The Deemed Data Protection Bill, 2022



The Boring Part: DPB 2019

The Data Protection Bill 2019 (DPB 2019) was introduced in the lower house of the Indian parliament, the Lok Sabha, on December 11, 2019. It sought to provide a framework for the regulation of data processing activities in India. It was criticized by privacy advocates for its weak protections for data subjects and its failure to address key concerns related to data governance. The bill was pending before a parliamentary committee, but was withdrawn on August 3, 2022.

The DPB 2019's (promised) key features were:

Establishing the Data Protection Authority of India (DPAI) as the primary regulator of data processing activities in India.

Vesting the DPAI with the power to issue guidelines, conduct investigations, and impose penalties for violations of the data protection regime.

Requiring data processors to take reasonable security measures to protect data from unauthorized access, disclosure, or destruction.

Requiring data processors to provide data subjects with access to their data upon request and to allow them to correct or delete inaccurate data.

Exempting certain data processing activities from compliance with the data protection regime, including activities relating to national security, law enforcement, and research.

Including specific provisions for the transfer of data to foreign jurisdictions.

Imposing fines of up to Rs. 5 crore (approx. US$700,000) or 2% of a data processor's global turnover, whichever is higher, for violations of the data protection regime.

Critics were quick to point out many issues with the DPB 2019. For instance, it did not require companies to get consent from individuals before collecting, using or sharing their personal data. It also did not place any restrictions on how companies could use or share individuals' biometric data, or even require companies to disclose data breaches to affected individuals. It did not give individuals the right to know what personal data is being collected about them (which makes sense given they were classified as data 'subjects').

Fast forward to 2022: the government seems to have taken heed of some of these concerns while drafting the Data Protection Bill 2022. Or at least it says so.

The DPB 2022 plays the ambiguity card well, preserving real rule-making power through deferred standards and deemed consent.
