Why in news : The latest draft of the data protection law- the Digital Personal Data Protection bill,2022 has now made open for public comments.

It is revised draft of the original personal data protection bill,2019 which was withdrawn 3 months back. It was introduced based on the recommendation of the Justice B.N.SRI KRISHNA committee.

Key features of the bill :

Data principal :

  • Data principal means the natural person to whom the personal data belongs.
  • In the case of children (less than 18 years), their parents/guardians will be considered as their “Data principals.”

Data fiduciary :

  • Data fudiciary means any entity (company/firm/state) which collects the data and process it for further use.
  • According to the new bill, the union government can notify exemption to certain data fiduciaries based on just the “volume and nature of personal data” processed, irrespective of the purpose of processing the data.

Changes in data localization requirements :

  • The personal data protection bill,2019 provided a three tiered categorization based on which personal data could be moved across borders.
  • But these requirements were severely contested by the industry as it may lead to significant increase in costs in terms of higher data storage and security risks.
  • The DPDP Bill,2022 tries to strike a balance between concerns raised by industries and digital sovereignty.
  • The DPDP Bill,2022 allows cross border data flow to “countries and territories” notified by central government.

Framework for state based processing of personal data :

  • Similar to PDP bill 2019, the current DPDP bill,2022 provides considerable exemption to the state’s processing of personal data.
  • The union government has the power to specify “fair and reasonable” purposes for which it can process personal data without consent.
  • An exemption can be provided from “most data protection obligations” if the processing is undertaken “in the interests of prevention, detection, investigation of any offence.”
  • A complete exemption can be provided if the personal data is being processed “in the interests of sovereignty and integrity of India, security of the State, friendly relations with the foreign states, maintenance of public order or preventing incitement to any cognizable offence relating to any of these.”
  • Storage limitation does not apply to government agencies which means they can continue to retain personal data for an unlimited period of time.

Personal data processing of children :

  • The DPDP 2022, follows the same approach as PDP, 2019.
  • The digital consent age which means the age at which an individual can give consent to their personal data being processed, continues to be 18.
  • Therefore, the parental/guardian consent would be required to process the data of children below age of 18.


  1. The high threshold of 18 years negates evolving capacity as it does not differentiate between the consent of toddler and teenager.
  2. It would result in unequal access to the internet.
  3. Requirement of consent from parents would hamper the autonomous development of child since parents may not want their kids to be exposed to the view points contradictory to them.

Such restrictions are in violation of India’s obligations under the CONVENTION ON THE RIGHTS OF THE CHILD, 1989. India ratified this convention in 1992.

Significance of the bill :

  • Foster country – to – country trade agreements : The bill offers a relatively soft stand on data localization requirements and permits data transfer to select global destination based on some predefined assessments.
  • DRIVES ECONOMY AND BUSINESS : The bill makes relatively easier for global enterprises to operate and process data with their current setup rather than mandatorily developing large infrastructure in India storing and processing of personal data.


  • Centralization of powers :
    The bill reduces the scope of the proposed Data protection board of India(DPB).Out of the 22 clauses in the DPDP bill, the central government has been provided with rule making power in around 14 clauses.
  • Lack of right to data portability :
    The right to portability allows the individual to collect all the data that he/she has given to any organization. It empowers the individual to transfer his/her data from one entity to another entity if he is not satisfied with the services being provided.
  • Right to be forgotten :
    It allows the data principal to ask the data fiduciary to stop the continuing disclosure of their personal data. The DPDP bill,2022 subsumes this right under the right to erasure. This conflation between the two compromises on the right to freedom of speech and expression.
  • Disempowering the data principals :
    The DPDP bill,2022 does not allow the data principals to seek compensation from data fiduciaries for  harms they have suffered due to unlawful suffering.
  • Duties on data principals :
    The bill in a very unusual move places duties on data principals. If they are non-compliant it could lead to penalties up to Rs 10,000.

Way forward :

  • The bill tries to balance the interests of industry and data principal but government being the largest data fiduciary should keep itself at an arm’s length from the regulatory bodies.
  • The proposed Data Protection Board of India members should be selected based on transparent and fixed criteria.
  • The issue of right to be forgotten should be dealt to create the balance between right to information and right to privacy. Supreme Court in Puttaswamy judgement declared that right to privacy is fundamental right under article 21-RIGHT TO LIFE AND PERSONAL LIBERTY.
  • The issue of right of data portability should be taken care of in order to promote healthy competition among different companies.