The Union Cabinet on Wednesday, 5 July, approved the draft Digital Personal Data Protection Bill, 2022, according to multiple news reports.
The bill was first introduced in November 2022 and reportedly went through several rounds of public consultation as well as inter-ministerial discussions. Following this, a second draft of the bill was prepared.
Reports also claimed that the draft legislation, which primarily pertains to the processing of digital personal data of citizens, will be tabled for passage in the upcoming Monsoon Session of Parliament.
In a landmark 2017 judgment, the Supreme Court had held privacy to be a fundamental right of every Indian citizen, and had directed the central government to establish a data protection regime. The introduction and passage of this bill would end the six-year-long wait for the same.
The Cabinet's ascension of the bill also comes amid increasing instances of cyberattacks and data breaches, such as the alleged breach of the CoWIN vaccination portal that may have exposed the sensitive data of lakhs of Indians.
Déjà Vu?
This is not the first time that the Union Cabinet has cleared a data protection bill. The government had earlier tabled the Personal Data Protection Bill, 2019, in Parliament. Later, this draft bill was revised based on recommendations by a joint parliamentary committee.
However, in a surprising turn of events, Union Minister of IT Ashwini Vaishnaw withdrew the bill entirely in August 2022.
"The Personal Data Protection Bill, 2019 was deliberated in great detail by the Joint Committee of Parliament. 81 amendments were proposed and 12 recommendations were made towards comprehensive legal framework on digital ecosystem," the government statement read.
"Considering the report of the JCP, a comprehensive legal framework is being worked upon. Hence, in the circumstances, it is proposed to withdraw 'The Personal Data Protection Bill, 2019' and present a new bill that fits into the comprehensive legal framework," the statement added.
Key Points of Draft DPDP Bill, 2022
The scope of the draft Digital Personal Data Protection Bill, 2022, is limited to online personal data belonging to the data principal (or user). Hence, it does not offer protection of an Indian user's offline personal data.
The user also has to give their consent for data fiduciaries (companies) to process their personal data, as per the draft bill. However, the user is deemed to have given their consent for data processing in the event of a medical emergency, disaster, breakdown of public order, court order, etc.
Under the draft DPDP Bill, 2022, data principals have certain rights such as the right to information about your personal data, the right to correct and erase your personal data, the right to register a grievance with a data fiduciary, etc.
Notably, the draft bill carves out exemptions for "any instrumentality of the State" as well as certain types of data fiduciaries and organisations that process data for law enforcement or judicial purposes.
But most importantly, the draft bill proposes the establishment of the Data Protection Board of India (DPBI) whose functions would include determining non-compliance with the law, adopting "urgent measures" to curb data breaches, and performing any other functions assigned by the government.
The strength and composition of the Data Protection Board, as well as the process of selection and removal of its chairperson and other members, are all "as may be prescribed."
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)