India’s Ministry of Electronics and IT has opened a consultation on its freshly proposed comprehensive privacy legislation, DPDP 2022

After many study commissions and multiple serious attempts at a comprehensive data privacy bill, India’s Ministry of Electronics and Information Technology has proposed a new draft privacy bill, and has opened a public consultation regarding the draft until 17 December 2022.

The Ministry states that the proposed bill, the Digital Personal Data Protection Bill 2022 ( DPDP 2022 ), will establish a “comprehensive legal framework governing digital personal data protection in India,” and that the Bill “provides for the processing of digital personal data in a manner that recognizes the right of individuals to protect their personal data, societal rights and the need to process personal data for lawful purpose.” The Ministry has published an explanatory note regarding the legislation, which is available here.

The legislation is built on principles that will be familiar to privacy experts. Here, quoting from the explanatory note:

The first principle is that usage of personal data by organisations must be done in a manner that is lawful, fair to the individuals concerned and transparent to individuals
The second principle of purpose limitation is that the personal data is used for the purposes for which it was collected
The third principle of data minimisation is that only those items of personal data required for attaining a specific purpose must be collected.
The fourth principle of accuracy of personal data is that reasonable effort is made to ensure that the personal data of the individual is accurate and kept up to date.
The fifth principle of storage limitation is that personal data is not stored perpetually by default. The storage should be limited to such duration as is necessary for the stated purpose for which personal data was collected.
The sixth principle is that reasonable safeguards are taken to ensure that there is no unauthorised collection or processing of personal data. This is intended to prevent personal data breach.
The seventh principle is that the person who decides the purpose and means of processing of personal data should be accountable for such processing.

The most recent version of India’s privacy bill prior to this new draft was controversial on several counts, including requirements for data localization. The new DPDP Bill 2022 proposal contains quite a few changes, and there is an overall more streamlined approach that focuses on India’s significant “digital first” efforts.

First, the bill does not mandate data localization. This is a major change from the 2021 bill.

Second, of note in this bill is an historic use of “she” and “her” in legislation to refer to all individuals, regardless of gender.

Third, the term “Data Fiduciary” remains, and is further defined. This provides the potential for advances in legislative approaches at a national level in India. It also provides a slightly different model of approach to data-protection related challenges for other jurisdictions to consider.

Fourth, the bill conceives of a new ecosystem of what it is calling “consent managers.” This is, at least in part, an outgrowth of India’s exceptional digital-first ecosystem, which is largely comprised of its digital identity ecosystem and digital backbone, Aadhaar, with more than 1.3 billion enrollees. This digital backbone differentiates India from all other countries in the world at this point in time; no other country has an ecosystem that is comparable. Consent at scale within a 1-billion-person – plus digital ecosystem is a daunting task; this portion of the proposal is as novel as it is important.

Fifth, the bill would establish a central Data Protection Board of India. The board will function independently, which is unchanged from the 2021 draft. The scope and function of the board, however, appears to have been shifted subtly. It would operate similar to a Data Protection Authority, but the board would function in a slightly different way than envisioned in the 2021 proposal. The 2022 language is notable in that it conceives of this board as “digital by design” in its operations and functions. Section 21 (1) states: “The Board shall function as an independent body and, as far as possible, function as a digital office and employ such techno-legal measures as may be prescribed.”

Sixth, Section 17 would allow the transfer of data outside of India, conditioned on requirements that the countries are assessed by the Indian government and then are notified of this assessment. Given the brevity of Section 17, implementing regulations will be needed to determine the particulars of this procedure. There is no indication in the current bill text that any data localization requirements are present in the bill. The entirety of Section 17 states: “The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified.”

This analysis of the new bill is quite brief, and is by no means complete. WPF will be publishing additional thoughts on the proposal.

India’s Ministry of Electronics and IT has opened a consultation on its freshly proposed comprehensive privacy legislation, DPDP 2022

Related Documents:

Information about the public consultation regarding the proposed India DPDP 2022 is available here

The text of the India DPDP 2022 is available here.