Dec 31, 2022

Digital Personal Data Protection Bill, 2022 Released

Draft legislation titled the Digital Personal Data Protection Bill, 2022 (‘DPDB’) was released on November 18, 2022, by the Ministry of Electronics and Information Technology, inviting comments from stakeholders (which were to be provided by January 2, 2023). The DPDB is significantly different from the previous draft privacy legislation that was pending consideration until August and proposes significant changes to the current data protection regime in India.

The DPDB governs the processing of all digital personal data and, amongst other provisions, provides for ‘Data Fiduciaries’ and ‘Data Principals’. A Data Fiduciary is defined to mean any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data, and a Data Principal will mean the individual to whom the data relates. Some of the key changes that the DPDB contemplates are as follows:

i. DPDB provides for the omission of Section 43A of the Information Technology Act, 2000 (‘IT Act’), which is the provision under which the existing data privacy and protection regime in India, i.e., the Information Technology (Reasonable Security Practices & Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘SPDI Rules’), has been enacted;

ii. DPDB allows for the transfer of personal data outside India by a Data Fiduciary. However, personal data may be transferred only to those countries that are notified by the Central Government and subject to prescribed terms and conditions;

iii. DPDB requires the Data Fiduciary to provide an itemized notice to the Data Principal, containing (i) a description of personal data sought to be collected; and (ii) the purpose of collecting such data. Specific, freely given, informed and unambiguous consent of Data Principals is to be obtained by the Data Fiduciary, prior to collecting their personal data; and

iv. DPDB provides for ‘deemed consent’ of a Data Principal in certain cases. A Data Principal is deemed to have given his/her consent under the DPDB where (i) personal data is provided voluntarily in a situation where they would be reasonably expected to voluntarily provide such data; or where the processing is (ii) necessary for performance of any function under the law; (iii) necessary for compliance with any judgment or order issued under any law; (iv) necessary for providing medical treatment during an epidemic / outbreak of a disease / threat to public health; (v) necessary for public safety and order; or (vi) necessary for employment purposes.

Significant penalties have been included for non-compliance with the provisions of the DPDB and range from ₹10,000 (approx. US$ 120) to ₹250 crores (approx. US$ 30.1 million). As with the previous draft privacy legislation that was introduced by the Indian Government, the DPDB may undergo significant changes pursuant to stakeholder comments and discussions before it is introduced in Parliament for consideration.




