On November 18, 2022, the Indian government announced a fresh draught Digital
Personal Data Protection Bill,2022 (the "Draught Bill").The Draught Bill is now
available for public comment, which must be submitted by December 17,
2022.Previous versions of the bill, including the Personal Data Protection Bill,
2019, and the Data Protection Bill, 2021, were dropped in response to
The long-awaited Digital Personal Data Protection (DPDP) Bill, 2022 was
announced by India's Ministry of Electronics and Information Technology (MeitY)
on November 18. This fourth draughts of India's data protection law is
drastically abridged and amended, eliminating or weakening numerous previous
requirements. While corporations may embrace this simpler version, privacy
campaigners may protest.MeitY has requested public feedback on the Bill by
December 17, 2022.
Bill's Applicability 
This does not apply to:
- Processing of personal data collected on Indian territory when the data
is collected online or offline and digitised.
- Personal data processing outside of India, if the processing is related
to profiling people in India or offering goods and services to people in
India. Profiling is defined as "any form of personal data processing that
analyses or predicts aspects concerning the behaviour, attributes, or interests of a Data
- Personal data processing that is not automate offline personal
- An individual's personal data is processed for any personal or
- Personal information about an individual found in a record that has
been in existence for at least 100 years.
The data protection bill, which covers only "personal data" of Indian citizens,
dubbed "Digital Nagrik," grants citizens the right to erasure or "to be
forgotten." Citizens will be able to have their data corrected or even deleted.
This new version of Data bill named Digital Personal Data Protection bill takes
a novel approach to the relationship between data principals and data
fiduciaries, organisations that determine the means and purpose of collection,
outlining both data fiduciarie's obligations and data principal's duties.
Why is this bill making headlines these days?
A new version of the Data bill is going to be introduced in the house of the
parliament with a "new name". Two versions of this Bill already has been
introduced and were withdrawn both the time.
In the last week of January 2023, a group of petitions challenging whatsApp's
5-judge Bench comprised of justices KM Joseph,Ajay rastogi,Anirudhha
Bose,Hrishikesh Roy, and CT Ravikumar was informed that after adminitrative
compliances, a data protection bill will be introduced before Parliament in the
second half of the budget session,2023.
Recently,the government told the Supreme court on Tuesday that it will introduce
the Digital Personal Data Protection Bill in the second half of the Parliament's
budget session,which begins March 13 ,and that it will cover most of the issues,
including the privacy policies of the instant messaging service Whatsapp, which
are being challenged for alleged violations of citizen's fundamental rights.
That's why this digital personal data protection bill is in news nowdays.
Important Concerns of this bill:
Why "DATA" is being compared to "OIL" nowdays?
- The Bill aims to weaken the provisions of the Right to Information Act, which has given citizens the ability to access information and hold governments accountable. Experience has shown that in order for people, particularly the poor and marginalised, to reap the benefits of welfare programmes, they must have access to relevant, granular information. For example, the National Food Security Act recognises the importance of making ration card holder information and ration shop records, including sale and stock registers, available to the public in order to conduct social audits of the public distribution system. It is impossible for intended beneficiaries to access their rightful entitlement of food grains in the absence of publicly accessible information.
- Problems with deemed consent: In addition to explicit consent, the Bill includes "deemed consent" as a ground for processing personal data. Deemed consent has been criticised because the criteria for what constitutes deemed consent are broad and vague, allowing personal data to be processed without consent for a variety of reasons.
- A shaky Data Protection Board: The Data Protection Authority is being replaced by the Data Protection Board of India, which will be appointed by the central government. The rules that the Board and its members must follow will be largely dictated by the central government, raising concerns about the Board's independence and effectiveness.
- Government and law enforcement are even more easily exempted than before:
- The 2022 Bill, like previous versions, allows the government to exempt any of its entities from certain or all provisions of the Bill on grounds such as national security, public order, and so on.
- The Bill also repeals the 2021 provisions requiring the government to follow a "just, fair, reasonable, and proportionate" procedure before granting exemption, as well as the 2018 provision requiring exemption to be "authorized by law.
- Furthermore, the government has the authority to keep personal data for an indefinite period of time.Furthermore, there is an automatic exemption for the processing of personal data for the purposes of crime prevention, investigation, and so on, without the need for the government to issue any notification.
- Companies are not required to inform users about their use of personal data:
- Unlike previous Bills, which required companies to state how long they will store data and whether or not they will share it with third parties, the notice to be displayed to users is only required to state what personal data will be collected and for what purpose.
- Furthermore, notice is only required to be displayed to users when obtaining consent, not when deemed consent is obtained.
- Fiduciaries are also not required to publish privacy policies on their website, as previous Bills required.
- Why are there user penalties: The Data Protection Board can levy a penalty of up to $10,000 under the 2022 Bill if a user fails to perform their duties as outlined in the Bill. "It defies logic how penalties are now imposed on users. This is disturbingly similar to the penalties proposed in the Telecom Bill for subscribers providing incorrect information," IFF noted.
- Which countries can receive personal data: The Bill eliminates restrictions on the transfer of sensitive and critical personal data, as well as such classifications. Instead, all personal data can be transferred outside of the country to countries or territories that have been approved by the government. However, it is unclear which countries will be approved and on what basis.
- The government can exempt certain types of fiduciaries, but who: One provision allows the government to notify a class of data fiduciaries that will be exempted from certain provisions of the Bill based on the volume and nature of personal data they process. While this appears to be a provision that can be used to categorize small data fiduciaries and exempt them from onerous obligations, nothing in the Bill guarantees that. "Clause 18(3) grants the government arbitrary authority to exempt data fiduciaries" (not only small entities). How? Who? Why? "There is silence," IFF tweeted.
- There are no safeguards for sensitive and critical personal data: The previous Bill defined sensitive and critical personal data as subsets of personal data that required additional safeguards. Such classifications are abolished by this Bill. "This could be a problem because the harm posed by a breach of sensitive personal data is much greater," Prasanth Sugathan, Legal Director at SFLC.IN, observed.
- The following core principles, as listed in the explanatory note, are not reflected in the actual Bill: The IT Ministry's explanatory note claims that the DPDP Bill, 2022 is based on principles of purpose limitation, data minimization, storage limitation, and so on; however, these principles are not reflected in the actual Bill. "The explanatory note provides a detailed list of the principles that the bill attempted to incorporate. However, as Sugathan points out, this is not legally binding.
- Violations of "voluntary agreements" result in only fines: The Data Protection Bill allows the Data Protection Board to accept voluntary undertakings from entities under investigation for misconduct. A violation of the undertaking, on the other hand, results in a fine, which is being criticized as meaningless.
- When processing personal data of users under the age of 18, data fiduciaries are required to obtain "verifiable" consent from the users' parents. The 18-year-old age limit has been criticized as being too high and inconsistent with international standards. Numerous stakeholders have expressed concern about how this threshold may harm children rather than protect them.
The phrase "Data is the new oil" was created by Clive Humby, a British
mathematician and data science entrepreneur. "The new oil is data," he stated.It
is valuable, but it cannot be used unless purified.In order to drive economic
activity, it must be turned into gas, plastic, chemicals, and other valuable
entities; similarly, data must be broken down and examined in order to have
Because it can be used to extract insights, data is the new oil.Depending on the
company, insights can help with customer retention, upselling, new income
models, advertising, and other activities.Insights are the new money if data is
the new oil.
Data amounts are currently expanding as a result of advances in computing, the
internet of things, machine-generated data, and other factors.
One of the primary reasons for the Indian government's ban on Chinese apps was
data privacy."The Indian Ministry of Information Technology announced the ban
after receiving "several complaints from various sources" about apps that were
stealing and secretly sharing user data in an unlawful manner.
"The compilation of these data, its mining and profiling by elements hostile to
India's national security and defence, which ultimately impinges on India's
sovereignty and integrity," the ministry said.We live in a time when we
broadcast every personal detail about ourselves on social media, whether for
professional or recreational reasons.
For example, if we post a photo of oneself to social media, the photo can be
misappropriated, and any computer hacker can pinpoint the location of the
clicked photo, putting us in an unanticipated creepy scenario.
This can also be used to undermine national security, which is why everyone is
concerned about data safety and security.
This is the reason behind the government is again coming with the new version of
Data protection bill.
In this day and age, data plays a very unique and important role in national
security, which is why we require data management with proper laws, penalties,
As previous data bills were withdrawn, the government has introduced a new bill
with a new name and agenda, so let's see if it succeeds.
- Akhil Hirani, Digital Personal Data Protection Bill � an analysis, CHAMBERS AND PARTNERS (December 28, 2022)
- Sarvesh Mathi, Summary: India's Digital Personal Data Protection Bill, 2022, MEDIANAMA (November 19, 2022)
- Lalit T Khanna, Digital Personal Data Protection Bill 2022 and its impact on India's booming data centre industry, THE TIMES OF INDIA (January 6, 2023)
- Sohini Chaudhary, Data Protection Bill To Be Introduced In Parliament In Budget Session: Centre Tells Supreme Court, LIVE LAW (January 31, 2023)