A Statutory Effort to Safeguard Personal Data In India: The Digital Personal Data Protection Bill, 2022

[By Aayushi Choudhary & Bhanupratap Singh Rathore]

The authors are students of Gujarat National Law University, Gandhinagar.

Three months after withdrawing the Personal Data Protection Bill, 2019 from the Lok Sabha, the government has come up with revamped legislation. This is the fourth time the government has proposed a bill on digital data protection. The first draft was released in 2018 on the recommendations of the Justice BN Srikrishna Committee. After some modifications, the government introduced the Personal Data Protection Bill in 2019, which was referred to a Joint Parliamentary Committee. The Committee submitted its report in 2021 along with a redrafted bill titled the “Data Protection Bill, 2021.” Because the Committee had made extensive changes to the draft, the government withdrew the bill. The stated purpose of the new bill is to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process personal data for lawful purposes.

Some of the highlights of the bill are:

  1. Regulatory body: The proposed regulatory framework resembles that of the European Union’s General Data Protection Regulation. Although the functions and duties of the Board are not clearly spelt out in the bill, the proposed Data Protection Board has a simpler mandate than the regulator contemplated in the earlier bills.
  2. Child protection: Every person below the age of 18 years is a child under the bill. The bill prohibits tracking or behavioural monitoring of children and targeted advertising directed at them. Non-fulfilment of the additional obligations in relation to children attracts a penalty of up to Rs 200 crore.
  3. Penalties: In the 2019 draft, penalties were tied to the company’s global turnover: up to 4% for a data breach and up to 2% for non-compliance with other provisions. The proposed draft does away with this and instead provides for a fine of up to Rs 500 crore per instance. Many experts have expressed reservations about such a high ceiling. In practice, the amount would lie between Rs 50 crore and Rs 500 crore, in proportion to the kind of breach, the impact it can have on the end user, and the conduct of the company. The Data Protection Board will analyse the breach and determine whether a penalty should be imposed. For tech giants, however, these penalties are low: a fine of Rs 500 crore on Google would be a very small sum compared with the penalties imposed on it by other jurisdictions around the world. If a company can show that it managed data well and that a breach happened despite all safeguards, it may not be penalised, because there is always a finite probability of a breach even with every security provision in place. Twitter, for example, can be hacked despite spending billions of dollars on security and adhering to numerous security protocols. There is always room for improvement, and the industry should be given that flexibility.
  4. Difference from the previous bill: The previous bill was modelled on the EU General Data Protection Regulation (EU GDPR), whereas the present bill draws on Singapore’s Personal Data Protection Act. It is a much shorter text, with only 30 clauses against the 90 or more of the earlier draft. These thirty clauses cover what is needed to enforce the right to privacy and data protection in a holistic way, and the bill is kept short and written in plain language so that it is understandable. The previous bill had lost its essence under the weight of cumbersome amendments. Data portability, which allowed users to obtain their data and move it from one platform to another, has been dropped from the new bill. The earlier draft also covered non-personal data (a concept that is not settled even at the global level), hardware certification and algorithmic accountability. The revised proposal drops all of this and focuses solely on regulating personal data. The “right to be forgotten” is likewise not specifically mentioned in the present bill.
  5. Cross-border data flow: The bill does away with the earlier localisation restrictions on transferring data from one jurisdiction to another. Instead, transfers are permitted only to countries that the central government notifies as acceptable destinations. Since the bill no longer distinguishes sensitive and critical personal data, this applies to all personal data.
  6. Centre’s unchecked power: Leaving a large part of the operative provisions of the legislation to be prescribed by future rules of the central government, and leaving parts of the state outside its reach, is indicative of the administration’s unrestrained authority. For example, clause 19 of the draft provides for the Data Protection Board of India. Under the bill, the regulator, which is to have the powers of a civil court, will be constituted by the central government. Instead, the regulator should operate independently of the state and be capable of enforcing individuals’ basic liberties while safeguarding due process. Moreover, the bill empowers the government to exempt from its application any government instrumentality it considers appropriate. This power plainly contradicts the principles of natural justice.


For the first time, the government has introduced legislation that makes the person providing the data responsible for its accuracy. It is not only the duty of data processors and those holding the data to protect it; it is also the duty of individuals to provide accurate data and not to file frivolous complaints. The Constitution contains a chapter on the duties of citizens, which has so far not been given legislative effect. This bill makes such duties a part of the law.

Clause 30(2) of the bill proposes an amendment to Section 8(1)(j) of the RTI Act. Under the present Act, personal information unrelated to any public activity or interest is exempt from disclosure, unless the Central Public Information Officer is satisfied that a larger public interest justifies it. If the proposed amendment is enacted, personal information will be exempt outright, even where the CPIO would otherwise find disclosure to serve a larger public interest.

A set of rules will accompany the legislation and prescribe the entire process by which it will be implemented; those rules will have to answer many of the questions now being raised. Like many other countries, India has struggled to frame regulations that bind global corporations and multinational entities. The bill rests on nine principles of privacy. In that sense, the whole bill gives effect to principles of privacy that are recognised globally and that our Supreme Court has recognised as binding on everyone who handles data, be it a start-up, a large company, or any other entity in charge of data.


In relation to Indian start-ups and companies, this is a friendly act. It does not suffocate innovation; rather, it provides a platform for innovation to thrive without being crushed by penalties. It strikes a balance between data protection and allowing Indian start-ups to innovate, leaving enough room to use data effectively and build new kinds of data-analysis solutions. Still, there is a need for a data protection officer or authority for each sector, such as health, technology or automobiles, something that can partly be seen under the EU GDPR. A single standard law cannot suit everybody; even where there is one, it needs sector-specific layers.

An enforceability framework also needs to be built into the proposed act to ensure effective and stringent implementation. The envisaged Data Protection Board, tasked with monitoring compliance with the bill, has had its authority curtailed in the current draft: it is now a board established by the central government, whereas the 2019 Bill envisioned the Data Protection Authority as a statutory authority. The codes of procedure and the appellate tribunal included in the 2019 draft have also been omitted. It is the central government, not the Board, that has the authority to designate classes of organisations as significant data fiduciaries, which could become a bottleneck in protecting people’s privacy. These gaps need to be addressed to ensure an efficient enforceability framework.

To conclude, India requires a comprehensive data protection law. But it should be drafted so as to strike a suitable balance between safeguarding individual liberties and the concerns of the administration. Granting the state excessive authority must be resisted if accountability is to be maintained, and the proposed legislation does not do so. When drafting legislation on such important issues, public opinion should be taken into consideration.



Contact Us

Kerwa Dam Road., 
National Law Institute University, Bhopal
Madhya Pradesh, India. 462044​.

write to us at – cbcl@nliu.ac.in