
Internet Freedom Foundation
I-1718, Third Floor, Chittaranjan Park,
New Delhi 110019

Recommended Citation: Anushka Jain & Tanmay Singh, “A public brief on the draft Digital Personal Data Protection Bill, 2022”, Internet Freedom Foundation, February 16, 2023.

Internet Freedom Foundation (“IFF”) is a registered charitable trust which advocates for the digital rights of Indians. Our mission is to ensure the growth of digitisation with democratic rights guaranteed under the Constitution of India.

Authors:

Anushka Jain is a lawyer and policy researcher interested in disruptive technologies such as artificial intelligence, facial recognition and machine learning. She works as the Policy Counsel at Internet Freedom Foundation.

Tanmay Singh is the Senior Litigation Counsel at the Internet Freedom Foundation. He graduated from the National Law School of India University, Bangalore in 2013, and holds a Master’s in law from the University of Pennsylvania Law School with a concurrent Diploma in Business and Laws from the Wharton School of Business. His work focuses on free expression, censorship, privacy, surveillance and press freedom.

Published: February 16, 2023


A public brief on the draft Digital Personal
Data Protection Bill, 2022

Table of Contents

A. Facts on legislative history 4

B. Summary of top issues: Loopholes in the DPDPB, 2022 7

C. A Puttaswamy Analysis of the DPDPB, 2022 8

D. Comparison of the DPDPB, 2022 with the DPB, 2021 10

E. Comparison with other jurisdictions 15

F. Recommendations 21

A. Facts on legislative history


a. Present status: The Ministry of Electronics & Information Technology (MeitY) released the draft Digital Personal Data Protection Bill, 2022 (DPDPB, 2022) on November 18, 2022 for public consultation. The deadline for submission of comments was initially set for December 17, 2022, which was further extended till January 2, 2023. The notice accompanying the DPDPB, 2022 states that submissions made as part of the consultation process will not be made public.¹ The Bill has not been placed before the Parliament.

b. Past efforts: Previous versions of a Draft Privacy Bill have been coordinated through the Ministry of Personnel, Public Grievances, and Pensions since 2011.² Drafts of that bill dealt both with data protection and surveillance reform till 2014; however, this did not proceed further.³ An Expert Committee on Privacy headed by Justice A.P. Shah under the erstwhile Planning Commission presented a report on October 12, 2012 which serves as an influential document on international & national privacy standards.⁴ The Expert Committee on Data Protection chaired by Justice BN Srikrishna was constituted by the Ministry for Electronics and Information Technology (“MeitY”) on July 31, 2017.⁵ The ten-member Committee’s mandate was to examine issues related to data protection, recommend methods to address them, and draft a data protection bill. It was criticised for its flawed composition and issues of conflict of interest.⁶ The Committee released its 176-page Report to the MeitY and proposed the Personal Data Protection Bill, 2018 on July 27, 2018.⁷ As soon as the Personal Data Protection Bill, 2019 (“PDPB, 2019”) was introduced in the Parliament on December 11, 2019, it was sent to a Joint Parliamentary Committee (“JPC”) with members from both the Houses for its review and suggestions.⁸ After nearly two years and several extensions, the Joint Committee on the Personal Data Protection Bill, 2019 brought out its report on December 16, 2021.⁹ The Report also contained a new version of the law titled “The Data Protection Bill, 2021” (“DPB, 2021”). However, the DPB, 2021 was withdrawn by the Minister for Communications and Information Technology, Ashwini Vaishnaw on August 3, 2022.¹⁰

1    “The Ministry of Electronics and Information Technology invites feedback on the draft ‘Digital Personal Data Protection Bill, 2022’.”, Ministry of Electronics & Information Technology, November 18, 2022, https://www.meity.gov.in/writereaddata/files/Notice%20-%20Public%20Consultation%20on%20DPDP%202022_1.pdf.
2    Ministry of Personnel, Public Grievances & Pensions, “Right to Privacy Bill, 2011,” Press Information Bureau, Government of India, August 18, 2011, https://pib.gov.in/newsite/erelcontent.aspx?relid=74743.
3    Elonnai Hickok, “Report of the Group of Experts on Privacy vs. The Leaked 2014 Privacy Bill,” The Centre for Internet and Society (blog), April 14, 2014, https://cis-india.org/internet-governance/blog/report-of-group-of-experts-on-privacy-vs-eaked-2014-privacy-bill.
4    “Report of the ‘Group of Experts on Privacy,’” October 16, 2012, https://www.dsci.in/content/report-group-experts-privacyconstituted-planning-commission-india.
5    “Justice Krishna to Head Expert Group on Data Protection Framework for India,” Press Information Bureau, Government of India, August 1, 2017, https://pib.gov.in/newsite/PrintRelease.aspx?relid=169420.
6    Seema Chishti, “Eminent Citizens Write to the Committee of Experts on Data Protection Framework,” The Indian Express, November 6, 2017, https://indianexpress.com/article/india/citizens-group-questions-data-privacy-panel-composiion-aadhaar-4924220/.
7    “Draft Personal Data Protection Bill, 2018,” PRS Legislative Research, accessed February 2, 2023, https://prsindia.org/illtrack/draft-personal-data-protection-bill-2018.
8    “Personal Data Protection Bill, 2019 - Key Highlights Of Reports Of Joint Parliament Committee (JPC),” Mondaq, February 16, 2022, https://www.mondaq.com/india/privacy-protection/1161678/personal-data-protection-bill-2019---key-highlights-of-reports-of-joint-parliament-committee-jpc.
9    Lok Sabha, “Joint Committee on the Personal Data Protection Bill, 2019”, https://loksabha.nic.in/Committee/CommitteeInformation.aspx?comm_code=73&tab=5.
10    “Here Lies the Data Protection Bill, 2021,” Internet Freedom Foundation, August 4, 2022, https://internetfreedom.in/here-lies-the-data-protection-bill-2021/.


c. Private Member Bills: There have been six notable efforts to introduce various models of privacy protection by honourable members of the Lok and Rajya Sabha. These are listed in a tabular form below.

House and date | Short title | Member | Status
Rajya Sabha on 28/11/2014 | The Personal Data Protection Bill, 2014 | V.J. Darda | Lapsed
Rajya Sabha on 05/08/2016 | Right to Privacy of Personal Data Bill, 2016 | Vivek Gupta | Lapsed
Lok Sabha on 10/03/2017 | Right to Privacy of Personal Data Bill, 2016 | O.P. Yadav | Lapsed
Lok Sabha on 21/07/2017 | Data (Privacy and Protection) Bill, 2017 | Baijayant Panda | Lapsed
Lok Sabha on 03/08/2018 | Data Privacy and Protection Bill, 2017 | Shashi Tharoor | Lapsed
Lok Sabha on 26/07/2019 | Personal Data and Information Privacy Code Bill, 2019 | D. Ravikumar | Pending

d. Right to Privacy Judgement: On August 24, 2017, the Supreme Court, in the matter of Justice KS Puttaswamy vs Union of India, reaffirmed “privacy” as a fundamental right under Part III of the Constitution of India. It directed the Government to bring out a robust data protection regime. On January 31, 2023, the Solicitor General stated before the Supreme Court of India that “a Data Protection Bill, after administrative compliances, is to be introduced before the Parliament in the second half of the Budget Session, 2023”.¹¹

11    Sohini Chowdhury, “Data Protection Bill To Be Introduced In Parliament In Budget Session : Centre Tells Supreme Court,” LiveLaw, January 31, 2023, https://www.livelaw.in/top-stories/data-protection-bill-to-be-introduced-in-parliament-in-budget-session-centre-tells-supreme-court-220372.


Data Protection Framework Timeline


B. Summary of top issues: Loopholes in the DPDPB, 2022

a. Consultation process fails transparency principles: The notice accompanying the DPDPB, 2022 states that comments received will not be made public by MeitY. Further, the consultation process requires interested participants to register on the MyGov website in order to be able to provide comments, which is a significant hurdle.

b. Notice requirements weakened: Compared to past versions, data fiduciaries do not have to inform principals about the third parties with whom their data will be shared, the duration for which their data will be stored and if their data will be transferred to other countries.

c. Vague non-consensual processing of data permitted: The DPDPB, 2022 allows the Data Fiduciary to “deem” or assume consent of the Data Principal if the processing is considered necessary as per certain situations such as for the breakdown of public order, for purposes related to employment, and in public interest.

d. Duties and penalties imposed on Data Principals: For the first time in the history of the data protection legislation in India, duties such as not registering a false or frivolous grievance or complaint have been imposed on the Data Principal, the violation of which could result in penalties (of up to 10,000 INR).

e. Vague factors for data transfer: While the requirement of data localisation contained in previous iterations has been done away with, the factors based on which it will be determined that a country may or may not be eligible to receive Indian data have not been specified.

f. Exemptions created for private actors: The Union Government has retained the power to exempt certain data fiduciaries or class of data fiduciaries from selected provisions of the DPDPB, 2022.

g. Wide exemptions for government: The Union Government has retained the power to exempt any government instrumentality (GI) from the application of the DPDPB, 2022. Additionally, the DPDPB, 2022 also fails to put into place any meaningful safeguards against overbroad surveillance which weakens the right to privacy of Indian citizens.

h. Data Protection Board’s independence under question: The Union Government has been empowered to prescribe the strength and composition of the Data Protection Board, the process of selection, terms and conditions of appointment and service, removal of its Chairperson and other Members at a later stage as well as appointing the Chief Executive of the Board.

i. Weakening of the Right to Information Act, 2005: Through amendments, the DPDPB, 2022 removes the public interest exception to disclosure of personal information under the Right to Information Act, 2005.

j. Failure to carry out surveillance reform: In addition to providing wide exemptions to the state, the DPDPB, 2022 also fails to put into place any meaningful safeguards against overbroad surveillance which weakens the right to privacy of Indian citizens.

k. “As may be prescribed”: For the sake of brevity, the DPDPB, 2022 leaves various important provisions to future regulations in the absence of legislative guidance by the Parliament.


C. A Puttaswamy analysis of the DPDPB, 2022


a. In Justice K. S. Puttaswamy v. Union of India (Puttaswamy-I), a nine-judge bench of the Indian Supreme Court unanimously affirmed the status of the right to privacy as a fundamental right guaranteed in Part III of the Constitution of India.¹² The Court held that privacy is an integral part of Articles 14, 15, 19, and 21 of the Constitution of India. It was held that informational self-determination and informational privacy constitute an integral part of the right to privacy. Justice Chandrachud held that information control empowers individuals to use “privacy as a shield” to retain control over personal information. Justice Nariman held that informational privacy relates to a person’s mind and therefore individuals have “control over the dissemination of material that is personal” to them. Justice Kaul held that “the right to control dissemination of personal information” is a part of the right to privacy. Though the case arose in the context of the constitutional challenge of the Aadhaar Act, the Court recognised that data protection is closely intertwined with informational privacy. The Court noted that a robust data protection law must be formulated by the Union Government by “carefully balancing” individual privacy and legitimate concerns of the Union Government.

b. The Supreme Court held that such a robust regime must satisfy the three-fold tests of legality, necessity, and proportionality. This means that first, there must exist a valid law to justify an encroachment on privacy; second, there must be a legitimate state aim which justifies that the restriction to people’s privacy is needed in a democratic society; and third, the restriction must be proportionate to the object and needs of the law. Below, we briefly analyse the DPDPB, 2022 against these thresholds to understand if they are satisfied:

i. Legality: The DPDPB, 2022 may satisfy the first test of legality, since, by virtue of it being a
statute, it will provide a legal basis for the government’s actions.

ii. Necessity: The statement of objects and purpose of the DPDPB, 2022 states that it is to “provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto”. It is necessary to note that the objective of the Data Protection Bill, 2022 is not framed the other way around, i.e., to recognise the right to protect personal data, such that it may allow for the processing of digital personal data. This becomes clearer once the Data Protection Bill, 2022 and its clauses are read as a whole. For example, the wide exemptions provided under Clause 18, and the low bar for consent contemplated under Clauses 7 and 8 leave little doubt that the thrust of the Data Protection Bill, 2022 is not to protect data, but to enable its processing. An argument could be made that data processing is a legitimate state aim, but its legitimacy is weaker than the state aim of protecting personal data of Indian citizens and users. This is because protecting personal data, i.e., informational privacy, is directly derived from the right to privacy under the Constitution of India, whereas the state aim for data processing comes from the commercial interests of data fiduciaries and the state.

iii. Proportionality: To satisfy the proportionality standard, a measure restricting a right must have a legitimate goal, must be a suitable means of furthering this goal, there must not be any less restrictive, but equally effective alternatives, and there should be procedural safeguards. Assuming, for the purpose of continuing this analysis, that the goal was legitimate, i.e., that the goal was to protect the personal data of Indians, the DPDPB, 2022, is not suitable to further this aim. This is because of existing provisions which dilute notice and consent requirements, reduce Data Principal rights, and impose duties and penalties on Data Principals. Here, the DPDPB, 2022 fails to include less intrusive alternatives such as the principles of data minimisation, purpose limitation, and storage limitation which are considered best practices for data processing. Lastly, wide exemptions to the government and its data fiduciaries from the application of the law and the dilution of the powers of the Data Protection Board, as well as the doubts over its independence, result in the absence of any meaningful procedural safeguards.

12   (2017) 10 SCC 1.

c. The DPDPB, 2022 fails the proportionality standard adopted by the Supreme Court in Puttaswamy - I and II.¹³ The DPDPB, 2022 will pass the test of legality, and may even pass the test of necessity, but its inability to provide a suitable means of achieving a legitimate state objective, its failure to consider less intrusive alternatives, and its complete failure to provide procedural safeguards, render the DPDPB, 2022 a disproportionate invasion of user privacy, and may even render the entire Bill unconstitutional.

D. Comparison of the DPDPB, 2022 with the DPB, 2021

Each numbered entry below corresponds to one row of the comparison table (S. no. and Topic, followed by the DPB, 2021 position and the DPDPB, 2022 position).

1. Scope
DPB, 2021: The JPC Report removed the term “personal” from the PDPB, 2019, changing it to “The Data Protection Bill, 2021”. This change reflected the expansion in the regulatory ambit as the draft legislation would have regulated both personal and non-personal data. [ Clause 2 ]
DPDPB, 2022: The provisions of DPDPB, 2022 shall only apply to the processing of digital personal data within the territory of India where such personal data is collected from Data Principals online; and such personal data collected offline, which is subsequently digitised. [ Clause 4 ]

2. Notice
DPB, 2021: The DPB, 2021 had extensive notice requirements including providing clear, concise, and easily comprehensible information to the Data Principal about third party sharing of data, cross border transfer of data, and period of retention of data. [ Clause 7 ]
DPDPB, 2022: The DPDPB, 2022 requires data fiduciaries to merely notify the Data Principal about the nature of the data they will be collecting and the purpose for which such data may be processed. [ Clause 6 ]
13   (2019) 1 SCC 1.

3. Deemed consent
DPB, 2021: The DPB, 2021 allowed for the processing of personal data without consent in certain situations including for purposes related to employment and maintaining public order among others. However, it provided additional protections to sensitive personal data when processed for purposes related to employment. [ Clauses 12-14 ]
DPDPB, 2022: The DPDPB, 2022 retains all grounds for processing data without consent which were contained in the DPB, 2021. Further, it removes any additional protection for sensitive personal data since that is not a recognised category under the DPDPB, 2022. It also adds certain grounds for which consent may be “deemed” for employment purposes including prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, and classified information. The DPDPB, 2022 also fails to specifically define the grounds which may be included under “reasonable purposes”, which was done in the DPB, 2021. [ Clause 8 ]

4. General obligations of Data Fiduciary
DPB, 2021: The obligations of a Data Fiduciary under the DPB, 2021 included prohibition of processing of personal data except for any specific, clear, and lawful purpose; collecting personal data only to the extent that is necessary for the purposes of processing of such personal data; providing detailed notice for collection or processing of personal data; taking necessary steps to ensure that the personal data processed is complete, accurate, not misleading and updated, having regard to the purpose for which it is processed; not retaining any personal data beyond the period necessary to satisfy the purpose for which it is processed and deleting the personal data at the end of the processing; and processing personal data only on the consent given by the Data Principal at the commencement of its processing. [ Clauses 4-11 ]
DPDPB, 2022: The DPDPB, 2022 has imposed certain obligations on data fiduciaries which were not included in the DPB, 2021. Fresh obligations include implementing appropriate technical and organisational measures to ensure effective adherence with the DPDPB, 2022 provisions, taking reasonable security safeguards to prevent personal data breaches, and notifying the Data Protection Board and each affected Data Principal in case of a personal data breach. This is a positive step which will help in strengthening the protections around personal data. [ Clause 9 ]

5. Rights of Data Principal
DPB, 2021: The DPB, 2021 included the right to confirmation and access, the right to correction and erasure, the right to data portability and the right to be forgotten as rights which the Data Principal will have under it. Here, it may be noticed that while under the GDPR the right to erasure and the right to be forgotten are used interchangeably, the DPB, 2021 had provided different protections under the two rights. [ Clauses 17-20 ]
DPDPB, 2022: The DPDPB, 2022 has removed the right to data portability and the right to be forgotten. [ Clauses 12-15 ]

6. Duties of Data Principal
DPB, 2021: The DPB, 2021 did not impose any duties on Data Principals.
DPDPB, 2022: The DPDPB, 2022 imposes certain duties on the Data Principal, which is a new addition. Duties imposed include not registering a false or frivolous grievance or complaint with a Data Fiduciary or the Board, not furnishing any false particulars or suppressing any material information or impersonating another person, and furnishing only such information as is verifiably authentic while exercising the right to correction or erasure. [ Clause 16 ]

7. Transfer of personal data outside India
DPB, 2021: The DPB, 2021 placed a data mirroring requirement for transfer of sensitive personal data outside India wherein a copy of it had to be stored in India. It also placed a strict data localisation requirement on critical personal data; however, the category of critical personal data was left undefined. [ Clause 33 ]
DPDPB, 2022: The DPDPB, 2022 empowers the Union Government to notify certain countries to which transfer of personal data may be allowed. This notification will be made after assessment of certain factors by the Union Government; however, the factors have not been specified. [ Clause 17 ]

8. Exemptions
DPB, 2021: In addition to providing wide exemptions to the Union Government and its authorities, the DPB, 2021 included exemptions for certain processing of personal data for journalistic purposes. Further, it also contained exemptions for manual processing by small entities. [ Clauses 35-39 ]
DPDPB, 2022: Clause 18 of the DPDPB, 2022 carries forward most of the exemptions that were provided to the Union Government in clauses 35, 36, 37, 38, & 39 of the DPB, 2021. However, it has removed the exemption provided for journalistic purposes in DPB, 2021. The exemptions for manual processing by small entities have also been removed. Instead, the DPDPB, 2022 allows the Union Government to exempt certain Data Fiduciaries or class of Data Fiduciaries having regard to the volume and nature of personal data processed. The DPDPB, 2022 also fails to put in place any safeguards to prevent wide interpretation of the exemptions provided, unlike the DPB, 2021 which put in place certain conditions, even if weak, such as necessity and expediency. [ Clause 18 ]

9. Sensitive and critical personal data
DPB, 2021: The DPB, 2021 contained additional protections for personal data which would fall into the categories of sensitive personal data and critical personal data. Categorisation as sensitive personal data was to be done by the Union Government on the basis of the risk of significant harm that may be caused to the Data Principal by the processing of such category of personal data; the expectation of confidentiality attached to such category of personal data; whether a significantly discernible class of Data Principals may suffer significant harm from the processing of such category of personal data; and the adequacy of protection afforded by ordinary provisions applicable to personal data. Critical personal data would have been such personal data as would have been notified by the Union Government at a later stage. Additional protections were to be provided to these two categories of data, especially with regard to transfer of this data outside India. [ Clauses 15 & 33 ]
DPDPB, 2022: The categories of sensitive and critical personal data do not find mention in the DPDPB, 2022.

10. Data Protection Authority/Board
DPB, 2021: The DPB, 2021 envisaged a Data Protection Authority whose duty it was to protect the interests of Data Principals, prevent any misuse of personal data, ensure compliance with the provisions of this Act, and promote awareness about data protection. It was also specifically tasked with maintaining a database on its website containing names of significant data fiduciaries along with a rating in the form of a data trust score indicating compliance with the obligations of DPB, 2021 by such fiduciaries, monitoring cross-border transfer of personal data, monitoring technological developments and commercial practices that may affect protection of personal data, amongst others. It vested the executive with the sole authority to appoint the DPA, despite the fact that the DPA would also regulate government agencies. The selection committee of the DPA would be chaired by the Cabinet Secretary and other members would include Secretaries to the Union Government. It also expands the committee to include an expert nominated by the Union Government, the Attorney General of India, a Director of any of the Indian Institutes of Technology, and a Director from any of the Indian Institutes of Management. Both the directors would also be nominated by the Union Government. [ Clauses 41-56 ]
DPDPB, 2022: The DPDPB, 2022 renames the Data Protection Authority to the Data Protection Board. The functions of the Data Protection Board under DPDPB, 2022 are to determine non-compliance with provisions of DPDPB, 2022 and impose appropriate penalties; and to perform such functions as the Union Government may assign to it under the provisions of DPDPB, 2022 or under any other law by an order published in the Official Gazette. The strength and composition of the Board, the process of selection, the terms and conditions of appointment and service, and the removal of its Chairperson and other Members shall be such as may be prescribed by the Union Government at a later stage. The Chief Executive of the Board will be appointed by the Union Government. [ Clauses 19-22 ]

11. Financial Penalty
DPB, 2021: (no corresponding provision listed)
DPDPB, 2022: Under the DPDPB, 2022, contravention of the freshly introduced duties of a Data Principal under Clause 16 could result in penalties of up to 10,000 INR. [ Clause 25 & Schedule 1 ]


E. Comparison with other jurisdictions

(Please refer to our in-depth analysis and comparison of the data protection legislations of foreign jurisdictions here)

a. Notice

Legislation | Purpose of collection | Third Party Sharing | Duration of retention
United States’ California Consumer Privacy Act, 2018¹⁴ | Yes | Yes, notice must include if data will be sold or shared | Yes
United States’ Privacy Act, 1974¹⁵ | Yes | No | No
United States’ Health Insurance Portability and Accountability Act, 1996¹⁶ | Yes | No | No
United States’ Children’s Online Privacy Protection Act, 1998¹⁷ | Yes | Yes, notice must include operator’s disclosure practices | No
Australia’s Privacy Act, 1988¹⁸ | Yes | Yes, notice must include any other APP entity, body or person, or the types of any other APP entities, bodies or persons, to which the APP entity usually discloses personal information of the kind collected by the entity | No
Singapore’s Personal Data Protection Act, 2012¹⁹ | Yes | No | No
European Union’s General Data Protection Regulation²⁰ | Yes | No | No

14   The California Consumer Privacy Act, 2018.
15   The Privacy Act, 1974 of the United States of America.
16   The Health Insurance Portability and Accountability Act, 1996 of the United States of America.
17   The Children’s Online Privacy Protection Act, 1998 of the United States of America.
18   The Privacy Act, 1988 of Australia.
19   The Personal Data Protection Act, 2012 of Singapore.
20   The General Data Protection Regulation, 2018 of the European Union.


b. Deemed Consent

Legislation | Can consent be deemed? | If yes, on what conditions?
United States’ California Consumer Privacy Act, 2018 (CCPA) | No | NA
United States’ Privacy Act, 1974 | No | NA
United States’ Health Insurance Portability and Accountability Act, 1996 | No | NA
United States’ Children’s Online Privacy Protection Act, 1998 | No | NA
Australia’s Privacy Act, 1988 | Yes | Sections 16A and 16B of the Australian Privacy Act, 1988 contain certain “permitted general situations in relation to the collection, use or disclosure of personal information” and “permitted health situations in relation to the collection, use or disclosure of health information” respectively wherein consent may be “implied”.
Singapore’s Personal Data Protection Act, 2012 | Yes | Section 15 of Singapore’s Personal Data Protection Act, 2012 pertains to “deemed consent”. Under the section, consent may be deemed if the individual, without actually giving consent as per Section 14 of Singapore’s Personal Data Protection Act, 2012, voluntarily provides the personal data to the organisation for that purpose; and it is reasonable that the individual would voluntarily provide the data.
European Union’s General Data Protection Regulation | Yes | Article 6 of the GDPR, which relates to lawfulness of processing, lists certain situations where processing may be lawful even if the data subject has not given consent such as if it is necessary for the performance of a contract.


c. Obligations of Data Fiduciary

Legislation | Ensuring data collection and processing is necessary and proportionate | Implementing reasonable security procedures to protect data | Ensuring accuracy of information
United States’ California Consumer Privacy Act, 2018 (CCPA) | Yes | Yes | Yes
United States’ Privacy Act, 1974 | Yes | Yes | Yes
United States’ Health Insurance Portability and Accountability Act, 1996 | No | Yes | Yes
United States’ Children’s Online Privacy Protection Act, 1998 | No | Yes | No
Australia’s Privacy Act, 1988 | Yes | Yes | Yes
Singapore’s Personal Data Protection Act, 2012 | No | No | No
European Union’s General Data Protection Regulation | Yes | Yes | Yes


d. Rights and duties of Data Principals

Legislation | Right to access | Right to erasure | Right to data portability | Right to correction | Duties
United States’ California Consumer Privacy Act, 2018 (CCPA) | Yes | Yes | No | Yes | No
United States’ Privacy Act, 1974 | Yes | No | No | Yes | No
United States’ Health Insurance Portability and Accountability Act, 1996 | No | Yes | No | Yes | No
United States’ Children’s Online Privacy Protection Act, 1998 | Yes | No | No | No | No
Australia’s Privacy Act, 1988 | Yes | No | No | Yes | No
Singapore’s Personal Data Protection Act, 2012 | Yes | No | No | Yes | No
European Union’s General Data Protection Regulation | Yes | Yes | Yes | Yes | No


e. Exemptions

Legislation | Can government authorities be exempted from the application of the Act? | Can private actors be exempted from the application of the Act? | Can exemptions be granted for research, archiving or statistical purposes?
United States’ California Consumer Privacy Act, 2018 (CCPA) | No | No | No
United States’ Privacy Act, 1974 | Yes | No | Yes
United States’ Health Insurance Portability and Accountability Act, 1996 | No | No | No
United States’ Children’s Online Privacy Protection Act, 1998 | No | No | No
Australia’s Privacy Act, 1988 | Yes | Yes | Yes
Singapore’s Personal Data Protection Act, 2012 | Yes | Yes | Yes
European Union’s General Data Protection Regulation | Yes | Yes | Yes


f. Authorities performing regulatory and adjudicatory functions

Legislation | Do they have a specific authority performing regulatory functions? | Do they have a specific authority performing adjudicatory functions?
United States’ California Consumer Privacy Act, 2018 (CCPA) | Yes, the California Privacy Protection Agency | Yes, the California Privacy Protection Agency
United States’ Privacy Act, 1974 | No | No
United States’ Health Insurance Portability and Accountability Act, 1996 | No | No
United States’ Children’s Online Privacy Protection Act, 1998 | No | No
Australia’s Privacy Act, 1988 | Yes, the Australian Information Commissioner | Yes, the Australian Information Commissioner
Singapore’s Personal Data Protection Act, 2012 | Yes, Singapore’s Info-communications Media Development Authority is the Personal Data Protection Commission under the Act | Yes, Singapore’s Info-communications Media Development Authority is the Personal Data Protection Commission under the Act
European Union’s General Data Protection Regulation | Yes, Article 51 of GDPR states that each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of GDPR in their jurisdiction | Yes, Article 51 of GDPR states that each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of GDPR in their jurisdiction


F. Recommendations
Our primary recommendation is that the DPDPB, 2022 should be recalled. This recommendation flows from the myriad shortcomings of the DPDPB, 2022, which include: the abject vagueness of the draft, since various important provisions are left to executive rule-making at a later stage without legislative guidance; consent being “deemed” in certain situations, allowing for non-consensual processing of data; expanded exemptions for state and private data fiduciaries; and the lack of independence of the Data Protection Board, among others. Though the DPB, 2021 was not without its shortcomings, the consultation process should resume from a version of the DPB, 2021, which was the outcome of institutional processes and also accounted for specific civil society feedback received over the years. Here, it is essential that clear reasoning is provided for any further changes made to the bill as a result of the responses received in this consultation, as was done through the Joint Parliamentary Committee Report in December, 2021.

Clauses & Concerns | Reasoning | Recommendations

Clauses & Concerns: Misplaced objectives [Preamble]

Reasoning: The preamble of any law sets the tone and the tenor of the law and is crucial in understanding the intent behind the legislation. It is also a key factor influencing the judicial interpretation of various provisions of the law.

The statement of objects and purpose of the DPDPB, 2022 states that it is to “provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto”. Here, the emphasis seems to be on operationalising data processing for data fiduciaries instead of providing primacy to the interests of the Data Principal. This interpretation is also supported by an analysis of the provisions of the DPDPB, 2022, which allow for overbroad processing of personal data and dilute protections for Data Principals.

Recommendations: The preamble of the DPDPB, 2022 must be suitably amended to state, in no uncertain terms, that the overriding objective of the Bill is the protection of data and informational privacy, from private as well as state actors. Doing so would ensure that data protection regimes in India remain focused on the Data Principal and provide us, the citizens of India, with control over our own data. The preamble must also be suitably amended such that the reference to the individual rights of natural persons falls in line with the Supreme Court’s right to privacy judgement and the model privacy principles recommended by the Justice A.P. Shah Committee Report.


Clauses & Concerns: Weakened notice requirements [Clause 6]

Reasoning: For a Data Principal to provide informed consent, it is essential that they are made aware of all relevant information about the processing of their personal data. This requirement must be fulfilled by the notice that data fiduciaries are required to provide Data Principals before seeking consent, so that Data Principals know what they are providing consent for.

Clause 6 of the DPDPB, 2022 requires data fiduciaries to notify the Data Principal merely of the nature of the data they will be collecting and the purpose for which such data may be processed. Unlike previous iterations of the bill, it does not require data fiduciaries to inform principals about the third parties with whom their data will be shared, the duration for which their data will be stored, or whether their data will be transferred to other countries. Thus, data fiduciaries can continue to obtain the consent of principals by providing limited information and then use their personal data in a manner principals might not have anticipated.

Recommendations: Clause 6 must be amended to place strict notice requirements on data fiduciaries which mandate them to disclose all relevant information about the collection, storage, processing, and retention of the Data Principal’s personal data.

Clauses & Concerns: Additional obligations imposed on data fiduciaries which the Union Government may arbitrarily define as “significant” [Clause 11]

Reasoning: The Union Government has awarded itself the power to notify any Data Fiduciary as “significant” based on certain factors which have not been clearly defined and thus are open to arbitrary interpretation. These factors include potential impact on the sovereignty and integrity of India; risk to electoral democracy; security of the State; public order; and such other factors as the Union Government may consider necessary. Essentially, the Union Government may, at any time, place additional obligations on any Data Fiduciary. This could result in harm to the Data Fiduciary, which may have to incur additional costs of compliance, and also to Data Principals, who may lose access to those data fiduciaries who are incapable of complying with the additional obligations placed on them and might therefore have to exit the Indian market.

Recommendations: The criteria for placing additional obligations on any Data Fiduciary must be clearly defined, keeping in mind their ability to comply. The aim of placing additional obligations should be to improve protections for Data Principals in India while ensuring that Indian Data Principals do not lose access to the services of the Data Fiduciary.


Clauses & Concerns: Non-consensual processing of personal data allowed [Clause 8]

Reasoning: A data protection law which seeks to protect the interests of Data Principals should have user consent as its foundational framework. However, the DPDPB, 2022 fails to do so by allowing for various situations in which non-consensual processing of data may be justified by data fiduciaries.

Clause 8 allows data fiduciaries to “deem” the consent of Data Principals in situations which have not been strictly defined and as a result may be widely interpreted, leading to misuse. These include any breakdown of public order; purposes related to employment, including prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information, recruitment, termination of employment, provision of any service or benefit sought by a Data Principal who is an employee, verification of attendance and assessment of performance; and the public interest. Due to the vaguely defined nature of these situations, overbroad processing of personal data may occur, which would violate data processing best practices such as data minimisation and purpose limitation.

Recommendations: While certain exceptions are necessary in order to facilitate a functional data protection regime, these exceptions could, if not worded clearly, lead to more harm. Therefore, any exception should be worded clearly, limited in purpose, necessary and proportionate to the aim, and accompanied by sufficient procedural safeguards.

Clauses & Concerns: Rights of Data Principals reduced [Clauses 13-15]

Reasoning: The DPDPB, 2022 has removed the right to data portability and the right to be forgotten, which were present in the DPB, 2021. However, no reasons have been provided for their removal. Further, rights such as the right to object to processing of certain personal data and the right to seek exemption from automated decision-making, which were missing from the DPB, 2021, have still not been included in the DPDPB, 2022. These omitted rights provide important privileges and protections to Data Principals. Their omission showcases the failure of the DPDPB, 2022 to sufficiently protect the Data Principal’s interests.

Recommendations: The DPDPB, 2022 should be amended to include the right to data portability, the right to be forgotten, the right to object to processing of certain personal data, and the right to seek exemption from automated decision-making.


Clauses & Concerns: Data localisation requirements removed but criteria to transfer outside India still not defined [Clause 17]

Reasoning: Clause 17 of the DPDPB, 2022 removes the requirement of data localisation that was present in the DPB, 2021. Instead, it appears to replace it with an ‘allowlist approach’, as data fiduciaries can only transfer personal data to such countries as the Union Government may prescribe, implying that transfer of data to any other country is prohibited. Clause 17 does not prescribe any standards or criteria based on which the Union Government should decide which countries to allow data transfers to. This enables arbitrary exercise of power, where countries may be selected or not selected based on considerations other than the protection of the personal data of Indians.

Recommendations: It is essential that the criteria for transfer of data be specifically defined to protect against arbitrary standards. Here, it should be ensured that the data of Indian Data Principals enjoys equal protections in other countries as well.

Clauses & Concerns: Failure to put in place an independent regulatory body to ensure compliance [Clauses 19-24]

Reasoning: Under these provisions, the Union Government has been empowered to prescribe, at a later stage, the strength and composition of the Data Protection Board (“Board”), the process of selection, the terms and conditions of appointment and service, and the removal of its Chairperson and other Members. Further, the Union Government has also been empowered to appoint the Chief Executive of the Board. However, unlike in previous versions, no criteria have been specified for the appointment or for who will be authorised to make the appointment. Further, the Board has not been provided with any regulatory powers, unlike the Data Protection Authority of the DPB, 2021.

The vesting of these powers with the Union Government calls into question the independence of the Board. Since the Board is tasked with determining non-compliance with the provisions of the law by data fiduciaries and data processors, including state data fiduciaries and state data processors, it is essential that it gives primacy to Data Principals and their interests while deciding matters brought before it. However, an executive-appointed Chief Executive may not be able to exercise effective oversight over the executive itself. Further, by removing regulatory powers, the Board has been reduced to a mere adjudicatory body which will settle grievances.

Recommendations: It is essential that the Board is independent of executive control. This was also held by the Supreme Court of India in Madras Bar Association vs Union of India (2020), wherein it stated that, “Dispensation of justice by the Tribunals can be effective only when they function independent of any executive control: this renders them credible and generates public confidence”.

Further, the Board should also be tasked with the regulatory powers that previous iterations of the data protection legislation gave to the Data Protection Authority. This will also be in keeping with supervisory authorities across various jurisdictions, which enjoy both adjudicatory and regulatory powers.


Clauses & Concerns: Wide government exemptions [Clause 18]

Reasoning: Clause 18(2)(a) of the DPDPB, 2022 may give all data collection and processing activities of notified government instrumentalities (GIs) complete immunity from any protections that the DPDPB, 2022 puts in place. The interests stated in the provision for which the exemption may be exercised are excessively vague and thus open to misuse through overbroad application, resulting in a large number of GIs being granted exemption from the application of the law. Further, the exemption granted itself, i.e., that all activities of the exempted agency will be outside the purview of the law, is also overbroad.

Granting such blanket exemptions directly violates the Supreme Court’s decision in K.S. Puttaswamy v Union of India [2017], wherein the Court held that any state invasion into citizen privacy must satisfy the thresholds of legality, necessity, proportionality, and procedural safeguards to prevent misuse. By granting blanket exemptions, the Union Government is preempting any review, judicial or otherwise, of the actions of the GIs, which could result in gross violations of citizen privacy by the state. Further, the provisions concentrate all surveillance powers with the executive branch and do not have safeguards such as judicial review of surveillance orders in place. The data protection law was expected to institute much awaited safeguards on this architecture, but the exemptions granted under Clause 18(2)(a) instead widen government surveillance powers.

Further, Clause 18(3) allows the Union Government to exempt any private actors that it may notify, even if they process personal data which can be considered sensitive, thereby limiting the effectiveness of the law. Clause 18(4) exempts the “State or any instrumentality of the State” from the mandate to comply with data deletion requirements under the law. As a result, any data collected by the State may be retained by it in perpetuity, in direct violation of the internationally recognised principle of storage limitation, which states that data should only be retained as long as is necessary to fulfil the purpose for which it was collected.

Recommendations: Any exemptions sought by government agencies should be granted only if they fulfil the standards of legality, necessity, and proportionality. It is essential that government collection and processing of citizen data is regulated to prevent misuse. Further, there is a need for a specific chapter pertaining to surveillance reform to be included in the DPDPB, 2022. A procedure must also be put in place for such agencies to seek permission from a judicial authority, preferably special benches or tribunals comprising High Court judges. Additionally, an appropriate oversight and accountability structure should be created as part of the DPB by adding within it an office for surveillance reform. Judicial permission that may be granted for emergency surveillance and communications interception must be required to follow the necessity and proportionality principles. To administer such judicial orders, the DPB must determine compliance and enforcement mechanisms.

Internet Freedom Foundation
I-1718, Third Floor, Chittaranjan Park,
New Delhi 110019

policy@internetfreedom.in
internetfreedom.in

This work is licensed under the Creative Commons Attribution 4.0 International License.

We would like to thank IFF’s Policy Director, Prateek Waghre, for his editorial inputs, Campaign & Advocacy
Associate, Ashlesh Biradar for design and graphic assistance, and the NLSIU, Bengaluru Law and Technology
Society (‘L-Tech’) Student Research Panel for providing research support.
