The Digital Personal Data Protection (DPDP) Bill, 2022 is the fourth iteration of India's data protection law, coming in after three previous versions from 2018, 2019, and 2021. Over the years, the law has been changed on several aspects, including on data localization within India, the power of government to access personal data, rights of individual data principals, and the understanding of consent, among others. In this members-only video call, we discussed key aspects of the landmark law in India's tech policy, some of which are indicated below.

What we discussed

Powers of the government
- Govt has given itself extensive powers to access personal data, with reduced safeguards vis-a-vis previous versions
- Exemptions created for various state agencies and government "instrumentalities"
- Personal data can be retained for an unlimited time period
- Govt can also exempt certain data fiduciaries from specific provisions of the Bill

Obligations of fiduciaries and rights of principals
- Fiduciaries to follow Act even if principal does not comply
- Fiduciaries to create grievance redressal mechanisms
- Fiduciaries to implement safeguards against data breaches and notify principals of the same
- Principals have the right to withdraw consent for processing their data
- Reduced scope of right to erasure and no separate provision on Right to be Forgotten (for principals)
- Personal data retention allowed, if necessary for a legal purpose

Provision of "deemed consent": What it is and what it could mean for you

Provisions for children's data
- Age of consent at 18 clause may be problematic, ignores development of children
- Age verification to…
