India’s Digital Personal Data Protection Bill, 2022
On November 18, the Ministry of Electronics and Information Technology (MeitY) released India’s much-awaited Digital Personal Data Protection (DPDP) Bill, 2022, the fourth iteration of India’s draft data protection law.
A data protection law has been in the works since 2017, when the Supreme Court, in the landmark Puttaswamy judgement, ruled that privacy is a fundamental right of Indian citizens, putting the government under the obligation to pass legislation to protect this right.
MeitY has invited feedback from the public on the draft Bill by December 17, 2022. The feedback may be submitted on the MyGov website. Notably, MeitY has stated that “no public disclosure of the submissions will be made.”
The purpose of the legislation is to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for related matters.
Highlights of India’s Digital Personal Data Protection Bill, 2022
An explanatory note for the Digital Personal Data Protection Bill, 2022, says the legislation lays down “the rights and duties of the citizen (digital nagrik) on one hand and the obligations to use collected data lawfully of the Data Fiduciary on the other hand”.
The 2022 Bill emphasizes the relevance of an individual’s consent before their data is processed. It further mentions that “every individual should know what items of personal data a Data Fiduciary wants to collect and the purpose of such collection and further processing.”
Consent is not required in circumstances where seeking it from the individual is “impracticable or inadvisable due to pressing concerns”. The Data Principal can withdraw their consent at any time, and the consequences of such withdrawal shall be borne by that Data Principal.
Important points to be noted
- The draft makes it clear that individuals should have access to “basic information” in languages specified in the eighth schedule of the Indian Constitution.
- The Bill allows the central government to notify a new regulatory body called the Data Protection Board of India to oversee compliance with the Act.
- The Board will have the power to impose a penalty of up to Rs 500 crore if non-compliance is ‘significant’.
- The draft also elaborates on six types of penalties for non-compliance, including failure to notify the Board and affected users in case of a personal data breach.
- The Bill could exempt certain entities from adhering to the law depending on the volume and nature of personal data processed.
- Another point that emerges from the Bill is that when it comes to children, which it defines as all users under the age of 18, their parents or lawful guardians will be considered their ‘Data Principals.’ In such cases, the Data Fiduciary must obtain “verifiable parental consent” before processing personal data.
The proposed Bill permits cross-border storage and transfer of data to “certain notified countries and territories” in accordance with specific terms and conditions.
Individuals will have the right to file a complaint with the Data Fiduciary and, if not satisfied with the response, can register the grievance with the Data Protection Board.