Critical Analysis of Digital Personal Data Protection Bill, 2022

critical analysis of digital personal data protection bill, 2022
critical analysis of digital personal data protection bill, 2022

Status as on- 12/01/2023

On November 18, 2022, the Ministry of Electronics and Information Technology released the proposed Digital Personal Data Protection Bill, 2022 (“Proposed Law”) for public comments.

Since 2018, the Indian government has been working to enact a comprehensive data protection law. The Proposed Law has gone through three revisions before this one. The Proposed Law’s current draft represents a substantial improvement over its earlier versions and is more open-ended, leaving more to be prescribed by the Central Government. Different dataset categories are eliminated (like critical or sensitive data). The Data Protection Board of India (“Board”) is proposed to be the adjudicatory body for the enforcement of the Proposed Law.

The Proposed Law covers the processing of digital personal data in India, including

  • online data collection from data principals and
  • offline data collection that is later converted to digital form.

Although the word “and” is used between (i) and (ii) in the proposed law, the intention seems to be to make these criteria “or” so that the proposed law is applicable in either circumstance.

The proposed law is also intended to have extraterritorial application, which means that it applies when personal data is processed outside of India in conjunction with any activity of creating customer profiles for or offering products or services to data principals based in Indian territory. When this criterion is met, the proposed law will therefore apply to overseas businesses as we satisfy the conditions.

“Data Fiduciary” is defined as any person who alone or in conjunction with other persons determines the purpose and means of the processing of personal data and “Data Principal” mean the individual to whom the personal data relates and to whom such individual is a child includes the parents or lawful guardian of such a child.

According to the Proposed Law, the data fiduciary must seek the data principal’s consent before processing personal data and give detailed notice of the data sets being sought to be gathered and their intended uses. The notice’s language should be simple and straightforward. The consent should be free, specific, informed, and unambiguous.

The Proposed Law introduces the concept of ‘deemed consent’ where the data principal is deemed to have given consent for processing their personal data in certain circumstances.

With regard to their personal data, the data principals are able to exercise certain rights. The Proposed Law lists the rights but doesn’t specify how to exercise them.

Under the Proposed Law, data processors who handle personal data on behalf of other organizations are subject to the following independent statutory obligations:

  • Protect personal data that is in their possession or under their control by putting reasonable security measures in place to prevent personal data breaches.
  • Notify the Board and each impacted data principal in the case of a personal data breach.
  • Undertake sub-contracting of processing activities if permitted under the contract with the data fiduciary.


In contrast to the preceding PDP Bill, which businesses and start-ups criticized for being compliance-intensive, the DPDP Bill is an effort by the government to create a straightforward and understandable law on data protection in the nation. However, the DPDP Bill fails to adequately clarify a number of sections in an effort to condense the earlier text. In the DPDP Bill, for example, the concept of “deemed consent” has been introduced in broad, ambiguous terms, allowing the processing of personal data without the individual’s consent based on a number of diverse factors, including, inter alia, the maintenance of public order, purposes related to employment and in the public interest, including credit scoring, the recovery of debt, for any fair and reasonable purposes, including the reasonable expectations of the data principal.

Disclaimer – Please note that the above articles is based on the interpretation of related laws and judicial pronouncement which may differ from person to person. The reader are expected to take the expert opinion on the matter.

Leave a Reply

Your email address will not be published. Required fields are marked *