The draft Digital Personal Data Protection Bill 2022, issued on Friday, appears to be a simplified version of the PDP Bill 2019, but is significantly diluted in many parts, and gives the government the ultimate power of decision-making, said experts.

“In the journey from 2017 to 2022, instead of a strong personal data protection law being implemented, we have on the table a weak- and ill-crafted draft that lacks focus. India had a minimalist data protection law under Section 43A IT Act, but with some support from a more robust Sensitive Personal Data Rules. All of the data principles built into the rules stand diluted in this draft,” NS Nappinai, Supreme Court Advocate and Founder, Cyber Saathi, told businessline.

Despite the meandering ways and delays, one has to hope that this would not be a draft that will see its way into Parliament, she said.

“The exemptions read with deemed consent provisions in effect take away any protection that Indians have even as on date, and substantially give the government a free pass,” she added.

Rupinder Malik, Partner, JSA (leading national law firm in India), said the 2022 DPDP Bill has simplified the proposed data protection regime and done away with some contentious clauses, which caused industry pushback in earlier versions.

“Particularly, data mirroring, data localisation requirements, and overall compliances appear to be limited compared to the previous Bill. The legislative intent appears to be tech and IT business friendly, focussed on facilitating cross-border data flows,” she said.

Another expert pointed out that while the government maintained that it wanted to draft the Bill in simple language so that people could understand it and also keep it short, it had to make sure that the Bill was comprehensive enough to protect the interests of citizens, which is not the case right now.

“The Bill itself is a significant degradation of the previous versions that we had. The last Bill which was put out had 90 clauses, which has now been brought down to 30 odd clauses now. There are basic principles that a data protection law should have, which are missing in this Bill,” said Amber Sinha, Senior Fellow at Mozilla Foundation and earlier with the Centre for Internet and Society.

Mishi Choudhary, Senior Technology Lawyer, also said that the Bill doesn’t meet the expectations of people protection, but ensures that government retains its power as it makes laws about individuals and businesses.

“The brevity and examples provided are a welcome change but cleverly leaves all details to be legislated by the Executive through Rules. Rules that we have seen as in the IT Act are exploited to pass broad provisions making the Executive all powerful,” she said.

The proposed Bill comes in place of the Data Protection Bill, which was withdrawn by the government in August this year. The draft released on Friday also proposes to set up a Data Protection Board of India (instead of Authority), which will carry on functions as per the provisions of the Bill.

“An important change relates to the substitution of earlier suggested Data Protection Authority of India with Data Protection Board of India. The functions, and most importantly composition of the Board are to be determined by the government through delegated legislation. This may face constitutional challenge as it is arguably a case of excessive delegation,” Abhishek Tripathi, Managing Partner, Sarthak Advocates & Solicitors, said.