Draft Digital Personal Data Protection Bill 2022


The Information Technology (IT) Act of 2000, governs the use of personal data currently in India. This framework has been found to be insufficient for ensuring the protection of personal data. A Committee of Professionals on Data Protection, headed by Judge B. N. Sri Krishna, was established by the national government in 2017 to look into matters pertaining to data protection in the nation. In July 2018, the Committee turned in its report. 

The requirement for legislation for the security of private information in India was brought on by the country’s constantly shifting legal and regulatory environment as well as the introduction of GDPR. This cleared the way for the 2019 Personal Data Protection “Bill,” which put emphasis on the need for tougher sanctions and greater protections for personal data. The Personal Data Protection Bill, 2019 was presented in Lok Sabha in December 2019 based on the Committee’s recommendations. A Parliamentary Committee was charged with looking at the Bill, and it turned in its findings in December 2021. 

Data Protection Bill

Nevertheless, a joint committee to whom the Bill was initially submitted debated it in great depth and came up with 81 modifications and 12 suggestions in order to produce a strong data protection legislation. After taking into account the joint parliamentary committee’s recommendations, the government made the decision to withdraw the bill on August 3, 2022, and to replace it with a new one that adheres to the recommended complete legal framework.

After considering different issues related to digital personal data and its protection, the (MEITY) Ministry of Electronics and Information Technology created a draft Bill with the name The Digital Personal Data Protection Bill, 2022, which was published on November 18, 2022.

In the digital era, our lives may be progressively summarised by a variety of data points, including what we share on social media, what we order, where we take taxis, what we buy, where we bank, where we have cell service, who we connect with on dating sites, etc. When these facts are combined, a complete profile of the person may be produced. Thus, it is crucial that access to and utilization of our information be controlled in order to guarantee that it is not abused. While holding that informational privacy is a crucial aspect of the right to privacy under the basic right to life, the Supreme Court of India also emphasised the need of the Union Government looking into and implementing a strong data protection framework.


There have been extensive discussions around the Digital Personal Data Protection Bill 2022. To guarantee that more people become aware of the proposal’s problems, it is crucial to keep the dialogue going. A Data Protection Bill was to be submitted before Parliament in the second part of the Budget Session in 2023, the Solicitor General further announced on January 31, 2023, in a statement made just before the Supreme Court of India. As a result, this plan may become a law in the next few months. To guarantee that our community can have a meaningful conversation about the plan, the brief contains new research that was conducted.

Non-personal data is excluded from the purview of the DPDPB, which only intends to control personal data. The Digital Personal Data Protection Bill 2022 introduced the pronouns “she” and “her” to refer to people regardless of gender for the initial time in India.

Among other definitions, the DPDPB includes new terms like Data Principal (the person with whom the personal information relates, which includes the person’s parents or legal guardians if the person is a child) and Data Fiduciary (the person who, alone or jointly with others, defines the intent and implies of the collection and use of personal data).

The DPDPB revision solely addresses automated or digital data; manual data is not covered. The draft bill provisions are also judged to be ambiguous in other areas. For instance, it is possible to misread what is meant by “in the public interest” and to what extent. The centre is given extra authority by the measure.

The issue of cross-border data movement is another, and maybe one of the most significant, improvements made to the bill in this iteration. The Digital Personal Data Protection Bill 2022 permits the unrestricted flow of data across international boundaries. It allows the cross-nation transmission of data that only the central government would notify.

The DPDPB calls for the establishment of the “Data Protection Board,” a regulating agency. According to this Data Protection Bill, the Board’s main duty is to ascertain if this Act’s provisions have been broken and to impose penalties in accordance with their terms. The law further stipulates that subsequent regulations would be made regarding the composition, strength, incidental qualifications, selection method, periods of appointment, and dismissal of the chairman and other members. The Digital Personal Data Protection Bill 2022 further stipulates that the Central Government would designate the Chief Executive of the Board, and that the Chief Executive’s terms and conditions of employment would be as the Government may choose.


To conclude, in contrast to the old Personal Data Protection Bill 2019, which was criticised by companies and start-ups for just being compliance-intensive, the new version of the bill is an effort by the government to create a streamlined, yet understandable law on data protection. Even though the current draught appears to have addressed issues with localization, a consent-heavy structure, and increased compliance obligations, among others, certain provisions, such as those that offer exemptions to the state’s processing of personal data, insufficient explanation in operational details, and fewer safeguards for data principals, are among the main concerns raised by experts.

Checkout Other Whitepapers

In an age defined by technological leaps, the convergence of Generative AI and Data Privacy emerges as a pivotal crossroads.As Generative AI …

This paper is an in-depth analysis of the newly introduced Digital Personal Data Protection Act 2023. The Act is a simple and …

The European Commission introduced a proposal in April 2021 to regulate artificial intelligence (AI) in a 108-page document, aiming to establish a …

As defined by the EU Council, the NIS 2 directive “will set the baseline for cybersecurity risk management measures and reporting obligations …