The Digital Personal Data Protection Bill, 2022 ("DP Bill")
draught was made public by the Ministry of Electronics and Information
Technology on November 18, 2022, and interested parties were encouraged to offer
suggestions and comments.
The much-awaited DP Bill appears to be intended to establish a framework
regulating the processing of "digital personal data" in a manner that is
commensurate with the Indian users' expectations of having an open, safe,
trusted, and accountable internet as India emerges as an economy with over 760
million active internet users. The DP Bill aims to establish a compromise
between the Data Principals' right to have their digital personal data protected
and the Data Fiduciaries' obligation to process such data.
In order to establish processing standards that strike a balance between an
individual's rights to their personal data and the practical necessity of
processing personal data for legal purposes, DPDB recovers and restricts the
proposed law's focus to digital personal data.
An explanation note is included with DPDB to help with the interpretation of the
proposed provisions, although it is stated that it does not form a part of DPDB.
The DPDB is organised into 6 chapters and 1 schedule, has illustrations to
clarify the intent of certain articles, and is substantially shorter than the
prior legislation. It proposes 30 clauses for the regulation of digital personal
The Ministry of Electronics and Information Technology (MEITY) has released a
draft of the Digital Personal Data Protection Bill, 2022 ("The Bill") for public
consultations along with an explanatory note for each provision and the
underlying principles that guide the draftingThe public consultations are open
till December 17, 2022.
The Personal Data Protection Act, 2012 (PDPA) of Singapore serves as an
inspiration for the Bill, which is a condensed, concise version of the proposed
general data protection legislation that was previously known as the "Previous
Drafts," which heavily borrowed from the GDPR of the European Union. The
proposed legislation calls for greater accountability and openness in
influencing domestic and foreign data exchanges. This Bill came three months
after the previous draft version of the bill which was cloistered as a result of
widespread criticism over its onerous provisions.
While the Bill offers a more flexible framework for compliance and suggests a
number of much-needed reforms (such as the deletion of Non-Personal Data), it
also puts forth a number of ideas that have far-reaching implications.
Given the enormous implications that a law on data protection is expected to
have on users and the industry, each version has had its fair share of public
discussion up to this point. This is the fourth draft of the proposed data
protection law in as many years.
Application and Scope:
The Digital Personal Data Protection Bill, 2022 if passed will apply to:
Processing of 'digital personal data' i.e., personal data which is either
collected online or offline is digitised, subject to exemptions. Processing
carried either manually or by individuals for "personal or domestic purposes" is
not included. Additionally, the bill aims to exempt "personal data contained in
a record that has existed for at least 100 years."
The processing of data in India was well under the application of previous
drafts, but this Bill aims to control data processing even outside of India in
relation to the creation of Indian data principals' profiles or the provision of
offering goods or services to them. Hence, the scope of the DPDB,2022 has
expanded when it comes to territorial scope.
To understand the scope of this Bill and to differentiate this Bill from the
previous drafts, it is essential to understand the meaning of "personal data",
what exceptions apply to it, and who the major players are throughout the
Any information about a person who can be identified by, or in connection with,
that information is considered personal data, and this definition will include
opinions. However, the DPDB would only protect digital personal data, meaning
when it is gathered online or collected offline but then converted to digital
Now, processing is the term used to describe automated activities carried out on
digital personal data throughout its lifecycles, such as obtaining, recording,
gathering, structuring, storing, manipulating, sharing, and transferring data.
Any digital process that may operate automatically under predetermined
conditions or on its own will fall under automated processing procedures.
DPDB will be applicable to the digital personal data processing but only if its
automated. This means that according to the 2022 Bill it won't apply to manual
processing methods like structured file systems are not allowed. Additionally,
the DPDB will not be applicable to personal data that is processed by an
individual for domestic or personal use or that has been kept on file for one
hundred years or longer.
There are no provisions for particular classes of sensitive personal data or
critical data. Therefore there are no specific guidelines that would apply to
the processing of sensitive data sets like financial, biometric, or health
information. Gradual consent methods and penalties are made possible by
classifying 'sensitive' portions of critical personal data mentioned above,
which demand additional security.
Although the goal of establishing a straightforward compliance regime is
admirable, the current strategy could have the unintended effect of "treating
unequals equally" and force organisations to choose between protecting highly
sensitive data and increasing the compliance burden for less important data.
DPDB Bill 2022 will merely apply to 3 stakeholders:
Fundamental Concepts: Global Principles upon which DPDB Bill
- data fiduciary (akin to controller)
- data processor
- data principal (akin to data subject)
The new Bill, put up by the Ministry of Electronics and Information Technology,
outlines the obligations to utilise obtained data lawfully as well as the rights
and responsibilities of the "Digital Nagrik"
(digital citizen). The law
is founded on the following tenets, drawing on best practises from nations like
Singapore, Australia, and the European Union:
Consent and Deemed Consent:
- Lawfulness, fairness, and transparency.
- Purpose limitation.
- Data minimization.
- Storage limitation.
Digital personal data processing must be for a lawful purpose with Consent or
Deemed Consent of the data principal. Penalty for violation with Consent or
Deemed Consent requirements can be up to INR 500 million (about USD 6.1
The Bill mandates obtaining consent for processing after providing a notice in
clear and plain language, "describing" the type of personal data sought to be
collected and an "itemised" list of the purposes of processing. This is in stark
contrast to the Earlier Bill and the GDPR, which prescribe a granular consent
regimeat least for sensitive personal data.
Consent remains the legitimate primary basis for processing, albeit with
loosened constraints. According to DPDB, consent must be unrestricted, explicit,
informed, and transparent. It must be acknowledged by the data principal through
affirmative action and be restricted to the designated purposes. A data
fiduciary must provide itemised notice (i.e., presented as a list of individual
items) on or before obtaining consent that clearly and plainly explains the
personal data sought to be processed and its intended use.
These notification requirements could end up doing both too much and not enough
at once. The ability to provide "itemised" list of purposes allows entities to
continue collecting "all or nothing" bundled consents, limiting the usefulness
of these "fresh" consents to Data Principals. The re-consenting obligation,
however, runs the risk of inundating Data Principals with thousands of notices
(a phenomenon that was also observed with the GDPR).
Data Principals are given an option of requiring that notice be provided in any
of the 22 languages specified in the Eighth Schedule of the Constitution of
But here, benefits to Data Principals may be outweighed by the difficulties of
translating authoritative versions of dynamic documents into each of these
languages, especially if the underlying application or service is only available
in a few of them.
Additionally, the data principal has the right to withdraw consent at any time,
but only with the understanding that any consequences of doing so will be on the
data principal's dime. The data fiduciary will have the burden of proving that
processing was done with consent, but under the proposed scheme, this burden
would be relatively easy to meet if only the bare minimum of information was
included in the notice seeking consent and there was an affirmative response
from the data principal indicating consent.
When it comes to deemed consent, it is a concept which is mentioned in Personal
Data Protection Act 2012. It has found its way back in the current DPDB Bill,
2022. The absence of safeguards like revocation and the restriction of this
permission to specifically stated purposes contrasts with the previous
When a Data Principal voluntarily gives personal information to the Data
Fiduciary and it is "reasonably expected that such data would be given," there
is an assumption of deemed consent. As opposed to the Previous Drafts, the Bill
does not include a mechanism for the adoption of laws or guidelines for
processing based on deemed consent, which could lead to the abuse of this
provision, especially given that Data Fiduciaries have the power to gain
The other possible substitutes of Deemed Consent include a wide range of
processing grounds recognised in other jurisdictions, including processing by
state or judicial entities, for authorised contract, legitimate interest,
benefit of data principle, and repurposing. Future notifications of new grounds
is also a choice. The data principal need not be notified beforehand or after
the fact under these possibilities, though. Data owners might not know what,
why, how, or when their personal data was handled, which undermines the
transparency and accountability principles essential for protecting
Cross border data transfer:
Stakeholders have extensively argued the specifics of cross-border data flow
under past drafts of this bill, with significant opposition to soft and rigid
data localization standards. Such localization standards are eliminated by
DPDB,2022, which is a positive development. It stipulates that the central
government must inform any countries to which personal data may be transferred,
under applicable terms and conditions, following any examination of
considerations that it may consider essential.
This suggests that the central government will have complete discretion when
deciding whether jurisdictions are appropriate or not, as well as when to set
requirements for data transfers. Alternative methods for cross-border
transmission, such as legally enforceable business policies, typical contract
provisions, and sporadic data transfers, are not included.
Currently, IT Rules only allow cross-border transfers with consent or when such
transfers are necessary for the performance of the contract entered into with
the data principal. Data transferors are required to assess whether a similar
level of data protection will be afforded to the personal data by the data
As a result, DPDB tends to further relax the restrictions already in place, and
it appears that data fiduciaries and processors can freely transfer personal
data outside of India as long as there is consent or a basis for deemed consent
for such a transfer until such time as transfer-related rules are made.
Obligation of data fiduciary:
The guiding concept is that, despite any contract to the contrary or any action
on the part of the data principal, the data fiduciary shall be principally
accountable for compliance with DPDB. The IT Rules and other countries' data
protection laws permit this common approach.
The duties imposed on all data fiduciaries are as follows:
Rights and Duties of Data Principal:
- Make reasonable measures to keep processed personal data accurate and
complete where it may be used to make decisions that impact the data
principal or later shared to another data fiduciary.
- implement suitable organisational and technical measures to comply with
- take reasonable security precautions to safeguard personal information
and prevent data breaches; the penalty for non-compliance could be up to INR
- Notify the Data Protection Board of India (DPBI), the regulatory agency
envisioned under the DPDB, and the impacted data principal of data breach
occurrences; the fine for non-compliance could be up to INR 2,000 million
(about USD 24.5 million) => This is a positive change from the previous
bill, which did not require fiduciaries to tell data principals about
breaches without first conducting harm and risk analyses.
- remove identification information from personal data as soon as the
purpose for retention is fulfilled or when it is not needed for any other
business purposes (opt for pseudonymization or anonymization techniques),
business purpose is broad and can be interpreted broadly to allow retention
even when processing and legal purposes have been satisfied;
- publish the name and phone number of the authorised person who will
respond to the data principal's inquiries.
- create a system and efficient mechanism for grievance redress, and
- With regard to this requirement, it appears that the obligation will not
apply where processing is done on a basis of "deemed consent" and only with
the data principal's consent and only pursuant to a contract, engaging a
data processor, or transferring personal data to another fiduciary.
The DPDB attempts to impose specific obligations on data principals while
limiting the scope of their rights in relation to their personal data.
A data principal is entitled to:
- Confirmation of the processing done
- access a list of all the data fiduciaries with whom personal data has
been shared, a summary of the processing activities that have been carried
out, and any additional information that may be required
- rectification of false or inaccurate personal information
- completing any unfinished personal data
- updating personal information
erasure of personal data no longer required for processing or for any other
legitimate reason. It is important to keep in mind that a fiduciary is
allowed to retain personal data if it is required for business purposes. As
a result, it is unclear whether the right to erasure will supersede this
fiduciary right. Therefore, there is a need for necessary clarification.
- file a complaint with the data fiduciary
- A complain to be directed to DPBI where they receive any unsatisfactory
or nil response from the data fiduciary on the grievances that were lodged.
In the event of their death or incapacity, they can designate another person
to act on their behalf.
The right to data portability, the right to be forgotten, and the right to
object to specific types of processing�automated data processing being the key
area of regulation�shall not be granted to the data principal. These rights have
been contentious issues around the world. Rules-making will determine the
format, timeline, manner, and other specifics of how rights can be exercised.
However, the data principle is required to uphold certain obligations in order
to exercise these rights. One of them demands that the data principal abide by
the rules of all relevant laws. This is unclear because it could be taken to
mean that any violation of any applicable law could invalidate the rights of the
data principal, even when there may not be a connection between the violation
and the right being sought to be exercised.
For instance, a literal interpretation would imply that a person who has been
convicted of a crime lacks the rights of a data principal under DPDB. Who would
decide and confirm whether the data principal has been and is in compliance with
applicable law is also unknown.
The data principal must also refrain from filing fictitious or pointless
complaints with the data fiduciary or making complaints to the DPBI. It appears
that data fiduciary and DPBI have the discretion to decide if a complaint or
grievance is untrue or frivolous.
Additionally, when applying for any document, service, unique identifier, proof
of identity, or proof of address, the data principal is required to provide true
and relevant information; additionally, all information provided in order to
exercise the right to correction or erasure must be verifiably authentic.
The maximum fine for a data principal who violates their obligations is INR
10,000. (about USD 122). Additionally, failure by the data fiduciary to respect
duly exercised data principal rights may result in a fine of up to INR 500
Penalties Imposed On The New Bill: The motivating factor behind guaranteeing
compliance with the law, penalties for disobedience, have likewise changed. The
EU General Data Protection Regulation served as a model for the bill's earlier
iterations, which set a maximum on fines at 4% of the data fiduciary's total
annual global revenue to make sure they were proportionate to the scale of the
The current bill, however, caps the sanctions that can be levied against the
data fiduciary at 5 billion rupees ($61 million). The failure to protect the
security of personal data may result in a penalty of 2.5 billion rupees (about
$30 million) for both the data processor and data controller, while the bill
does not specify the compliance criteria that should be enforced on the data
Following are the penalties that have been imposed in the new Bill:
- Clause 9(4) deals with failure to implement reasonable security measures
to stop a breach of personal data, where a penalty has been imposed of up to
Rs. 250 crore
- Clause 9(5) deals with failure to report a personal data breach to the
Board and the impacted Data Principals, where a penalty of up to Rs. 200
crore has been imposed.
- Clause 10 deals with non-compliance with additional obligations relating
to the processing of children's data, where penalty has been imposed of up
to Rs. 200 crores.
- Clause 11 deals with failure of the Significant Data Fiduciary to fulfil
extra requirements, where a penalty has been imposed of up to Rs. 150 crores.
- Clause 16 deals with breach of user obligations, which has made an
imposition of fine of up to Rs. 10,000 crores, and
- All the clauses which have not been mentioned, shall deal with a penalty
of up to Rs. 50 crores.
Justice BN Srikrishna, whose presidency the Personal Data Protection Bill, 2019,
was under, has stated that the lack of stricter regulations protecting citizens'
sensitive personal data does nothing to defend others' fundamental right to
According to the current version of the Personal Data Protection Bill, the data
principal's consent is presumed to have been given whenever the State or any of
its agencies performs any legal obligations on their behalf, provides them with
a service or benefit, or issues them a certificate, licence, or permit for a
particular action or activity.
This indicates that the Bill simultaneously grants the state instrumentality and
the private sector equal convenience to gather data under the presumption of
assumed consent. The Bill is unclear as to whether the Data Principal can revoke
considered permission once it has been assumed to have been given and, if so,
what process would be followed. One can question whether this was a tactic to
win widespread support for the Bill given that it grants the state and the
private sector equal liberties.
The Bill eliminates the burdensome data localization mandate imposed by the 2019
Bill, continuing the pro-business theme. Second, the Bill includes the idea of
"voluntary undertaking," which gives the Data Protection Board the option to
accept an assurance given by an offending organisation to futuristically comply
with the Bill's obligations.
This is similar to how the Companies Act compounds offences. Although the Bill
does provide for fines of up to INR 500 crores for violations of the data
protection law, there is no provision allowing data principals to seek financial
damages for breaking the law. One can't help but question if the private sector
was treated too lightly.
Subordinate legislation, such as the Rules to the Bill and other executive
orders, is anticipated to give some of the law's provisions teeth and make them
operative. However, the Bill does not yet fully address how the right to privacy
guaranteed by the Constitutional Right to Life shall be protected by private or
public actors, nor does it adequately secure the privacy of digital data of data
Overall, it is not recommended to pass the Bill as constituted. Anyone concerned
about their right to digital data privacy should read the bill and voice their
concerns to the government before mid-December, when public comments on it will
Drawbacks of The Bill:
After facing sharp criticism from Big Tech, the amended Bill has omitted
some of the more problematic regulations governing cross-border data transfers.
Cross-border data flows were subject to strict restrictions under the bill's
previous version. Businesses were required to keep a copy of "sensitive"
personal data in India while exporting "critical" personal data was prohibited.
By not placing such demands on businesses, the revised draft represents a
substantial shift in perspective on this matter. Companies are not mandated to
keep their data only in India. Now, they can send the data to any nation on the
government's list. On what basis the government will choose a country is still
not clear. Despite this, loosening the regulations on data storage will be
welcomed by both Big Tech and the nation's expanding start-up environment.
The Data Protection Board's independence is put into question via this bill. The
Board's members and its chairperson shall be appointed by the government. The
rules will be also set up the Central Government. It also contains some
provisions which curtail the powers of the Board.
The broad exclusions granted to the government and its agencies with few
controls are equally disputed. The joint parliamentary committee had recommended
that the exemption be granted in accordance with a "just, fair, reasonable, and
proportionate method" when discussing the prior version of the bill. But no such
changes have been seen in the 2022 Bill. It still gives the exclusive power to
exempt any of its entities from particular or all provisions of the Bill on
grounds such as national security, public order, etc.
The government is also permitted to keep personal data in its possession
indefinitely. Additionally, no government notification is required to process
personal data for the prevention, investigation, etc., of crime. These arguably
problematic elements, which will give the government more jurisdiction than an
independent statutory authority, need to be re-examined in a period of
The companies are also not required to disclose much to people about how they
use personal data. Unlike earlier Bills, which required businesses to say how
long they will store data and whether they will share it with third parties. The
notice that must be displayed to users merely needs to state what personal data
will be gathered and for what purpose.
Additionally, users must be given notice only when giving consent; presumed
consent is not required. Fiduciaries are not required to post privacy rules on
their website, as mandated by earlier Bills. It removes explicit mention of
purpose specification and limitation. These are core obligations.
Another major cause of worry is the inclusion of "deemed consent" clause. In
addition to explicit consent, the Bill also recognises "deemed consent" as a
legal basis for processing personal data. The problem that arises is the
criteria for what qualifies as deemed consent. They are wide and ambiguous,
permitting the processing of personal data without consent for a variety of
Currently with high regulated data environment, companies in India need to have
a stricter compliance strategy to gain positive rewards.
When the DPDB is passed into law, it is intended to be implemented gradually,
thus it will be important for the government to give businesses enough time to
strengthen their current data protection procedures. The fundamental idea behind
DPDB is to offer broad principles for data protection, and MeitY has done this
by including provisions from data protection laws from countries like Australia,
Singapore, and the EU.
The government thinks that the draught law, as it stands, provides enough room
for adaptation as the digital ecologies change. The start-up community and
businesses have expressed optimism about the proposed measures, while others
have expressed concerns about the lack of sufficient checks and balances on
presidential powers and exclusions. However, the devil is in the details, and
that is why delegated legislation has been used. Ultimately, the true
effectiveness and impact of DPDB will need to be proven over time.
The DPDP Bill, 2022 has received mixed reviews, but it is a thorough piece of
legislation that should be passed shortly. For simplicity of understanding, the
definitions have been condensed. The Bill permits the storage and transmission
of data across international borders to "certain notified nations and
territories," although it is still unclear to which countries this is allowed.
Previous iterations of the bill were criticised for being too "compliance
intensive," but the DPDP Bill, 2022, offers encouragement to start-ups because
the government has the authority to exempt some companies from the bill's
requirements based on the volume of users and personal data they process. In
order to preserve public order and India's sovereignty and integrity, the Bill
also grants the government the authority to grant exemptions from its