The Ministry of Electronics and Information Technology (MeitY) on November 18 released the much-awaited Digital Personal Data Protection (DPDP) Bill, 2022 [PDF copy], the fourth iteration of India’s draft data protection law.
A data protection law has been in the works since 2017, when the Supreme Court, in the landmark Puttaswamy judgement, ruled that privacy is a fundamental right of Indian citizens, putting the government under the obligation to pass legislation to protect this right.
MeitY has invited feedback from the public on the draft Bill by December 17, 2022 (Updated: Deadline extended to January 2, 2023). The feedback may be submitted on the MyGov website. Notably, MeitY has informed that “no public disclosure of the submissions will be made.”
We will be updating this post with a guide to our coverage of the Bill—summaries, comparisons to previous iterations of the Bill, analysis, opinions, stakeholders’ feedback, etc. You can also find our complete coverage of the Bill under the tag Digital Personal Data Protection Bill 2022.
Guide to the Digital Personal Data Protection Bill, 2022
Last updated on December 29, 2022
- The Bills and Guides:
- Summary of the 2022 Bill [read]
- Section-wise summaries and comparisons with previous iterations:
- Government access to data and grounds for exemption [read]
- Transferring personal data outside of India [read]
- Non-personal data (NPD) [read]
- Processing of children’s data [read]
- Rights and duties of individuals [read]
- Obligations of data fiduciaries [part 1: read] [part 2: read]
- Data Protection Board of India [read]
- Data breaches [read]
- Twelve Major Concerns With the 2022 Bill [read]
- What India’s IT Minister Has To Say About The Concerns Around The Bill [read]
- MediaNama Briefing: First Impressions of the DPDP Bill 2022 [watch video]
- Deep Dives
- How The Data Protection Bill Enables Govt Surveillance And Misuse Of Personal Data [read]
- A Small Amendment May Impact Indians’ Rights To Information And Accountability [read]
- Experts Say Withholding Public Feedback Is Problematic, Call For Improved Consultations [read]
- Seven Issues With How The Data Protection Bill Safeguards Children’s Data [read]
- Stakeholders’ initial impressions of the Bill:
- MediaNama Event: Reworking the Data Protection Bill (Delhi)
- How Will The Data Protection Bill Approach Personal Data Transfers Outside Of India? #NAMA [read]
- Data Protection Bill 2022 Focuses On Enabling Govt Access To Data And Surveillance, Not Citizens’ Privacy #NAMA [read]
- What Are The Shortcomings In India’s Data Protection Board In The New Draft Bill? #NAMA [read]
- What Are The Consequences Of ‘Deemed Consent’ Provision In The Data Protection Bill? #NAMA [read]
- How Will The Data Protection Bill Approach Personal Data Transfers Outside Of India? #NAMA [read]
- How The Data Protection Bill Restricts Children’s Access To The Internet #NAMA [read]
- MediaNama Event: Reworking the Data Protection Bill (Bangalore)
- Data Protection Bill’s Deemed Consent Provision “Turns Exceptions Into The Norm” #NAMA [read]
- “Someone Doesn’t Care Enough To Give Us A Proper Data Protection Bill”: Alok Prasanna Kumar Of Vidhi Centre [read]
- Does Withdrawal Of Consent Trump Deemed Consent Or Vice Versa? #NAMA [read]
- Data Protection Bill Legitimises Surveillance, Govt Has No Intent Of Reforms: Stakeholders #NAMA [read]
- Views:
- How Does The New Data Protection Bill Affect Platform Gig Workers? [read]
- Protecting Personal Data: Where Grievance Redressal Falls Short [read]
- What’s Missing From The Consent Manager Framework In The Data Protection Bill, 2022 [read]
- DPDP Bill 2022: ‘Deemed’ Consent, To Users’ Detriment [read]
- Data Privacy Regime In India: Its Genesis And Evolution [read]
What to look out for?
- Whether children below 18 (including teenagers) will need parental consent (and age verification) to use any app or site?
- Whether startups will have to store data of Indian citizens in India only, and if so what kind of personal data must be localised?
- Whether someone (another startup/government agency/a non-profit) can force your company to give anonymised data or analytics to them?
- Whether you can ask a company to give you access to all the data they have on you, and ask them to delete it? Or maybe even check if a political party has any data on you, and as them to delete it.
- Whether the government can ask any tech company to give them data about you, and under what conditions?
- Whether you can hold a company accountable if your data with them has been breached, and whether they need to inform you about it?
- Who is appointed to the Data Protection Authority and what rules and regulations they can make regarding different sectors, and how?
Timeline of key events
- July 2018: After a year of consultations and deliberations, the PDP Bill, 2018, drafted by an expert committee headed by Justice BN Srikrishna, is presented to MeitY. Subsequently, MeitY begins drafting the next iteration of the Bill.
- December 2019: The PDP Bill, 2019, prepared by MeitY, is referred to a Joint Parliamentary Committee (JPC) for review and BJP MP Meenakshi Lekhi is appointed chairperson.
- December 2021: After multiple extensions, and a leadership change, JPC Chairperson PP Chaudhary tabled the report of the JPC on the PDP Bill, 2019, as well as the draft Data Protection Bill 2021, in the parliament.
- August 2022: On August 3 this year, MeitY withdrew the Data Protection Bill 2021 from the parliament, stating that a more “comprehensive legal framework” will be presented soon.
Note: This post will be regularly updated with our coverage of the Bill. The headline was changed on 18 November (5:40 pm) to reflect that this post will be a guide.
