Persisting issues: On the new data protection bill

Further tightening up of protections is an imperative in the draft data protection bill

Updated - November 23, 2022 11:07 am IST

Published - November 23, 2022 12:20 am IST

A new draft of the much-awaited data protection Bill, the Digital Personal Data Protection Bill (DPDP Bill) 2022, is now open for public comments. The Government had previously withdrawn an earlier draft by averring that it would come up with a “comprehensive legal framework” on data privacy and Internet regulation, and this draft seems to be a standalone attempt at bettering its previous iterations. There are only 30 clauses, for simplicity, but resulting in aspects of privacy protections remaining under-clarified. A case in point is how clauses define the need for consent from data principals for data fiduciaries to process their personal data. Now, a notice is to be provided for the consent of the data principal, and the withdrawal of consent should allow for fiduciaries to remove any such data stored or is to be shared with others. The new draft, unlike the 2018 version, does not refer to key data protection principles such as collection limitation — obligations on the data fiduciaries to collect only such personal data that is required for the purpose of processing. It also does not include obligations on data fiduciaries to inform principals about data sharing recipients, duration of storage, etc. Thus, the comprehensive protection to data principals in the form of the information provided on their personal data and processing by data fiduciaries, is now missing. It does, however, include a crucial clause on fiduciaries notifying principals and the data protection authority about breaches in stored data.

The new draft proposes the establishment of a Data Protection Board of India, whose strength and composition, the process of selection, etc. will be prescribed by the Union government. As with the earlier versions, this diverges from the Srikrishna Committee Draft which allowed for judicial oversight in the selection process of the data protection authority. It is a concern that the proposed board will not have sufficient independence from the Union government; the state is also a data fiduciary which collects vast amounts of individual data. The 2018 Bill allowed for exemptions to be granted to state institutions from acquiring informed consent from data principals or to process their data in the case of matters related only to the “security of the state”, and also called for a law to provide for parliamentary oversight and judicial approval of non-consensual access to personal data. But the new draft Bill continues the wide-ranging and vaguely worded exemptions and instruments, allowing for the executive to collect information which could amount to mass surveillance. Public scrutiny notwithstanding, Parliament should work towards tightening the provisions in the data protection Bill and providing for a robust data protection law.

To read this editorial in Tamil, click here.

To read this editorial in Hindi, click here.

0 / 0
Sign in to unlock member-only benefits!
  • Access 10 free stories every month
  • Save stories to read later
  • Access to comment on every story
  • Sign-up/manage your newsletter subscriptions with a single click
  • Get notified by email for early access to discounts & offers on our products
Sign in


Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.

We have migrated to a new commenting platform. If you are already a registered user of The Hindu and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.