wordpress blog stats
Connect with us

Hi, what are you looking for?

Twelve major concerns with India’s Data Protection Bill, 2022

The simplified 24-page data protection Bill has already received a barrage of criticism for diluting many of the previous provisions

India on November 18 released the Digital Personal Data Protection Bill, 2022 [PDF, summary, guide], the fourth iteration of its draft data protection law. The simplified 24-page Bill has already received a barrage of criticism for removing or diluting many of the previously proposed provisions that provided better safeguards to privacy and introducing new ones that will do more harm.


Advertisement. Scroll to continue reading.

FREE READ of the day by MediaNama: Click here to sign-up for our free-read of the day newsletter delivered daily before 9 AM in your inbox.

What are the key issues with the Bill?

1. The “as may be prescribed” Bill: Many provisions in the Bill have a clause saying “as may be prescribed” or its equivalence. Privacy activists have criticised this because this essentially gives the central government the power to issue Rules and directions later on to clarify these provisions. “For the 30 clauses, we have noticed the phrase, ‘as may be prescribed’ mentioned 18 times, often without any legislative guidance. This creates vague, unguided power for the Union Government to frame rules,” the Internet Freedom Foundation (IFF) noted.

2. Issues around deemed consent: The Bill introduces “deemed consent” as grounds for processing personal data in addition to explicit consent. Deemed consent has been criticised because the criteria for what constitutes deemed consent is broad and vague, allowing the processing of personal data without consent for a variety of reasons.

Advertisement. Scroll to continue reading.



Advertisement. Scroll to continue reading.

3. A weak Data Protection Board: The 2022 Bill replaces the Data Protection Authority with a body called the Data Protection Board of India, which will be appointed by the central government. The rules the Board and its members must follow will largely be dictated by the central government, thus leading to questions about its independence and effectiveness.

“There is a considerable dilution of the regulatory body, now a proposed Data Protection Board. It lacks autonomy and independence, and will be created and appointed on conditions, ‘as may be prescribed’. Can such a board reasonably enforce compliance from public authorities?” – IFF

4. Government and law enforcement can exempt themselves even more easily than before: 

  • Like previous versions, the 2022 Bill also allows the government to exempt any of its entities from certain or all provisions of the Bill on grounds such as national security, public order, etc.
  • The Bill also does away with the 2021 provisions which require the government to have a “just, fair, reasonable and proportionate” procedure before allowing exemption and the 2018 provision which required exemption to be “authorised by law.”
  • Additionally, the government is allowed to retain personal data for an unlimited amount of time.
  • Furthermore, there is an automatic exemption for processing of personal data for the prevention, investigation, etc, of crime, without the need for the government to issue any notification.

“The bill does not consider the harm that could be caused to a data principal by surveillance.” — Prasanth Sugathan, Legal Director, SFLC.IN

5. Companies don’t have to inform users much about what they do with personal data: 

  • The notice to be shown to users is only required to state what personal data will be collected and for what purpose, unlike previous Bills, which required companies to state how long they will store data and of if they will share it with third parties.
  • Additionally, notice is only required to be shown to users when obtaining consent, not deemed consent.
  • Fiduciaries are also not required to publish privacy policies on their site as required by previous Bills.

6. Why are there penalties on users: The 2022 Bill allows the Data Protection Board to levy a penalty of up to ₹10,000 if a user fails to perform their duties as listed in the Bill. “It defies reason how penalties are being now placed on users […] This is disturbingly similar to the penalties proposed under the Telecom Bill for supplying for incorrect information by subscribers,” IFF noted.

7. Which countries can personal data be transferred to: The Bill does away with the restrictions on the transfer of sensitive and critical personal data, and even such categorisations. Instead, all personal data can be transferred outside to countries or territories approved by the government. But what countries will be approved and based on what factors remains unclear.

Advertisement. Scroll to continue reading.

8. Government can exempt a class of fiduciaries, but who: One of the provisions allows the government to notify a class of data fiduciaries, based on the volume and nature of personal data they process, that will be exempted from certain provisions of the Bill. While this appears to be a provision that can be used to classify small data fiduciaries and exempt them from onerous obligations, there is nothing in the Bill to ensure that. “Clause 18(3) creates arbitrary power for Government to exempt data fiduciaries (not only small entities). How? Who? Why? Silence,” IFF tweeted.

9. No safeguards for sensitive and critical personal data: The earlier Bill had sensitive and critical personal data as subsets of personal data that were subject to more safeguards. This Bill does away with such classifications. “This could be a problem as the harm that could be posed by breach of sensitive personal data is much higher,” Prasanth Sugathan, Legal Director, SFLC.IN remarked.

10. Core principles listed in the explanatory note have not been reflected in the actual Bill: The explanatory note released by the IT Ministry claims that the DPDP Bill, 2022 is based on principles of purpose limitation, data minimisation, storage limitation, etc; but these principles are not really reflected in the actual Bill. “The explanatory note gives a detailed list of principles that the bill has tried to incorporate. However, this is not legally binding,” Sugathan points out.

11. Violations of “voluntary agreements” merely attract fines: The Bill allows the Data Protection Board to accept voluntary undertakings from entities that are being investigated for misconduct. However, a violation of the undertaking merely attracts a fine, which is being criticised as pointless.

Advertisement. Scroll to continue reading.

12. Age of consent still at 18: When processing personal data of users under the age of 18, data fiduciaries are required to obtain “verifiable” consent from the parents. The 18-year-old threshold has been criticised for being too high, and not in line with international standards. Numerous stakeholders have raised concerns about how this threshold can be detrimental to children, rather than protecting them. You can read more about these concerns here, here, here, and here.

Note (1 December, 2:25 PM): Updated to correct that Rules may be formed only by centre not the Board.

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

Also Read

Advertisement. Scroll to continue reading.
Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Factors like Indus not charging developers any commission for in-app payments and antitrust orders issued by India's competition regulator against Google could contribute to...


Is open-sourcing of AI, and the use cases that come with it, a good starting point to discuss the responsibility and liability of AI?...


RBI Deputy Governor Rabi Shankar called for self-regulation in the fintech sector, but here's why we disagree with his stance.


Both the IT Minister and the IT Minister of State have chosen to avoid the actual concerns raised, and have instead defended against lesser...


The Central Board of Film Certification found power outside the Cinematograph Act and came to be known as the Censor Board. Are OTT self-regulating...

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ