Moneycontrol PRO
you are here: HomeNewsOpinion

Data Protection Bill | A step closer to a dedicated data protection framework

The Draft Digital Personal Data Protection Bill, 2022 is a simpler and more easily understandable version in comparison to its predecessors — not only in terms of language, but also in terms of the obligations it sets to impose, and the structure it seeks to put in place

November 23, 2022 / 03:12 PM IST
Representational image

Representational image


The Draft Digital Personal Data Protection Bill, 2022 comes on the heels of the Personal Data Protection Bill, 2019 being withdrawn from Parliament. The draft Bill is a culmination of several rounds of discussions with and within the Ministry of Electronics and Information Technology.

The current version has been released for stakeholder feedback nearly three years after the 2019 Bill was introduced in Parliament and sent for deliberation by a Joint Parliamentary Committee (JPC). The draft Bill was preceded by a report of the JPC, which contained a revised version of the 2019 Bill, and other recommendations by the JPC.

In keeping with the government’s efforts to maximise its Digital India campaign, the introduction of the draft Bill is crucial for several reasons. First, it is a major step forward in establishing a comprehensive legal framework governing the processing and protection of personal data in India, with the Information Technology Act, 2000 viewed as being inadequate to deal with India’s emerging digital landscape and economy.

Second, this draft Bill will constitute the formal framework under which the right to privacy will be given effect, as it seeks to empower the digital citizen by providing their statutory rights over the manner in which their personal data is processed. In interactions with the media preceding the release of the draft Bill, the government had made it clear that any data protection framework will focus on the rights of the digital citizen, while creating an enabling environment for India’s booming data economy.

The focus will now be on the government and the consultation process it undertakes till December 17, the period till which feedback can be provided on the draft Bill.

At the outset, the draft Bill is a simpler and more easily understandable version in comparison to its predecessors — not only in terms of language, but also in terms of the obligations it sets to impose, and the structure it seeks to put in place.

Here are some of the key takeaways:

  • The draft Bill retains rights of data principals from previous iterations, and also introduces the concept of ‘duties’ of data principals — the aim here appears to be to create harmony between individual rights and obligations.

  • The draft Bill no longer creates different sub-categories of personal data and applies all provisions to personal data as a whole, so long as it is digitised.

  • The substantive provisions relating to cross-border data transfers have been simplified in order to promote ease of doing business. To aid this, differential standards for varying data categories have been done away with, and transfer of personal data to countries outside India will be determined based on appropriate notifications by the government. It remains to be seen how this will be practically operationalised.

  • In a most welcome change, the framework no longer prescribes criminal penalties for non-compliances, and has chosen to retain only monetary penalties ranging from Rs 10,000 to Rs 250 crore.

In keeping with previous versions, the draft Bill too reserves broad discretionary powers for the government. Specifics of several provisions also remain to be clarified through delegated legislation (including the form and manner of notifying personal data breaches, manner of obtaining parental consent for processing children’s personal data, composition of the Data Protection Board of India, etc.) — in other words, the government is empowered to prescribe rules with respect to the operational aspects of the enforcement and implementation of the draft Bill.

The government also has the power to exempt certain entities from compliance with the provisions of the draft Bill, including “any instrumentality of the state”. It is, therefore, possible that State agencies’ processing of personal data will not be subject to the same standards as data processing by industry.

Given the draft Bill is open for feedback, it remains to be seen how netizens, industry, and civil society will react to the new provisions. Even as we await the final form this framework will take and the ensuing impact, many will agree that the introduction of the draft Bill brings us one step closer to having a dedicated data protection framework, and laying to rest many years of debates and discussions regarding the form and structure such a framework will take.

Shahana Chatterji is Partner, and Namrata Ramachandran is Senior Associate, Shardul Amarchand Mangaldas & Co. Views are personal, and do not represent the stand of this publication.
Invite your friends and family to sign up for MC Tech 3, our daily newsletter that breaks down the biggest tech and startup stories of the day

Shahana Chatterji is Partner at Shardul Amarchand Mangaldas & Co. Views are personal, and do not represent the stand of this publication.
Namrata Ramachandran is Senior Associate, Shardul Amarchand Mangaldas & Co. Views are personal, and do not represent the stand of this publication.