Budget 2023Budget 2023


  • Tata AIA Life Insurance
  • Hafele
  • Motilal Oswal
  • SMC Global Securities Limited
  • SBI Life
  • DSP Mutual Fund
Upcoming Event : LeapToUnicorn - mentoring, networking and fundraising for startups. Register now
you are here: HomeNewsOpinion

Data Protection Bill | A step closer to a dedicated data protection framework

The Draft Digital Personal Data Protection Bill, 2022 is a simpler and more easily understandable version in comparison to its predecessors — not only in terms of language, but also in terms of the obligations it sets to impose, and the structure it seeks to put in place

November 23, 2022 / 03:12 PM IST
Representational image

Representational image

The Draft Digital Personal Data Protection Bill, 2022 comes on the heels of the Personal Data Protection Bill, 2019 being withdrawn from Parliament. The draft Bill is a culmination of several rounds of discussions with and within the Ministry of Electronics and Information Technology.

The current version has been released for stakeholder feedback nearly three years after the 2019 Bill was introduced in Parliament and sent for deliberation by a Joint Parliamentary Committee (JPC). The draft Bill was preceded by a report of the JPC, which contained a revised version of the 2019 Bill, and other recommendations by the JPC.

In keeping with the government’s efforts to maximise its Digital India campaign, the introduction of the draft Bill is crucial for several reasons. First, it is a major step forward in establishing a comprehensive legal framework governing the processing and protection of personal data in India, with the Information Technology Act, 2000 viewed as being inadequate to deal with India’s emerging digital landscape and economy.

Second, this draft Bill will constitute the formal framework under which the right to privacy will be given effect, as it seeks to empower the digital citizen by providing their statutory rights over the manner in which their personal data is processed. In interactions with the media preceding the release of the draft Bill, the government had made it clear that any data protection framework will focus on the rights of the digital citizen, while creating an enabling environment for India’s booming data economy.

  • The draft Bill retains rights of data principals from previous iterations, and also introduces the concept of ‘duties’ of data principals — the aim here appears to be to create harmony between individual rights and obligations.

  • The draft Bill no longer creates different sub-categories of personal data and applies all provisions to personal data as a whole, so long as it is digitised.

  • The substantive provisions relating to cross-border data transfers have been simplified in order to promote ease of doing business. To aid this, differential standards for varying data categories have been done away with, and transfer of personal data to countries outside India will be determined based on appropriate notifications by the government. It remains to be seen how this will be practically operationalised.

  • In a most welcome change, the framework no longer prescribes criminal penalties for non-compliances, and has chosen to retain only monetary penalties ranging from Rs 10,000 to Rs 250 crore.

In keeping with previous versions, the draft Bill too reserves broad discretionary powers for the government. Specifics of several provisions also remain to be clarified through delegated legislation (including the form and manner of notifying personal data breaches, manner of obtaining parental consent for processing children’s personal data, composition of the Data Protection Board of India, etc.) — in other words, the government is empowered to prescribe rules with respect to the operational aspects of the enforcement and implementation of the draft Bill.