodic audit.

· Penalty for any non-compliance under this provision may extend to INR 150 crores.

· Right to correction and erasure: Much like the right to be forgotten under the 2019 Bill, the Data Principal can request the Data Fiduciary to correct any incomplete or inaccurate personal data in their records and/or to erase the personal data of the Data Principal as soon as the purpose of processing the said personal data is complete, unless the retention of such personal data is necessary for legal purposes.

· Right to grievance redressal: In case of any grievance, the Data Principal has the right to register such grievance with the Data Fiduciary or the Consent Manager. If the Data Principal does not receive a satisfactory response from the Data Fiduciary within the prescribed number of days, the Data Principal has the right to register a complaint with the Data Protection Board of India, established under Section 18 of the Act (“Board”). However, the Data Principal must approach the Board only after exhausting all the opportunity to redress her grievances by the Data Fiduciary.

· Right to nominate: In the event of death or incapacity of the Data Principal, the Data Principal has the right to appoint a nominee to act on its behalf.

However, the 2022 Bill 2022 entrusted the right to Central Government to evaluate the necessary factors for the transfer of personal data outside the territory of India and notify such countries and territories outside of India where the personal data of the Data Principal may be transferred, allowing a free movement of personal data within notified territories.

a. enforcement of legal rights or claims;

b.  compliance with applicable law, court order, judgement;

c. prevention, detention, prosecution or investigation for contravention of any law;

d. processing data of a data principal who is outside India;

e. implementation of scheme of compromise or merger or amalgamation;

f. debt recovery;

g. in the interests of security, sovereignty and integrity of India, as notified by the Central Government;

h. necessary for research, archiving or statistical purposes, provided if the personal data is not to be used to take any decision specific to a Data Principal.

· In addition to the above, the Central Government has the power to notify certain Data Fiduciary or class of Data Fiduciary who shall be exempted from compliance under certain provisions the Act.

· The Central Government has the power to determine the conditions of appointment of the members of the Board and their composition, qualifications, process of selection and various other matters.

· The Board is empowered to conduct hearing providing reasonable opportunity to be heard, so as to determine non-compliance with provisions of the Act, if any. In the event of any non-compliance or data breach, the Board shall issue directions in writing suggesting corrective measures to remedy such data breach or mitigate the harm caused to the Data Principal.

· In addition to above, the Board has the right to impose penalty on the defaulting party not exceeding INR 500 crores in each instance. While determining the financial penalty to be imposed, the Board shall consider the following matters: (i) nature of the non-compliance; (ii) type of the personal data affected; (iii) repetitive nature of the non-compliance; (iv) any gain or avoidance of loss due to the result of non-compliance; (v) actions undertaken to mitigate the effects and consequences if the non-compliance or the absence thereof; (vi) whether the financial penalty to be imposed is proportionate and effective to the non-compliance; (vii) likely impact of imposing a financial penalty on a person.

· Any order passed by the Board is binding and is treated as par with the orders issued by a Civil Court and the Board has the powers granted to a Civil Court in India.

· The Appellate Tribunal is a Telecom Disputes Settlement and Appellate Tribunal established under the Telecom Regulatory Authority of India.

· All the appeals made to the Appellate Tribunal must be disposed off within the period of 6 (six) months from the date on which it was presented on. In the event the Appellate Tribunal is unable to pass an order within the prescribed period of 6 (six) months then it shall provide a reason in writing regarding such delay.

· Any party aggrieved by orders of Appellate Tribunal shall be dealt with provisions of Section 18 of Telecom Regulatory Authority of India Act, 1997.