wordpress blog stats
Connect with us

Hi, what are you looking for?

CCG comments on the DPDP Bill 2022: 5 points to note

CCG’s recommendations cover deemed consent, graded consent for children, obligations of companies, DPBI‘s independence, etc.


  • Take a graded approach for parental consent while keeping children’s best interests in mind.
  • Clarify the rationale for allowing data processing through deemed consent.
  • Allow for notice to be a mandatory obligation for all data processing under deemed consent barring where it would be “absolutely impossible.”
  • Any processing of personal data based on deemed consent should follow the test of necessity and proportionality.
  • The entire provision on duties, i.e. Clause 16, should be deleted.
  • Bring back data portability and the right against direct marketing.
  • Create a Selection Committee to ensure the independence of the DPBI.

For better or worse, the public reaction to the revised Digital Personal Data Protection (DPDP) Bill 2022 has been lukewarm at best. Thankfully, entities heartily invested in ensuring people’s right to privacy continue to analyse, criticise and advise improvements to such Bills. After IFF and SFLC, MediaNama now looks at the National Law University’s Centre For Communication Governance’s (CCG) comments on and suggestions for the DPDP Bill.

A few tweaks to fix the obligations of companies

Bring back core privacy principles: Another suggestion was to incorporate other universally recognised data protection principles like the core privacy principles developed by the Organisation for Economic Co-operation and Development (OECD). This means the inclusion of purpose limitation, storage limitation, and accountability within the general obligations of all data fiduciaries.

“The addition of these principles would ensure fair and lawful data processing after consent is provided,” said the report.

CCG also suggested that the provisions for Data Fiduciaries to have appropriate technical and organisational measures be made “privacy friendly”, incorporating privacy by design and default policy requirements along with procedural guidelines.

Advertisement. Scroll to continue reading.

Bring back additional details in notice: Clause 6 of the DPDP Bill significantly dilutes provisions for the Notice meant to be sent to a Data Principal. CCG recommended the notice should specify additional details for the user “based on data retention, updated notifications, [and] information regarding sharing of personal data with any third party.” They suggested that a specific notice on top of the general notice should be given to the Data Principals to ensure their ‘informed’ consent.

And speaking of consent…

Clearly define parameters for Consent: As per experts, consent under Clause 7 should be clearly defined as articulated in previous iterations of the Bill. The report said, “Reliance solely on consent to allow data processing could be insufficient due to information asymmetry in favour of the data fiduciary. “

Deemed consent should be based on specific safeguards: The provisions on grounds for deemed consent should specify how it will function in practice. For example, which obligations of the Data Fiduciary apply in deemed consent situations and how? The previous versions of the Bill had provisions that said the obligation of notice would be exempt from non-consensual data processing.

FREE READ of the day by MediaNama: Click here to sign-up for our free-read of the day newsletter delivered daily before 9 AM in your inbox.

Think of the children, not for the children

Advertisement. Scroll to continue reading.

Best interests first: CCG pointed out that the principle ensuring any processing of children’s data is done in the best interests of the child has been mandated by the United Nations Convention on Child Rights. Despite India adopting this convention, the principle is missing from the Bill. As such, any decisions regarding children should be bound by it. Further, the Bill should provide for instances where data fiduciaries can allow self-verification of the child’s age for services that have no risk of harm.

Graded approach to parental consent: CCG recommended a graded approach to parental consent that is needed for a child to access internet services. Such an approach will call for parental consent depending on the potential risk associated with the services and allow children to exercise agency and autonomy while ensuring their protection.

“The objective of the law should be to balance the right of the child to access the internet with their data protection interests. So, we recommend that the mechanism for verifying parental consent should ensure that it follows the principles of collection limitation and purpose limitation,” said CCG.

Strengthen user rights

User duties dilute user rights: User duties mentioned in Clause 16 place the onus on the Data Principal to provide correct information to the Data Fiduciary. CCG suggested doing away with these duties since imposing penalties on users for not abiding by these duties “disincentivises Data Principals” from seeking redressal or invoking their rights.

Wider application of Data Principal’s rights: CCG advised the Bill should ensure that the right to erasure includes seeking discontinuation of processing of data by withdrawing consent for its collection, use or disclosure.

Advertisement. Scroll to continue reading.

“This should be based on certain safeguards whereby an independent authority established under the Bill would balance the implementation of this right with the right to freedom of speech and expression and the right to information,” said CCG.

Further, it suggested that the DPDP Bill bring back data portability and the right against direct marketing to ensure a Data Principal’s autonomy over their personal data.

Ensure the independence of the DPBI

The DPDP Bill replaces the Data Protection Board of India (DPBI) with the Data Protection Authority from the older versions. However, unlike previous versions, the DPBI is no longer a regulator and has not been designed as a quasi-judicial body which could have significant implications for safeguarding user rights, said the CCG. As such, it suggested that a Selection Committee with adequate judicial representation appoint members to ensure the independence of the DPBI.

“The DPBI is envisaged to be digital by design, whereby most functions will be carried out digitally… the ‘digital by design’ framework must be optional and not mandatory, so as to account for the digital access gap,” said the report.

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

Advertisement. Scroll to continue reading.

Also Read:

Written By

I'm interested in the shaping and strengthening of rights in the digital space. I cover cybersecurity, platform regulation, gig worker economy. In my free time, I'm either binge-watching an anime or off on a hike.

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Amazon announced that it will integrate its logistics network and SmartCommerce services with the Open Network for Digital Commerce (ONDC).


India's smartphone operating system BharOS has received much buzz in the media lately, but does it really merit this attention?


After using the Mapples app as his default navigation app for a week, Sarvesh draws a comparison between Google Maps and Mapples


In the case of the ‘deemed consent' provision in the draft data protection law, brevity comes at the cost of clarity and user protection


The regulatory ambivalence around an instrument so essential to facilitate data exchange – the CM framework – is disconcerting for several reasons.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ