The Indian government has released a new draft of the data protection bill and is seeking public feedback on it. The Digital Data Protection Bill 2022 was described as modern legislation by Rajeev Chandrashekhar, Minister of State, Ministry of Electronics and Information Technology (MeitY), and is part of a comprehensive framework of laws and rules.

The industry has praised the new draft, saying it is a step in the right direction and strikes a balance between encouraging innovation and protecting user rights. However, some observers have expressed reservations.

“In particular, we note that many obligations applicable to data fiduciaries and processors, as well as data processing mechanisms, have been simplified, which will likely make compliance easier.” However, a significant portion of the rule making will most likely take place through rules and guidelines issued under the proposed law. “We look forward to collaborating with the government in developing these rules and the emerging data protection framework in India, as well as supporting the government’s goal of a $1 trillion digital economy,” said Shahana Chatterji, Partner at Shardul Amarchand Mangaldas & Co.

Rupinder Malik, Partner at J. Sagar Associates (JSA), India’s leading national law firm, agrees. “The 2022 DPDP Bill has simplified the proposed data protection regime and removed some contentious clauses that caused industry push back in earlier versions,” she said. She does, however, note that some clauses, such as those dealing with data mirroring, data localisation requirements, and overall compliances, appear to be limited in comparison to the previous Bill.

Amit Jaju, Senior Managing Director, Ankura Consulting Group (India), has also expressed concerns, particularly about the provision for the transfer of personal data outside India, which, according to the new draft, states that the center may, after an assessment of such factors as it deems necessary, notify such countries or territories outside India to which a data fiduciary may transfer personal data, subject to the terms and conditions specified.

“The reborn draft is simpler, but it contains some contentious elements.” The requirement for data localization has been dropped, which contradicts the stance of other regulators such as the RBI. “Thankfully, non-personal data is no longer included in the scope,” Jaju said.

According to the draft bill, the government has proposed a penalty for failure of a data fiduciary (defined as any person who alone or in conjunction with other persons determines the purpose and means of processing personal data) and data processor (defined as any person who processes personal data on behalf of a data fiduciary) to take reasonable security safeguards to prevent a personal data breach under the act.