The data protection bill was introduced on December 11, 2019. It was referred to a standing committee on December 11,2019. The standing committee sent its recommendations in a report on December 16,2021.

The features of the bill are:

• Applicability : The bill governs the processing of personal data by:

1. Government
2. Companies incorporated in India
3. Foreign companies dealing with personal data of individuals in India

• Obigations of data fiduciary : A data fiduciary is an entity or individual who decides the means and purpose of processing personal data. Such processing will be subject to certain purpose, collection and storage limitations. All data fiduciaries must undertake certain transparency and accountability measures
• Grounds for processing personal data : The Bill allows processing of data by fiduciaries only if consent is provided by the individual. However, in certain circumstances, personal data can be processed without consent :

1. If required by the state for providing benefits to the individual
2. For legal proceedings
3. To respond to a medical emergency

• Social media intermediaries : The bill defines these to include intermediaries which enable online interaction between users and allow for sharing of information. All such intermediaries have users above a notified threshold and whose actions can impact electoral democracy or public order, have certain obligations, which include providing a voluntary user verification mechanism for users in India.
• Transfer of data outside India: Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual. However, such sensitive data should continue to be stored in India
• The bill also amends the Information technology act, 2000 to delete the related provisions to it.

The bill sets up a data protection authority which may

1. Take steps to protect interests of individuals
2. Prevent misuse of personal data
3. Ensure compliance with the bill

• Composition : It will consist of a chairperson and six members with at least 10 years expertise in the field of data protection and information technology.

Orders from the authority can be appealed to an appellate tribunal. Appeals from the tribunal will go to the supreme court

The most contentious feature of the bill was:

• Sharing of non-personal data with the government : The central government may direct data fiduciaries to provide it with any

1. Non-personal data
2. Anonymised personal data (where it is not possible to identify data principal) for better targeting of services.

• Exemptions: The central government can exempt any of its agencies from the provisions of the Act

1. In interest of security of state, public order, sovereignty and integrity of India and friendly relations with foreign states
2. For preventing incitement to commission of any cognizable offense
3. Processing of personal data is also exempted from provisions of the bill for certain other purposes such as:
   -Prevention, investigation or prosecution of any offense
   -Personal, domestic or journalistic purposes

Offenses under the bill include:

• Processing or transferring personal data in the bill, punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher
• Failure to conduct a data audit, punishable with a fine of Rs 5 crore or 2% of the annual turnover of the fiduciary, whichever is higher
• Re-identification and processing of de-identified personal data without consent is punishable with imprisonment upto 3 years or fine or both

Data protection legislation had been in the works since 2018 based on Justice BN Srikrishna Committee recommendations.
Government announced the withdrawal of the personal data protection bill, 2019 in the Lok sabha suggesting that another refreshed bill will be brought soon for the following reasons:

• Joint committee of Parliament on the personal data protection bill had submitted a 542 page report with overall 93 recommendations and 81 amendments to the bill in december, 2021
• Another panel had also recommended about 97 corrections and improvements to the bill

The core recommendations of the committee were:

• Need for a broader data protection : No need for segregation into personal and non personal data
• Social media are not just intermediaries but they should be defined as content publishers.
• They should be liable for content
• Provisions relating to regulation of social media to be included
• Use of only trusted hardware
• Data localization norms for storage
• Too many exemptions to the centre
• Compensation for data compromise
• Provisions for data relating to children and data of the deceased party
• Data protection should be in line with right to privacy judgment

According to IT ministry sources, the government is targeting the winter session 2022 of the Parliament to introduce the new data protection legislation.
The new bill will incorporate the broader ideas of data protection as recommended by the Joint committee of parliament and will be in line with the Supreme court’s landmark judgment in KS Puttaswamy case 2017 which held right to privacy as a fundamental right.