skip to Main Content

Legal Update | Digital Personal Data Protection Bill, 2022

Co-authored by Manav Raheja (Senior Partner), Kanisha Vora (Partner), Avadhoot Potnis (Associate)

The Ministry of Electronics and Information Technology released the much-awaited draft Digital Personal Data Protection Bill, 2022 (“Draft Bill”) on 18 November 2022, which is a more concise draft legislation than its previous versions. Following are the key takeaways from the Draft Bill:

1. Scope
The Draft Bill applies to the ‘automated processing of digital Personal Data’, and in addition to the processing of digital Personal Data in India, it also applies to the processing of such data outside India in connection with any profiling of or activity of offering goods/services to Data Principals (any natural person to whom the personal data pertains) within India. 

The Draft Bill specifically excludes, inter-alia, non-automated processing of Personal Data, and offline Personal Data. It remains to be seen if separate legislations will be introduced to cover these exclusions.

Further, ‘Personal Data’ has been defined to mean any data about an individual who is identifiable by or in relation to such data. Unlike previous iterations of the bill, Personal Data is not categorized into ‘sensitive’ and ‘critical’ Personal Data. 

2. Consent
While consent continues to be the basis for collecting and processing Personal Data, the Draft Bill introduces the concept of deemed consent in certain instances, such as in public interest, in furtherance of applicable laws, for employment purposes, etc.  

3. Cross Border Data Transfer
Cross-border transfers of Personal Data can only be undertaken to specific countries which are to be designated by the Central Government, based on the factors which are still to be prescribed. 

4. Central Government to make Rules
Rules on various aspects are to be made by the Central Government, such as the fair and reasonable purposes for which Personal Data can be processed without consent, the manner in which data breaches are to be notified by Data Fiduciaries and Data Processors, etc

5. Penalties
There has been a significant change from turnover-based penalties under previous iterations of the Draft Bill to the right of the Data Protection Board to impose penalties from INR 50 crore to INR 500 crore, depending on the nature of the non-compliance. Further, there is no provision for any statutory compensation for any aggrieved Data Principal, as was provided under section 43A of the Information Technology Act, 2000. 

Penalties are also now contemplated for breach by Data Principles of their duties (including not furnishing false particulars when applying for any document or service, complying with all applicable laws while exercising rights under the Draft Bill, etc) which can extend up to INR 10,000. 

6. Exemptions
The Central Government may exempt government agencies from the scope of the Draft Bill. The inclusion of Joint Parliamentary Committee’s recommendation that exemptions provided need to be subject to just, fair, reasonable, and proportionate procedures has not been included. Further, wide-ranging exemptions from certain provisions of the Draft Bill have been provided for, inter-alia, prevention of offenses, prevention of dissemination of false statements, and Data Fiduciaries which may be notified.  

In addition, it may be noted that a specific exemption has been provided for processing the Personal Data of foreign data principals under a cross-border contract. 

The Draft Bill is open for public comments till December 17, 2022. While the Draft Bill appears to be an attempt to provide a simple data privacy regime for India, it would need to be considered along with the prescribed rules, as well as any further iterations pursuant to comments from stakeholders.

Back To Top


The Bar Council of India does not permit soliciting work or advertising by advocates in any manner or form. By clicking on "AGREE" below, the user acknowledges and confirms that:

  1. There has been no advertisement, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
  2. The website is a resource solely for the purpose of providing general information about Veritas Legal at the user’s own risk, cost and liability; 
  3. The information provided in this website shall not be construed as legal advice or create any lawyer-client relationship in any manner whatsoever; 
  4. The links provided on this website shall in no way be considered referrals, endorsements or affiliations with the linked entities and Veritas Legal shall not hold responsibility for the content of such links.

The user shall not hold Veritas Legal responsible for any action taken relying upon the content of the website. In cases where the user has any legal issues and requires assistance, he/she/it must seek independent legal advice.