article featured image


On Friday, November 18, 2022, the Indian government proposed a new online data protection regulation version.

The Digital Personal Data Protection Bill 2022 is the fourth attempt, since 2018, to secure users’ personal data, seek their consent for the information that will be collected, and also disclose the purpose of that data collection.

The proposal is available for public comment until December 17, 2022.

Details about the Digital Personal Data Protection Bill 2022

This legislation aims to prevent abuse while boosting responsibility and trust in the digital field. The 760 million active internet users in India need protection by imposing privacy regulations on online platforms.

The purpose of the draft Bill is to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto.


The main directions of the current form of the Digital Personal Data Protection Bill 2022 are:

  • Organizations are required to implement sufficient security measures to protect user information and to let users know if a data breach
  • If an account is deleted from an online platform, the user’s data should not be retained any longer.
  • If a company fails to prevent a data breach, it can be fined up to ₹250 crores ($30.6 million), and in the case of failure to notify users of a data breach the fine is up to ₹500 crores ($61.3 million).
  • Online users can require organizations to know what data have they shared with third parties, and ask that their data will be deleted or updated.
  • Companies must implement data minimization requirements as well as additional safeguards to prevent the illegal gathering or handling of personal information.
  • Data localization is no longer mandatory, this will allow companies to transfer personal data outside of Indian geographical borders to specific countries and territories.
  • A government-appointed Data Protection Board will be established to manage meeting these rules.

Problems Are Already Showing

The Digital Personal Data Protection Bill 2022 also exempts the Indian government from the provisions of this law “in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offense relating to any of these”, according to The Hacker News.

Experts are worried that this way of putting aside any form of data protection regulations for the authorities will open the door to mass surveillance.

“If the law is not applied to government instrumentalities, data collection and processing in the absence of any data protection standards could result in mass surveillance. Any exemption sought by government agencies should be granted only if they fulfill the standards of legality, necessity, and proportionality. It is essential that government collection and processing of citizen data is regulated to prevent misuse of use”, warns the Internet Freedom Foundation (IFF).

The authorities try to conceive a Digital Personal Data Protection Bill since 2017, but the previous version of the bill was introduced in December 2021 and erased in August 2022 due to a large number of changes.

If you liked this article, follow us on LinkedInTwitterFacebookYouTube, and Instagram for more cybersecurity news and topics.

Author Profile

Andreea Chebac

Digital Content Creator

Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content.