The Indian government has unveiled a draft of the much-anticipated Digital Personal Data Protection Bill, marking the fourth attempt to establish comprehensive data protection legislation since its initial proposal in July 2018. This draft aims to enhance personal data security while emphasizing user consent through clear and straightforward language regarding the types of data collected and their intended purposes.

The Digital Personal Data Protection Bill, 2022 entered the public consultation phase, allowing stakeholders to review and provide feedback until December 17, 2022. Given that India has more than 760 million active internet users, there is a pressing need for stringent privacy regulations to safeguard online data and foster public trust.

The Indian government stated, “The Bill will establish a comprehensive legal framework governing digital personal data protection in India.” It recognizes both individual rights to data protection and societal needs to process personal data for legitimate purposes. In its current form, the bill requires companies, classified as data processors, to implement robust security measures for user data, inform users of any breaches, and cease data retention upon user request.

According to an explanatory note from India’s Ministry of Electronics and Information Technology (MeitY), personal data should be retained only as long as necessary for the specific purpose of its collection. Noncompliance can result in financial penalties totaling up to ₹500 crores (approximately $61.3 million) for companies that either fail to prevent breaches or neglect to notify users of these incidents.

In line with recent trends in data privacy, the draft empowers users to request details about their data shared with third parties and to modify or erase data that is inaccurate. Importantly, the proposal includes data minimization requirements aimed at curbing unnecessary data collection and processing by companies.

Significantly, the draft has moved away from mandatory data localization, permitting major technology firms to transfer personal data across national borders to specified countries, provided they comply with relevant international guidelines. This change may ease operational burdens for multinational organizations but raises questions about data sovereignty.

The legislation also aims to establish a Data Protection Board, an appointed authority to oversee compliance efforts, further solidifying the regulatory framework. However, the central government has been exempted from the act’s provisions under clauses that prioritize national sovereignty and security. Critics, including the Internet Freedom Foundation, warn that such exemptions could enable excessive surveillance and undermine individual privacy rights.

The introduction of this draft bill follows a previous version introduced in December 2021, which was ultimately withdrawn due to numerous amendments and recommendations. The movement towards a data protection framework has gained momentum since 2017 when the Indian Supreme Court affirmed the right to privacy as a fundamental constitutional right, following a landmark case initiated by retired High Court Judge K.S. Puttaswamy.

In assessing potential security implications, the MITRE ATT&CK framework could suggest that tactics such as Initial Access and Privilege Escalation may be relevant. Given the scale of affected users, the potential for malicious actors to exploit vulnerabilities during data processing and sharing is a concern for businesses and regulators alike. As India fortifies its approach to digital privacy, stakeholders must remain vigilant about both compliance and the evolving landscape of data security.
