Skip to content

Digital Personal Data Protection Bill: Critical Analysis

  • by
  • 6 min read

The lower house of India’s parliament has given the green light to a revised Digital Personal Data Protection bill, reintroduced by Ashwini Vaishnaw, the IT minister of India, after its previous proposal was abruptly withdrawn last year following pushback from tech giants and allegations of violating the right to privacy.

The legislation has ignited debates due to concerns over the discretionary powers it grants to the government and its potential impacts on individual privacy rights.

The bill aims to regulate the collecting, processing and transferring of personal data in India. One of its key provisions requires companies to obtain explicit user consent before processing their data.

Let us thoroughly analyse the revised Digital Personal Data Protection Bill, which has been discussed in 2019, 2021, 2022 and again in 2023 and understand the revised version of the bill.

Unbridled powers to the government

However, exemptions are provided concerning “certain legitimate uses”, allowing platforms to collect personal data voluntarily provided by users, such as sharing payment receipts or offering public services. This has raised concerns about the potential misuse and exploitation of user data without their informed consent.

Notably, the bill empowers the government with decision-making powers, including the authority to waive compliance requirements for specific data fiduciaries, including startups.

Chapter 4 Section 18, titled ‘Exemptions’, give powers to the government to issue a notification that certain Data Fiduciaries to whom many important sections of the Act will not apply.

Moreover, the government can use a broad range of exemptions in sub-clause (2) to exempt an entity from the provisions of the Bill. The Bill also does not require government agencies to delete personal data even after the purpose of data processing has been met. The bill could then very well be used for creating a surveillance state in the country.

“The Digital Data Protection Bill 2023 has been introduced as a financial bill. The government has been given a lot of powers under the bill, and no sufficient legislative guidance is provided regarding these. Section 43 A of the IT Act, which provided a remedy to aggrieved persons to get compensation, has been deleted. However, the bill does not provide for compensation to be granted for data principals whose privacy has been violated and has suffered a loss. Deemed consent that had raised red flags earlier has been reworded but principally remains the same. Data Principals have been saddled with duties and penalties prescribed for acting in violation of these,” SFLC, a New-Delhi-based legal not-for-profit organisation, told Candid.Technology.

Cross-border transfer of data: Instrument of surveillance?

Photo by Novikov Aleksey /
Photo by Novikov Aleksey /

The government can also designate countries where the transfer of users’ data is prohibited, altering the previous draft’s provision of allowing transfers to “notified countries and territories” under Section 17 of the Bill.

Critics argue that these discretionary powers could increase state surveillance and undermine individuals’ privacy rights.

Also, some question the effectiveness of this Section itself. The aim of the regulation seems to be to protect the personal data of Indian citizens outside the country. However, it requires a tedious case-by-case analysis of the data laws and standards in every world country. Selective restrictions on some countries will not help in protecting data, although it can protect India’s national interest by restricting data flow to those countries which are detrimental to the country.

“The cross-border data flow has been changed from allow listing to a blocklisting regime, which is a welcome change. However, such data transfer restrictions are permitted in the case of specific laws. A problematic provision is a clause added in the bill for blocking a computer resource which could be used for blocking websites and applications. Although the consultation process took a long time, the Government does not seem to have considered the inputs from stakeholders and recommendations from the JPC,” SFLC told Candid.Technology.

Data Protection Board: A vassal of government?

The legislation also establishes a data protection board under Section 19 responsible for overseeing data privacy matters.

“The Central Government shall, by notification, establish, for this Act, a Board to be called the Data Protection Board of India. The allocation of work, receipt of complaints, formation of groups for hearing, pronouncement of decisions, and other functions of the Board shall be digital by design.”

However, critics point out that the government selects all the board members. And as such, the board will act as a vassal of the government and can pass orders in favour of the government.

Moreover, there are certain apprehensions regarding the appointment of the Chief Executive of the board. Usually, in important positions like the Chief Election Commissioner, there is an appointment committee comprising the PM, the opposition leader and other cabinet members. However, there is no provision for an appointment or selection committee in the Bill, which could give unbridled powers to the government in matters of appointment.

Furthermore, the tenure of the members is also a concern. The members of the Data Protection Board will serve only two years without the option of re-appointment.

The board members are also exempted from legal proceedings for any work done in good faith under Chapter 19 clause (6) of this Bill. This, in turn, means that the government is also exempt from the legal issues that might arise due to misuse of the Bill once it becomes an act.

Clause (6) reads as follows:

“No suit, prosecution or other legal proceedings shall lie against the Board or its Chairperson, Member, employee or officer for anything which is done or intended to be done in good faith under the provisions of this Act.”

Although the bill is a significant step towards having similar legislation as Europe’s GDPR, the bill gives much more power to the legislature than anticipated, thereby considerably weakening the freedom of speech and expression of the citizens.

In the News: Pyarmor Pro upgrade boosts Batloader malware’s stealth capability

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: