Data Protection Bill

Context: The revised version of India’s much-anticipated data protection law has received the Cabinet’s approval and is now poised to be presented to Parliament.

image 15

More about the Bill

  • It is a crucial pillar of the overarching framework of technology regulations the Centre is building, which also includes the Digital India Bill, which will be the proposed successor to the Information Technology Act, 2000, the draft Indian Telecommunication Bill, 2022, and a policy for non-personal data governance.
  • Once it becomes law, it will play a crucial role in India’s trade negotiations with other nations, especially regions like the European Union, whose General Data Protection Rules (GDPR) are among the world’s most exhaustive privacy laws.

Significance of a privacy law

  • The proposed law will apply to the processing of digital personal data within India; and to data processing outside the country if it is done for offering goods or services, or for profiling individuals in India.
  • It requires entities that collect personal data, called data fiduciaries, to maintain the accuracy of data, keep data secure, and delete data once their purpose has been met.
  • Voluntary undertaking: The entities violating its provisions can bring it up with the data protection board, which can decide to bar proceedings against the entity by accepting settlement fees.


  • The highest penalty to be levied for failing to prevent a data breach has been prescribed at Rs 250 crore per instance. 
  • The definition of “per instance” is subjective and could mean either a single instance of a data breach, or an account for the number of people impacted and multiply it by Rs 250 crore.
  • However, it will be open to interpretation by the data protection board on a case-by-case basis.

Concerns related to the draft bill

The Bill has largely retained the contents of the original version that was proposed in November 2022. Some of the proposals flagged by privacy experts:

  • Use of open-ended language such as “as necessary” or “as may be prescribed”.
  • The Bill did not seem to work towards protecting people but ensured that the government retains all power without any checks or balances
  • The government has been given the power to exempt not only government agencies but any entity that is collecting user data, from having to comply with the provisions of this bill on account of national security, relations with foreign governments, and maintenance of public order among other things.
  • The central government will have control in appointing members of the data protection board which will be an adjudicatory body that will deal with privacy-related grievances and disputes between two parties. 
  • The chief executive of the board will be appointed by the central government, which will determine the terms and conditions of their service.
  • The Executive in India has a track record of exploiting to expand its powers. There is no right to compensation to individuals in case of a data breach and have no right to data portability.
  • There is also concern that the law could dilute the Right to Information (RTI) Act, as the personal data of government functionaries is likely to be protected under it, making it difficult to be shared with an RTI applicant.

Changes in the new bill

  • A key change is made in the way it deals with cross-border data flows to international jurisdictions, moving from a ‘whitelisting’ approach to a ‘blacklisting’ mechanism.
  • The previous draft proposed a “whitelist” of jurisdictions where the personal data of Indian citizens could be transferred, based on notifications from the central government.
  • However, the revised draft bill allows global data flows to all jurisdictions except those listed in a specified “negative list,” which acts as an official blacklist of countries where data transfers are prohibited.
  • The previous draft’s provision on “deemed consent” could be modified to impose stricter requirements on private entities. However, government departments would still be allowed to assume consent when processing personal data for reasons of national security and public interest.

Comparison with other countries

  • An estimated 137 out of 194 countries have put in place legislation to secure the protection of data and privacy, according to the United Nations Conference on Trade and Development (UNCTAD), an intergovernmental organization within the United Nations Secretariat.
  • Africa and Asia show 61% (33 countries out of 54) and 57% (34 countries out of 60) adoption respectively.
  • Only 48% of Least Developed Countries (22 out of 46) have data protection and privacy laws.

Different Models of data protection framework

  • EU model: The GDPR focuses on a comprehensive data protection law for the processing of personal data. It has been criticized for being excessively stringent and imposing many obligations on organizations processing data, but it is still the template for most of the legislation drafted around the world.
  • US model: Privacy protection is largely defined as “liberty protection” focused on the protection of the individual’s personal space from the government. It is somewhat narrow because it enables the collection of personal information as long as the individual is informed of such collection and use.
  • China model: New Chinese laws on data privacy and security include the Personal Information Protection Law (PIPL), which came into effect in 2021. It gives Chinese data principals new rights as it seeks to prevent the misuse of personal data.

Enhancement of Data Protection Measures in India

  • In 2017, the Supreme Court of India, in the case of Justice K.S. Puttaswamy Vs Union of India, unanimously affirmed that Indian citizens have a fundamental right to privacy, protected by Article 21 of the Constitution, which guarantees life and liberty.
  • The Indian government in 2017 established the B.N. Srikrishna Committee, to address data protection issues. The committee submitted a report with recommendations, that included imposing restrictions on data processing and collection, establishing a Data Protection Authority, recognizing the right to be forgotten, and advocating for data localization.
  • Furthermore, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules of 2021 require social media platforms to exercise increased diligence in monitoring the content on their platforms.

Mains practice question

Q. Discuss the key provisions and implications of the Data Protection Bill, 2022, in the context of safeguarding individuals’ privacy rights and promoting data security. (15 marks; 250 words).

Prelims previous Year question (2018)

Q. Right to Privacy is protected as an intrinsic part of the Right to Life and Personal Liberty.

Which of the following in the Constitution of India correctly and appropriately implies the above statement?

(a) Article 14 and the provisions under the 42nd Amendment to the Constitution

(b) Article 17 and the Directive Principles of State Policy in Part IV

(c) Article 21 and the freedoms guaranteed in Part. III

(d) Article 24 and the provisions under the 44th Amendment to the Constitution

Scroll down for answer










Answer: (c)

Leave a Reply

Your email address will not be published. Required fields are marked *

The maximum upload file size: 20 MB. You can upload: image, document, archive, other. Drop files here

Online Counselling
Table of Contents