The Ministry of Electronics and Information Technology (MeitY) has released the long-awaited draft of a data protection legislation titled Digital Personal Data Protection Bill, 2022, for public consultation.
Notably, this draft legislation comes nearly three years after the Personal Data Protection Bill (PDP Bill) was introduced by the central government in Parliament in December 2019. Subsequently, the PDP Bill was referred to the Joint Parliamentary Committee, which tabled its report, including a revised version of the bill titled Data Protection Bill, before Parliament in 2021. Thereafter, in August 2022, MeitY withdrew the PDP Bill, saying “a comprehensive legal framework is being worked upon”.
The introduction of the draft Digital Personal Data Protection Bill, 2022, for public consultation (until December 17, 2022) assumes importance for several reasons. First, it gives a fillip to the ‘Digital India’ initiatives of the government and its intent to bring in a “techade and digital revolution” in the country and to ensure an “open, safe, and trusted and accountable internet”.
Second, it proposes a defined legal structure and principles for the regulation of personal data and provides much-needed clarity to businesses on how personal data collected within India should be protected and handled.
The draft bill is a simpler, clearer version of previous iterations.
Provisions related to data localisation and cross-border transfers have been simplified to promote ease of doing business. There is no mandate to store categories of personal data locally. Transfer of personal data has been permitted to certain “countries or territories”, as notified by the government.
The bill has also done away with different categories of personal data, and the provisions will be applicable to any ‘digital’ personal data. Further, there is no criminal penalty for non-compliance, only monetary penalties ranging from ₹10,000 to ₹250 crore.
That said, the bill grants the government vast discretionary powers to prescribe rules for the enforcement and implementation of the draft data protection law. These powers extend to the conditions under which cross-border transfers can occur, and to the structure, composition and functioning of the Data Protection Board of India, an “independent body” to replace the Data Protection Authority envisaged under previous legislation.
Further, the government has been empowered to exempt the processing of personal data by certain data fiduciaries or classes of data fiduciaries from provisions relating to consent, notice, obligations of data fiduciaries, rights of data principals, and so on. It may also exempt processing by “any instrumentality of the state”, which can have a wide connotation, from compliance with this law, where necessary or expedient in the interest of sovereignty and integrity of India, security of the state, and so on. For example, there are no restrictions on the duration for which “the state and any instrumentality of the state” can retain personal data.
Overall, this is a step forward in crafting a comprehensive data protection framework that respects the rights of the digital citizen.
(The authors are with the law firm Shardul Amarchand Mangaldas & Co)