wordpress blog stats
Connect with us

Hi, what are you looking for?

DPDP Bill 2022: A Balance of opportunities and data protection objectives

New bill narrows focus over predecessors that went heavy on data sovereignty, localisation and compliance. What explains this change?

By Rahul Sharma

The Supreme Court’s 2017 Puttaswamy judgment recommended the prompt enactment of a robust Data Protection (DP) law to the government.  Every passing day without enforceable DP regulation and non-intervention by government and regulators catalyses data loot, unaccounted data breaches and processing abuse which  normalizes harm. Recently introduced Digital Personal Data Protection (DPDP) Bill, 2022 has narrowed focus and deviates from its predecessors that went heavy on data sovereignty, localisation and compliance. What explains this change in trajectory from playing hardball to the mantra of keeping it ‘simple’?

FREE READ of the day by MediaNama: Click here to sign-up for our free-read of the day newsletter delivered daily before 9 AM in your inbox.


The world post Covid & Russia-Ukraine armed conflict has accelerated trends set in motion following the global financial crisis. Big power contestation is creating a gulf in global governance where anything can be weaponised. Macroeconomic headwinds, inflation, food security, energy crisis, supply chain resilience, looming recession and job cuts are dominating the global political discourse. These shifts & turmoils are driving newer frameworks, engagements and partnerships. 

India senses an opportunity to gain more ground in this window of change. It eyes itself as a natural leader of the global south. It’s exhibiting a willingness to shoulder greater responsibility as a force for good. India is now batting for more integration with the world while simultaneously pursuing the goal of Aatmanirbharta. It’s on an FTA signing spree with UAE, UK, Australia, Gulf etc. 

After having missed making  most out of the earlier tech revolutions, Cyber, Tech, & Data are seen as the biggest growth frontiers that’ll help India transition from a developing economy to a developed one. Market dynamics and techno-protocol solutions (like UPI, CoWIN, Aadhaar, ONDC) are serving as the foundation for future digital blocks. A revamped regulatory architecture with DPDP, Digital India Act, Data Governance framework, Telecommunications Act & sectoral protocols will serve short-medium term. India now has the G20 Presidency where it intends to showcase its digital transformation journey.  It also assumed the Council Chair of Global Partnership on AI. But proposing progressive frameworks or entering into FTAs & multilateral arrangements with digital trade components predicate on having a functioning regulatory regime at home. 

Advertisement. Scroll to continue reading.

There’s a movement amongst the democracies of the world to find alignment on areas of common concerns including tech and data regulations, social media, crypto, ransomware, telecom standards, etc. There are more frank exchanges and feedback to identify areas of convergence and make frameworks interoperable. The West has expressed concerns on data localisation & heavy-handed compliance potentially impacting their firms serving in the Indian market. Similar concerns were echoed by few Indian firms and industry associations. 

With subsequent drafts, there is a conscious effort to diverge from EU style data protection approach and structuring of regulations. MeitY Minister Rajeev Chandrashekhar highlighted that an “absolutist” approach of the GDPR won’t suit India given the momentum in start-ups & innovation ecosystem. Even within Europe, there are calls to drift away from more conservative data protection regulatory approaches to one that enables more value creation through use of data & facilitates the data ecosystem.

That’s the opportunity part dictating the draft. But how does it fare on data protection? Does the draft increase transparency and trust? Does the bill advance the design of privacy cognisant processes, systems and algorithms? 

What Improved?

  • The draft remarkably reduced the complexities while retaining the fundamentals. Easy-to-understand language sans legal verbiage is a welcome change. It’ll result in less legal work & paperwork to demonstrate compliance.
  • It improves grievance redressal for data principals. The proposed Data Protection Board is set to be digital by design for ease. The draft incorporates alternative dispute resolution and dynamic concepts like voluntary undertaking.
  • Deemed consent seems a practical substitute for select use cases. But more guardrails need to be erected for employer processing, measures during breakdown of public order & health emergencies and in ‘public interest’ scenarios like recovery of debt. There are instances of loan apps lifting phone contacts & gallery and harassing individuals resulting in suicides.
  • Removal of criminal provisions that had both businesses and government officials worried.
  • Linguistic diversity for convenience of Digital Nagriks finds more push. Sadly, the draft is released only in the English language. 

What doesn’t cut any ice?

  • The draft further skews the power balance with wider exemptions to government processing activities. JCP inserted ‘Just, fair, reasonable & proportionate’ procedure for exemption on case-to-case basis but draft provisions blanket exemption for certain fiduciaries including exempting data retention requirements.
  • Right to data portability, Right to be forgotten, Right to object to unfair-unethical automated processing do not find any mention. With Sec 43A of the IT (Amendment) Act, 2008 gone, Right to obtain fair compensation is denied to data principals.   
  • Enforcement post enactment is targeted for 5-6 months as per MeitY’s Union Minister Ashwini Vaishnaw. Taking example of Sec 17, data flows—Unless India notifies countries basis assessment for transfers, all existing transfers by data fiduciaries will become non-compliant.  Alternative transfer instruments like model contracts or certifications aren’t provisioned. It also removed safeguards proposed by JCP for data to not be shared with foreign governments or agencies without approval of the central government. EAM Dr. S Jaishankar recently said, “Where our data resides and who harvests it matters increasingly in era of artificial intelligence”.
  • The draft doesn’t categorize sensitive personal data but it’s a criteria to notify significant data fiduciaries, decide penalties and to exempt fiduciaries.
  • The attempt to make the bill modular with “as may be prescribed” repeated throughout the bill seems languid.


  • Enforcement action for the private and public sector needs separate treatment. Exorbitant fines might act as deterrence against companies but would the ‘money go round’ in the form of government fines work? Either way, the focus should be on taking corrective actions &  highlighting outcomes and learnings to improve culture, not filling government coffers.
  • Promoting India as a trusted destination: Broad exemptions to government processing is possibly incompatible with becoming a data powerhouse as scepticism about government access grows. The draft should establish standards for Trusted Data Processors that should apply even when processing foreign national data.

The draft doesn’t reflect a decade-long discourse to formulate an appropriate data protection regime that matches India’s needs and aspirations. The equilibrium can still be achieved, but at a higher threshold. 

Rahul Sharma is Founder, The Perspective & Director, Grade Ace. Views are personal.

Twitter: @wisdom_stoic

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

Also Read:

Advertisement. Scroll to continue reading.
Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Factors like Indus not charging developers any commission for in-app payments and antitrust orders issued by India's competition regulator against Google could contribute to...


Is open-sourcing of AI, and the use cases that come with it, a good starting point to discuss the responsibility and liability of AI?...


RBI Deputy Governor Rabi Shankar called for self-regulation in the fintech sector, but here's why we disagree with his stance.


Both the IT Minister and the IT Minister of State have chosen to avoid the actual concerns raised, and have instead defended against lesser...


The Central Board of Film Certification found power outside the Cinematograph Act and came to be known as the Censor Board. Are OTT self-regulating...

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ