India's Legislative Framework for Data Protection in the Digital Age: A Comparative Study with EU and US Laws

During the past few decades, technology has grown rapidly around the world, as the internet has become a ubiquitous presence and has broken down geographical boundaries with regards to information flow. As our daily lives become increasingly connected with data, it has become a critical part of our lives. Data plays a vital role in every aspect of our daily lives, from social media to banking to retail. Individuals must have control over their personal data because of this increased interconnectedness, which comes with new and complex privacy challenges. Various sectors in India are being digitized and the digital India program has been launched, making it one of the largest and fastest growing economies in the world. There have been a number of legislations introduced by the Indian government as a reaction to growing concerns about protection of personal data. A major objective of this bill's preamble is to provide a legislative perspective on the protection of individual privacy rights and individual data in an environment which is rapidly growing in digital technology in India. Using data protection law as a case study, this research investigates how efficient it is and how challenging it is to apply. To determine the scope of improvements based on data protection principles, and to assimilate the nature of the different provisions of the law, the dissertation will also compare Indian law with that of the European Union and the United States. Individuals' rights, accountability measures for data processors, and remedies for data breaches include enforcement mechanisms, individual rights, rights for data processors, and cross-border data transfer provisions. We will try to improvise the Indian legal framework in order to gain insight into the grey area where it may have complex issues, as this is a critical issue in this digital age, and countries must take large steps towards resolving it.


INTRODUCTION
Technology and the internet are being used more and more in India, which is undergoing a digital transformation.Therefore, cyber attacks and data breaches have become more common, making cybersecurity and data protection measures necessary.The Indian internet market is expected to grow rapidly due to its 1.3 billion population and second-largest internet market in the world.As the data protection landscape has expanded, concerns about privacy have arisen and more stringent rules and regulations have been enacted to protect it.The world we live in is changing rapidly, and it has changed dramatically over the past few decades.Modern industrialized societies are dependent on data storage and information storage due to globalization and international trade.Using low-tech methods for storing data, both public and private organizations routinely collect data, which is no longer just a power or a source of information.Due to the internet's never-ending nature, people have always been concerned about their privacy.As a result of the new digital environment, we no longer have the right to privacy that we used to take for granted.The Internet has made it easy for the average person to carry out their routine online activities safely, but security breaches have resulted from unanswered questions about privacy and data security.Individuals and organizations are hesitant to disclose their data and information to third parties.Governments designed to regulate how businesses collect, store, and process client information in light of the increased concern about digital privacy in various sectors are passing new laws.It will be very beneficial for all players in this arena if they invest more resources into cybersecurity programs capable of protecting them against both known as well as new attacks.In the development and implementation of data protection laws and regulations, it is becoming increasingly important to strike the right balance between privacy and innovation.Data breaches are a constant topic of discussion in India.Global Risk Report 2019 published by the WEF World Economic Forum shows that India is the country with the largest data breach.In a report published by the Internet and Mobile Association of India (IAMAI) (IAMAI, 2020), the country's cybersecurity workforce will need 1 million more qualified personnel by 2025 in order to meet the growing demand for digital services and secure data protection.Data protection is also increasingly important because of cyberattacks and breaches nationwide.Because of cyber-attacks in India in 2019, there were over 4 lakh incidents (CERT-In, 2019), a 37% rise from the previous year.Over 1.1 billion Indians' personal information was exposed in the Aadhaar data breach in the same year as the biggest data breach in history (Jain, 2018) due to a security hole in the country's biometric identity system.The outdated Information Technology (IT) Act 2000 governs data protection laws in India, which is too insufficient to cope with the complexities of the modern digital environment.Academics and industry players have criticized the provisions of the IT Act, 2000 as insufficient, even though the Act was updated in 2008 to add provisions for data protection and cybersecurity.As part of the Indian government's effort to ensure complete data protection for Indian residents, the Personal Data Protection Bill 2019 has not been implemented and the new proposed Digital Personal Data Protection Bill, 2022 has not been passed into law.Businesses and governmental organizations will have to adhere to the Digital Personal Data Protection Bill 2022, which regulates the way personal data is acquired, stored, processed, and used.According to the Bill, personal data includes information that identifies an individual.Furthermore, it lays out several guidelines on data protection like purpose restriction, minimization of data, and accountability.In order to enforce the Bill's provisions, an independent regulatory organization called the Data Protection Authority (DPA) must be established.There has been a large amount of effort being made in India to reinforce its data security organization.The Digital Personal Data Protection Act, 2022, has the authority to investigate and punish businesses and government organizations.To support data security and privacy in India, the government launched the in 2015.Applied to society and the economy, the Digital India program was launched by the Ministry of Electronics and Information Technology (MeitY) in 2017.There are several data privacy and security measures covered in the program, such as creating safe digital infrastructure, promoting cybersecurity awareness, and facilitating cybersecurity research and development.Furthermore, a number of bodies have been set up by the government of India to oversee data protection.In terms of data privacy and security, the most renowned organizations are the Data Security Council of India (DSCI) and the Indian Data Protection Authority (IDPA).Data protection policies and legislation are developed by the DSCI in collaboration with the government and other stakeholders, and business data protection advice and certification are provided.There is no comprehensive data protection law in India; the Digital Personal Data Protection Bill 2022 is the fifth instance of the country's attempt to enact a data protection law.

LITERATURE REVIEW
Currently, India, Europe, and the United States have different legal protection frameworks for data protection.

A digital data protection bill for 2022:
It is the ministry responsible for electronic and technological development (MeitY).I In 2022, a bill will be introduced that will protect personal digital data.By highlighting key features and issues in the Digital Data Protection Bill, as well as comparing it with its predecessor, this draft provides a roadmap for the future lawn 2022.A research paper of this type will be of interest to researchers seeking to understand the previous bill and how it might affect data protection under the new bill.

Defining and protecting privacy and data in India
The article discussed how public servants in the name of "Procedure Established by Law "or" Public Duty are threatening privacy.Privacy is important for a peaceful life with dignity and liberty and is essential for human rights.With the increase in digitalization and use of social media and the internet, data protection and privacy become a national issue and obligation.Data protection and privacy are interlinked and crucial in the legal world.

Privacy and Data Protection in India: A Critical Assessment
The paper discussed the conflict between the right to privacy and data protection in India and argues that the current Information Technology (Amendment) Act, 2008 is not sufficient in protecting data.The author suggested the need for separate legislation to protect data and privacy, and aims to initiate a debate on this topic.Which Is used for the reseach to analyse the IT provision and amendment act 2008.

A Comparative Study of Data Protection Laws: Current Global Trends, Challenges and Need of Reforms in India
The article discusses the current global trends, challenges, and the need for reforms in data protection laws in India.It highlights the importance of data security and protection in the increasing digitization of society.The article also raises questions about the ownership, access, and duration of data stored in the virtual world.It further emphasizes the need for an appropriate law to address the worries over digital security, information assurance, and data protection in India.The article also compares the General Data Protection Regulation (GDPR) in the EU and the Personal Data Protection Bill in India.

Navigating Data Protection in India: Key Laws and Regulations for Protecting Personal Information
The article discussed the protection of data and privacy in India.It highlights that the right to privacy is rooted in the doctrine of an individual's right to privacy, which is enshrined in the constitutions of many developed nations.The concerns for privacy and data protection gained prominence during the 1970s with the rise of computerized systems capable of storing and disseminating large amounts of information.While the Indian Constitution does not explicitly guarantee a right to privacy, the courts have interpreted other constitutional rights, such as the right to life and liberty, as encompassing a limited right to privacy.India, as a party to various international instruments, acknowledges privacy protections outlined in the Universal Declaration on Human Rights and the International Convention on Civil and Political Rights.A Soft Tone with a Tiger Claw a Critical Commentary on the Digital Personal Data Protection Bill, 2022.The commentary on the Digital Personal Data Protection Bill, 2022, provides valuable insights into the evolution of the bill from the lengthy Personal Data Protection Bill 2019 to the more concise DPDPB 2022.The commentary examines various important aspects of the bill, including the rights and duties of digital citizens, the rights to privacy of children, and the redressal mechanism for data fiduciaries.Moreover, the commentary thoughtfully analyses ambiguous clauses related to deemed consent, which has been a topic of debate.For the purpose of this research, the commentary will be utilized to thoroughly grab the understanding of the complex concept and to discuss the mentioned concept with comparison.

Twelve Major Concerns with India's Data Protection Bill, 2022. Media
This article discusses the 12 major concerns with the digital data protection bill 2022, which are relevant to researchers who seek to analyze these concerns in a broad manner and assess their relevance to the provisions of the bill.

India's Digital Personal Data Protection Bill, 2022: How Practical is Consent?
The article provides a brief discussion of the concept of consent in relation to the Digital Personal Data Protection Bill, highlighting the key issues related to consent in the bill and emphasizing the relevance of understanding the concept of consent in different countries legislation for research purposes.

Comments on the Draft Digital Personal Data Protection Bill, 2022 Submissions to the Ministry of Electronics and Information Technology.
This report provided recommendations made by the VDIHI Centre that cover several provisions and important definitions of the Digital Personal Data Protection Bill.The report thoroughly analyses the bill and important concepts such as the definition of data principles, deemed consent, and the application of the act.For research purposes, this report is important to understand the current nature of the provisions and the recommendations provided by the VDIHI Centre.Shailesh Gandhi, ten instances show how the digital data protection bill will undermine the RTI Act.Scroll.In ( 2023).This article discussed the two important provisions of the bill and effecting the Right to information act, section 8(1) j to exempt the disclosure of personal information.For the purpose of this research, the article will be utilized to provide more comprehensive information on the Digital personal data protection bill,2022, and Section 8 (1) (j) of the Right to information act 2005.

S. Mehrotra, The Digital Personal Data Protection Bill, SSC online (2022).
This article provides a comparison between the relevant provisions of the Digital Personal Data Protection Bill and the European Union's General Data Protection Regulation.The research will further provide an analysis and comparison of the important provisions of the bill in a broader manner.This is important for understanding the similarities and differences between the two pieces of legislation and their potential impact on data protection.

METHOD
The research methodology incorporates the different strategies and procedures for directing an examination.Research is a specialty of logical examination.In other word research is a logical and orderly look for relevant data on a particular point.The rationale behind mulling over research system is that one can know about the technique and method received for accomplishment of the goal of the project."For the purpose of this research, the author utilized the Doctrinal Research framework method.This framework involves a critical analysis of legal documents and literature, including statutes, case law, and scholarly articles.The author draws on both primary and secondary sources.Primary sources include relevant Indian, European Union, United States, and Canadian regulations, such as the Information Technology Act, of 2000, the Personal Data Protection Bill, of 2019, the General data protection Regulation of 2016, etc as well as case law and judicial decisions.Secondary sources include scholarly articles, books, and reports from relevant organizations and experts in the field of data protection.A Comparative Study method is also employed for analysis of the different topics in the research and to make a comparison between India, European Union and United States, laws.This method involves a comparison of the laws and regulations of India with the European Union, and United States, in terms of data protection, privacy, and enforcement.This allows for a comprehensive analysis of the strengths and weaknesses of India's legal framework and the potential implications of the data protection law, in comparison to other jurisdiction.

Grounds for the Process of Data
• Processing of data on obtaining consent from the data subject.• Processing of data for the performance of a contract • Processing of data for Bill Processing of data for the lawful purpose and which is not forbidden by law legitimate interests and vital interests of the data subject or any natural person.
• Processing of data for compliance with a legal obligation.
• Processing of data for life interest.

Analysis Drawn from Comparison
An extensive picture of countries' data protection laws was offered by the comparison of the two laws.Digital personal data protection is India's proposed legislation for the protection of information privacy in the digital world, and the General Data Protection Regulations, of EU which was adopted and put into force in 2016.The comparison clarifies the following details: however, it also mentioned the Deemed consent for the processing of personal Data.

Exemptions
The GDPR provides the following exemption- • The GDPR contains the protection for sensitive personal data with the convenience of mentioning the definition, whereas the DPDPB, 2022 bill is more of a personal data protection legislation and does not include the protection for sensitive personal data.• The DPDPB, 2022 lacks a clause relating to that data localization, whereas the GDPR made compliance with data localization a requirement for the companies.• The GDPR and the DPDPB, 2022 both recognise consent of individuals as one of the legal bases for processing personal data, the latter has introduced the novel concept of 'consent managers.• The GDPR and the Bill offer new legal bases for handling personal data.A distinguishing feature of the GDPR and the Bill in this regard is that the Bill recognises that a data principal is 'deemed' to have given consent for processing when the data principal voluntarily provides personal data to the data fiduciary and it is reasonably expected that the data principal would provide such personal data.
To clarify this provision, the Bill provides an example in which a person who shares their name and mobile number with a restaurant for the purpose of reserving a table is deemed to have given consent to the restaurant (i.e. the data fiduciary) collecting their name and mobile number for the purpose of confirming the reservation.• The DPDP, 2022 specifies 18 years as the minimum age for children, whereas the GDPR divides the age into two categories, the first of which is 13 years and the second of which is 16 years.The DPDPB, 2022 does not provide a separate set of guidelines for the processing of children's data, whereas the GDPR does.• The GDPR includes the separate supervisory authority for conducting joint operations with members or staff of the supervisory authorities of other Member States, including joint investigations and joint enforcement measures.The DPDPB, 2022 established the Data Protection Authority as the enforcement agency.However, the GDPR includes three different enforcement agencies as well as the supervisory authority.

Definition of Personal Data
The CCPA defines "Personal Information as the " information that identifies directly or indirectly a particular consumer or household.

CONSENT
CCPA mandates that consent compulsory for the process of data by the business.
DPDPB, 2022 Requires free, specific, and unambiguous prior consent for the process of data-by-data Fiduciary These provisions give consumers greater control over their personal data and allow them to make informed decisions regarding their privacy, however, it also mentioned the Deemed consent for the processing of personal Data.

Exemptions
The Analysis drawn from the comparison ➢ An extensive picture of countries' data protection laws was offered by the comparison of the two laws.Digital personal data protection is India's proposed legislation for the protection of information privacy in the digital world, and the California Consumer Privacy Act 2018.The comparison clarifies the following details ➢ Both the CCPA and DPDP Bill are aiming to protect the data privacy of their respective citizens.The two laws require companies to be transparent with their data practices and give individuals control over their personal data.Additionally, both laws have provisions for individuals to request that their data deleted or not shared with third parties.➢ The CCPA and DPDP Bill also impose heavy fines on companies that fail to comply with their regulations, showing the seriousness, of these issues being taken by lawmakers.However, the DPDP imposes a high penalty as compared to CCPA ➢ The DPDP regulates the cross-border flow of data, however, such provision is not shown under the CCPA, it only regulates the data within the US and covers particular business entities.➢ Both CCPA and DPDP include the provision related to children's data collected by the business entities, however, the criteria of the different under the law, where CCPA recognised 13-16 years as children age the DPDP recognised below18 years as the Children age ➢ In terms of rights granted to individuals the CCPA has the much wider scope the DPDP bill grants the limited number of rights to the data principles as mention earlier in the comparison.➢ The CCPA and DPDP bill both made consent mandatory for the process and collection of data even in case of children's data the consent from the lawful guardian or parents are required, however, the CCPA also recognized the special rights under special circumstance under which the business enties can process the children's data without the permission.➢ CCPA establishes a Consumer Privacy Fund (CPF) in the State Treasury's General Fund.The fund covers the AG's office's and state courts' CCPA-enforcement costs.The CPF will get 20% of any AG civil penalties.

CONCLUSIONS
The rapid advancement of technology has made data protection a crucial aspect of privacy in India.As more people use the internet and digital devices, they create lots of data that can be personal or sensitive.Data protection is a very important issue in India right now.Chapter 2 establishes the origin and In India, there is no comprehensive law for data protection, A framework for data management that safeguards people's privacy is intended to be established by the Personal Data Protection Bill, 2018, and its updated version, the Personal Data Protection Bill, 2019.The bill defines important words such as consent, data, data fiduciary, data principal, data processor, personal data, sensitive personal data, and transgender status in addition to including rules for consent, data fiduciary relationships, and enforcement.The bill outlines requirements for data protection, including restrictions on data collection, legal processing, storage limits, and data fiduciary accountability.It establishes distinct legal bases for processing both sensitive and personal data, including that of children, and acknowledges data subjects' rights to things like access, rectification, and erasure.Certain instances of data processing are exempt from the bill.Additionally, it creates a Data Protection Authority to supervise the actions of data fiduciaries, control the transfer of data across international borders, and issue fines and compensation.However, both the proposed bill failed to convert into the act.The Digital Personal Data Protection Bill, of 2022 is a law that would control of personal information in India.The bill requires compliance with its requirements, by all organizations managing personal data belonging to Indian people.All organisations that handle personal data, including governmental bodies, for-profit companies, and non-profit groups, are covered by the measure.The lack of data localization guidelines in the law is probably a result of the trend toward data localization.The measure puts precise obligations on data management and stiff fines on businesses that don't appropriately protect customer data.The proposed legislation is consistent with international standards for data privacy and protection, such as the General Data Protection Regulation (GDPR), which emphasizes the significance of gaining individuals' informed consent before collecting and using their personal information.An important step towards protecting people's privacy is the requirement for the appointment of a Data Protection Officer (DPO).The DPO will manage the organization's data protection policies and procedures and respond to any concerns or questions data principals may have.The right to information ensures accountability and transparency in data processing activities by enabling the data principal to be informed about the collection, processing, and use of their personal data.With a maximum fine of 500 crores, the Board is empowered to impose fines in six main areas under the proposed Data Protection Bill.The Board's ability to conduct investigations is restricted to handling only customer complaints.

RECOMMENDATION
The Suggestions are drawn after the examination of the Personal Data Protection Bill 2018 and 2019, as well as the Digital Personal Data Protection Bill 2022.Additionally, a comparative analysis is conducted between the DPDP Bill 2022 and the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).Based on this analysis, the following recommendations are proposed.Overall, the Digital Personal Data Protection Bill 2022 is a significant step forward in terms of regulating the collection and processing of personal data in the digital sphere.It is intended to give individuals greater control over their personal data and to hold companies accountable for the way they handle and uses that data.The penalty giver under the act is increased as compared with the previous bill and the scope of rights of the data subjects is also given in broad ambit.While the implementation of the bill requires some adjustments, it is ultimately aimed at creating a safer and more secure digital environment for all.
The DPDP bill of 2022 requires a revision of the definition of personal data.This is because the previous bill, as well as the GDPR and CCPA, have provided a comprehensive definition of personal data that specifically outlines the types of information that fall under this category.Data localization is a concept that is gaining popularity, as it allows countries to have complete control over their data.The General Data Protection Regulation (GDPR) includes provisions for data localization, which can be adopted by India to effectively monitor data within the country.
The impact of the internet on children is a growing concern, as determining the appropriate age for online activity is complex from a psychological perspective.both GDPR and CCPA have set the age range for children at 13-16 years old.The DPDP bill has expanded the scope by including children up to the age of 18.Which prohibits the tracking and behavioral monitoring of children, targeted advertising directed at children, and any form of data processing likely to cause harm to children.Exceptions may be prescribed by the government.
The protection of sensitive personal data has become increasingly important in today's world.This type of data includes information such as DNA samples, healthcare records, and credit card information.However, the current DPDP bill does not recognize the significance of sensitive personal data.Therefore, it is necessary to revise the bill to align with the GDPR and CCPA, which both acknowledge the importance of protecting sensitive personal data.
The DPDP bill of 2022 restricts the rights of individuals in comparison to the GDPR and CCPA, indicating a need to review these rights to establish a robust framework for individual rights expansion.The GDPR and CCPA offer various methods of enforcement, while the DPD bill only presents a single board for investigating and prosecuting data breaches appointed by the government.However, this board can be modified to allow for more adaptable enforcement largely be dictated by the government.Time is crucial in the data breach the DPDPB 2022 does not have specific time for the controller to the DPB in case of a breach, however, the other statues have mentioned the time limit for the notification of data breach.Therefore, the data protecion law need to be mentioned the specific time in case of breach.
's power to assess a violation of the CCPA Data Protection Board of India PENALTIES penalty fine up to $7,500 for each intentional violation or $2,500 for each violation, with an additional $7,500 for each violation involving a consumer under 16 years old.provided the penalty of for non-compliance 50 cr, failure to notify the board or non-full filment of obligation 200cr, failure of security measure 250cr, and can exceed up to 500 crore rupees.development of privacy and the right to privacy in India Throughout the analysis it is found that privacy has been a crucial aspect of human life that has been highly valued.It lets people have control over their own lives and keep others from interfering.This means they can speak their minds without being judged or punished.As society and technology have changed, the recognition of privacy as a legal right has also evolved.As per Article 21 of the Constitution of India, the right to privacy is recognized as a fundamental right that ensures that no individual shall be deprived of their personal liberty or life.India is a digitally empowered society and a knowledge-based economy.the Aadhaar card initiative has been a big help in improving identification in India.It gives every citizen a unique ID number and is connected to their biometric information.The program has the MyGov platform that allows citizens to take part in governance and offers a safe and confidential means of communication.The Supreme Court of India acknowledged the right to privacy as a fundamental right under the Constitution in Justice K.S. Puttaswamy (Retd.) and Another v. Union of India and Others.The court noted that the right to privacy encompasses the right to manage one's own personal information.India has acknowledged the significance of data protection and put in place various laws and regulations to ensure the safety of individuals' personal data.

General Data Protection Regulation, 2016/679:
Parliament of the European Union, and Council of the European Union.In 2016.It repeals Directive 95/46/EC (General Data Protection Regulation) on the protection of natural persons regarding the processing of personal data and the free movement of such data.The European Parliament passed Regulation (EU) 2016/679 on 27 April 2016.L 119, p. 1-88, European Union Official Journal.