The Draft Digital Personal Data Protection Bill, 2022 comes on the heels of the Personal Data Protection Bill, 2019 being withdrawn from Parliament. The draft Bill is a culmination of several rounds of discussions with and within the Ministry of Electronics and Information Technology.
The current version has been released for stakeholder feedback nearly three years after the 2019 Bill was introduced in Parliament and sent for deliberation by a Joint Parliamentary Committee (JPC). The draft Bill was preceded by a report of the JPC, which contained a revised version of the 2019 Bill, and other recommendations by the JPC.
In keeping with the government’s efforts to maximise its Digital India campaign, the introduction of the draft Bill is crucial for several reasons. First, it is a major step forward in establishing a comprehensive legal framework governing the processing and protection of personal data in India, with the Information Technology Act, 2000 viewed as being inadequate to deal with India’s emerging digital landscape and economy.
Second, this draft Bill will constitute the formal framework under which the right to privacy will be given effect, as it seeks to empower the digital citizen by providing their statutory rights over the manner in which their personal data is processed. In interactions with the media preceding the release of the draft Bill, the government had made it clear that any data protection framework will focus on the rights of the digital citizen, while creating an enabling environment for India’s booming data economy.
The focus will now be on the government and the consultation process it undertakes till December 17, the period till which feedback can be provided on the draft Bill.
At the outset, the draft Bill is a simpler and more easily understandable version in comparison to its predecessors — not only in terms of language, but also in terms of the obligations it sets to impose, and the structure it seeks to put in place.
Here are some of the key takeaways:
In keeping with previous versions, the draft Bill too reserves broad discretionary powers for the government. Specifics of several provisions also remain to be clarified through delegated legislation (including the form and manner of notifying personal data breaches, manner of obtaining parental consent for processing children’s personal data, composition of the Data Protection Board of India, etc.) — in other words, the government is empowered to prescribe rules with respect to the operational aspects of the enforcement and implementation of the draft Bill.
The government also has the power to exempt certain entities from compliance with the provisions of the draft Bill, including “any instrumentality of the state”. It is, therefore, possible that State agencies’ processing of personal data will not be subject to the same standards as data processing by industry.
Given the draft Bill is open for feedback, it remains to be seen how netizens, industry, and civil society will react to the new provisions. Even as we await the final form this framework will take and the ensuing impact, many will agree that the introduction of the draft Bill brings us one step closer to having a dedicated data protection framework, and laying to rest many years of debates and discussions regarding the form and structure such a framework will take.
This article was originally published in Money Control on 23 November 2022 Co-written by: Shahana Chatterji, Partner; Namrata Ramachandran, Senior Associate. Click here for original article
Contributed by: Shahana Chatterji, Partner; Namrata Ramachandran, Senior Associate
This is intended for general information purposes only. The views and opinions expressed in this article are those of the author/authors and does not necessarily reflect the views of the firm.
The Bar Council of India does not permit solicitation of work and advertising by legal practitioners and advocates. By accessing the Shardul Amarchand Mangaldas & Co. website (our website), the user acknowledges that: