India releases first draft of revised data protection law

The government of India has started the consultation process for the revamped data protection law, which is expected to replace the personal data protection (PDP) bill of 2019 that was withdrawn in August. 

Earlier today, the Ministry of Electronics and Information Technology (MeitY) released the first draft of the new data protection law, called the Digital Personal Data Protection Bill, 2022, for feedback from the industry. 

“The current draft of the Bill carries forward the understanding that emerged during consultation with stakeholders in the process of drafting the Personal Data Protection Bill, 2019,” MeitY said in an explanatory note published Friday. 

The first draft of the Digital Personal Data Protection Bill, 2022 focuses entirely on personal data with no mention of non-personal data. It emphasizes a great deal on the clarity of language so users can understand what personal data they are handing over to companies. For instance, it requires data fiduciaries (the person responsible for determining the purpose of data being collected) to give data principles “itemised notice in clear and plain language” with a description of the personal data they will collect. 

Similarly, any request for consent to a data principal should be in clear and plain language. Data fiduciaries are also required to share the contact details of a Data Protection Officer,

The new bill also recommends that a data fiduciary should acquire consent from parents before processing any personal data of children. The bill also relaxes data localisation norms- it recommends that data fiduciaries can transfer personal data to certain countries or territories outside India after approval from the government of India. 

It also recommends the setting up of a body called the Data Protection Board of India for hearing complaints and slapping fines on companies for non-compliance with the proposed data laws. 

Back in August, when the 2019 bill was withdrawn, IT and electronics minister Ashwini Vaishnaw said in Lok Sabha, that the joint parliamentary committee (JPC) raised several concerns with the bill. The JPC proposed 81 amendments and made 12 recommendations for a more comprehensive legal framework, the minister added. 

Privacy and data rights experts also criticized the later versions of the PDP bill for diluting personal data with non-personal data. They also flagged that governments could process personal data without consent for delivering services. It was also noted that the bill allowed data principals to withdraw consent for the processing of personal data by companies, the process of exercising the right was complex. 

Industry bodies representing big tech companies also criticized the bill for restricting the storage of certain types of sensitive personal data like biometrics outside India.