India's Digital Personal Data Protection Bill, 2022

Key takeaways and privacy concerns



The Ministry of Electronics and Information Technology (MeitY) published the draft of the Digital Personal Data Protection Bill, 2022 (DPDP Bill), on November 18, 2022.

It is set to replace the earlier Personal Data Protection Bill (PDP Bill), introduced in 2019 and later withdrawn in August 2022.

Let's look at some of the key principles outlined in this draft.

Please keep in mind that I use the term "data collector" to refer to any entity that collects, processes, or stores personally identifiable information (PII). In the bill, the terms "Data fiduciary" and "Data processor" are used instead.

The "person" in the bill—the entity whose data is gathered and processed—is referred to as the "user" in this post.

  • The DPDP bill was created specifically to protect digitally processed data. This bill also includes data that is collected offline and then transferred to a computer system for digital processing.

  • The data collector can process any user-consented data.

  • The data collector is required to collect the least amount of data necessary and to disclose its intended use.

  • The request for consent should be available in each of India's 22 official languages.

  • The data collector must delete the data after processing if there are no other compliance requirements.

  • The user has the right to request, update, or erase any of their collected personal data.

  • To process information about children under the age of 18, verifiable parental consent is necessary.

  • The data processor must notify affected users of any data breach.

  • The penalties for non-compliance can be up to 500 crores.

  • A new Data Protection Board will oversee and enforce bill regulations.

Concerns to be aware of:

  • This bill appears to only affect Personally Identifiable Information (PII), so data collectors can process a person's racial or ethnic origin, political opinions, and genetic or biometric data as long as the aggregate data sets do not identify an individual.

  • The bill allows the data collector to avoid the explicit consent rule in some cases by using the "deemed consent" method. What constitutes "deemed consent" appears to be ambiguous.

  • A consent manager is supposed to act as a liaison between the data collector and the user and is in charge of responding to user inquiries about their data. This non-standard approach may complicate things.

  • The DPDP bill generally allows the transfer of personal data outside of India's borders.

  • All DPDP regulations may be completely waived for government agencies if the central government so decides. This poses a potential risk and might lead to carelessness within exempt organizations.

India appears to be catching up (albeit slowly) with other data protection laws, such as the EU's famous GDPR regulations and sector-specific regulations in the United States, such as PCI and HIPAA compliance standards. The DPDP bill appears to gloss over a number of the issues outlined in the concerns section. Individuals are left to protect their data on their own until more stringent solutions are implemented.