Cabinet Clears Much-Awaited Digital Personal Data Protection Bill: Report

The Union Cabinet on Wednesday, 5 July, approved the draft Digital Personal Data Protection Bill, 2022, according to multiple news reports.

The bill was first introduced in November 2022 and reportedly went through several rounds of public consultation as well as inter-ministerial discussions. Following this, a second draft of the bill was prepared.

In a landmark 2017 judgment, the Supreme Court had held privacy to be a fundamental right of every Indian citizen, and had directed the central government to establish a data protection regime. The introduction and passage of this bill would end the six-year-long wait for the same.

The Cabinet's ascension of the bill also comes amid increasing instances of cyberattacks and data breaches, such as the alleged breach of the CoWIN vaccination portal that may have exposed the sensitive data of lakhs of Indians.

This is not the first time that the Union Cabinet has cleared a data protection bill. The government had earlier tabled the Personal Data Protection Bill, 2019, in Parliament. Later, this draft bill was revised based on recommendations by a joint parliamentary committee.

However, in a surprising turn of events, Union Minister of IT Ashwini Vaishnaw withdrew the bill entirely in August 2022.

"Considering the report of the JCP, a comprehensive legal framework is being worked upon. Hence, in the circumstances, it is proposed to withdraw 'The Personal Data Protection Bill, 2019' and present a new bill that fits into the comprehensive legal framework," the statement added.

The scope of the draft Digital Personal Data Protection Bill, 2022, is limited to online personal data belonging to the data principal (or user). Hence, it does not offer protection of an Indian user's offline personal data.

The user also has to give their consent for data fiduciaries (companies) to process their personal data, as per the draft bill. However, the user is deemed to have given their consent for data processing in the event of a medical emergency, disaster, breakdown of public order, court order, etc.

Notably, the draft bill carves out exemptions for "any instrumentality of the State" as well as certain types of data fiduciaries and organisations that process data for law enforcement or judicial purposes.

But most importantly, the draft bill proposes the establishment of the Data Protection Board of India (DPBI) whose functions would include determining non-compliance with the law, adopting "urgent measures" to curb data breaches, and performing any other functions assigned by the government.