
Analysis of the Indian Digital Personal Data Protection Bill, 2022

  • nchawla16
  • Jan 24, 2023
  • The scope of the Bill has been restricted to personal data which is already in digital form, or personal data collected offline and converted into digital form. [Clause 4(1)]


  • Extra-territorial application of the Bill has been expanded to processing of digital personal data outside India if processing is in connection with the “profiling of” or “activity of” Data Principals in India who are being offered goods or services. [Clause 4(2)]


  • An obligation has been introduced on the Data Fiduciary to serve a notice to the Data Principal from whom the data is sought to be collected. The description and purpose of processing of such personal data should be clearly mentioned in such notice. [Clause 6]


  • The Data Fiduciary is bound to provide an option for the Data Principal to access information in relation to notice in languages specified in the Eighth Schedule to the Constitution of India. [Clause 6(3)]


  • The Bill has introduced a provision for a Data Principal to give, manage, review, and withdraw its consent to a Data Fiduciary through a ‘Consent Manager’. The said “Consent Manager” shall be registered with the Data Protection Board and is accountable to the Data Principal. [Clause 7(6)]


  • A Data Principal is deemed to have given consent to the processing of her personal data if such processing is necessary in the following situations: where the Data Principal voluntarily provides her personal data; where it is required under law; during any health emergency, disaster, or breakdown of public order; or in the public interest as specified in the Bill. [Clause 8]


  • The Bill also provides for regulating the processing of personal data of children (<18 years of age) by Data Fiduciaries, such as – taking ‘parental consent’ before processing such personal data; not using such data in a manner prejudicial to the children; and not tracking the children for targeted advertisements. [Clause 10]


  • Additional obligations have been carved out for Significant Data Fiduciaries (SDFs), such as – appointing a Data Protection Officer as a single point of contact for any grievances under the provisions of the Act; appointing an Independent Data Auditor who shall ensure compliance under the Act; and undertaking such measures as may be prescribed. [Clause 11]


  • A Data Principal can nominate any other individual to exercise the rights vested in her by the provisions of the Act, in the event of her death or incapacity. [Clause 15]


  • Extra-territorial transfer of personal data: Data-localization is no longer a compulsion as per the provisions of the Act. However, personal data can only be transferred to the notified countries or territories.


  • The Central government has been vested with the power to notify any ‘instrumentality of the State’ to be exempted from the application of any of the provisions of the Act in relation to processing of personal data. [Clause 17]


  • The Central government has also been vested with the power to notify the ‘Data Fiduciaries’ to whom certain requirements i.e., Clause 6, sub-clauses (2) and (6) of clause 9, clauses 10, 11 and 12 under the Act will not apply. [Clause 18(3)]


  • The Bill provides for establishment of a ‘Data Protection Board of India’. The allocation of work, receipt of complaints, formation of groups for hearing, pronouncement of decisions, and other functions of the Board shall be digital by design. [Clause 19(1)]


  • The Central government is also vested with the power to decide the composition and functions of this Board, in addition to the requirements laid down under the provisions of the Act. The Board has been provided with wide powers such as – having all the powers of a Civil Court under CPC; issuing interim orders to prevent non-compliance with the Act; imposing costs on meritless complaints, etc. Further, the jurisdiction of any other Civil Court is barred under the Act. Appeal against the Board may lie to the respective High Court. [Clause 21]


  • Financial Penalty: Provisions for the Board to impose hefty penalties (<500 Crore Rupees) have been incorporated in the Act for significant non-compliance with any of the provisions of the Act by any person, but only after affording such person an opportunity of being heard. The Board has been provided with the discretion to consider certain factors as specified in the Act before imposing any penalty. [Clause 25]


  • The Bill provides for harmonious construction of the provisions of the Act with other laws. However, in the event of any inconsistency, provisions of this Act shall prevail only to the extent of such conflict. [Clause 29]


  • The provision of the Information Technology Act, 2000 providing compensation to the affected person for failure to protect personal data has been omitted by this Act. [Clause 30(1)]


  • Under Section 8(1)(j) of the RTI Act, personal information was allowed to be disclosed in the public interest. It has now been broadened to include all ‘personal information’ by the amendment through this Act. This essentially means that there is no obligation to disclose any of the personal information even if it is necessary to be disclosed in the public interest. [Clause 30(2)(a)]


  • The proviso to Section 8(1)(j) of the RTI Act has been omitted. This essentially means that the information, which cannot be denied to the Parliament or a State Legislature, can now be denied to any person. [Clause 30(2)(b)]

 
 
 



© 2023 by LegalTech India. 
