The Bill regulates the processing of personal data of individuals (data principals) by government and private entities (data fiduciaries) incorporated in India and abroad. Processing is allowed if the individual gives consent, or in a medical emergency, or by the State for providing benefits.
• The data principal has several rights with respect to their data, such as seeking correction or seeking access to their data which is stored with the fiduciary.
• The fiduciary has certain obligations towards the individual while processing their data, such as notifying them of the nature and purposes of data processing.
• The Bill allows exemptions for certain kinds of data processing, such as processing in the interest of national security, for legal proceedings, or for journalistic purposes.
• The Bill requires that a serving copy of personal data be stored within the territory of India. Certain critical personal data must be stored solely within the country.
• A national-level Data Protection Authority (DPA) is set up under the Bill to supervise and regulate data fiduciaries.