The Digital Personal Data Protection Bill 2022 was released by the Government of India in November 2022 for public comments and feedback.
This is the feedback submitted to the Government by Bestfit, summarised in PPT form for easy comprehension.
1. www.bestfitsolutions.in 1
nmds@bestfitsolutions.in
Feedback on The Draft Digital Personal Data Protection Bill, 2022
submitted to MeitY
Nanda Mohan Shenoy D
CAIIB, DBM-Part I, NSE Certified Market Professional Level-1, PG Diploma in IRPM, PG Diploma in
EDP and Computer Management, DIM, LA ISO 9001, LA ISO 27001, NISM empanelled CPE Trainer
Director
Mr Nanda Mohan Shenoy
CDPSE, CISA, CAIIB
Structural Issues – A01
Rationale
1. The word “individual” is also used in the same Act with a different meaning and context, which can be
confusing. Refer to 6(2)(b): “itemised” means presented as a list of individual items; and
21(3): The Board may authorise conduct of proceedings relating to complaints by individual Members or
groups of Members.
2. Standardise the wording in line with international laws, which use “Natural Person”.
Existing Section
Word ‘Individual’ used in multiple places (15 occasions)
Recommended Section
Replace ‘Individual’ with ‘natural person’ except in
clauses 6(2)(b) & 21(3)
Chapter No: 1 (Preamble), Clause No: 2(3), 2(6), 2(8), 2(12), 2(13), 3(3), 4(3)(c), 4(3)(d)
Chapter No: 2, Clause No: 8(4), 8(5), 8(6), 11(2), 15, 19(3), 30(2)
Structural Issues – A02
Rationale
Harm does not include mental harm and is restricted to bodily harm.
Existing Section
“harm”, in relation to a Data Principal, means -
a. any bodily harm; or
b. distortion or theft of identity; or
c. harassment; or
d. prevention of lawful gain or causation of
significant loss;
Recommended Section
“harm”, in relation to a Data Principal, means -
a. any bodily harm or mental harm; or
b. distortion or theft of identity; or
c. harassment; or
d. prevention of lawful gain or causation of
significant loss;
Chapter No: 1, Clause No: 2(10)
Structural Issues – A03
Rationale
Sec 30 is as follows:
(1) The Information Technology Act, 2000 (“IT Act”) shall be amended in the following manner:
(a) section 43A of the IT Act shall be omitted.
Sensitive Personal Data has been in place for a while and needs to continue, as it requires additional protection.
Existing Section
Definition of Sensitive Personal Data is missing
Recommended Section
“Sensitive Personal data” means personal data
which needs additional safeguards and shall be
as prescribed.
Chapter No: 1, Clause No: 2
Structural Issues – A04
Rationale
The phrase “in writing” is used 6 times in the Bill. In this digital world it looks absurd. Section 4 of the IT Act 2000
has already stated what constitutes writing; for clarity, add that definition.
Alternatively, substitute “for reasons to be recorded in writing” with “for reasons to be recorded and
communicated”.
Existing Section
Definition of writing needs to be introduced
Recommended Section
"in writing" shall include communication in
electronic form as defined in clause (r) of sub-
section (1) of section 2 of the Information
Technology Act, 2000 read along with Sec 4
Chapter No: 1, Clause No: 2
Structural Issues – A05
Rationale
Bad in law; not a legal term. This is already covered by Section 13 of the General Clauses Act 1897
(Gender and number): “In all [Central Acts] and Regulations, unless there is anything
repugnant in the subject or context, —
(1) words importing the masculine gender shall be taken to include females; and
(2) words in the singular shall include the plural, and vice versa.”
The sub-section is contradictory, can be challenged in court, and will also restrict the reference to ‘her’.
Existing Section
(3) the pronouns “her” and “she” have been used
for an individual, irrespective of gender.
Recommended Section
1. Delete the sub-section:
(3) the pronouns “her” and “she” have been
used for an individual, irrespective of gender.
2. All ‘her’ to be replaced by ‘him’ (44 instances)
Chapter No: 1, Clause No: 3(3)
Structural Issues – A06
Rationale
The jargon must be standardised. Move this section to the definitions at the
appropriate place.
Existing Section
For the purpose of this sub-section, “profiling”
means any form of processing of personal data
that analyses or predicts aspects concerning the
behaviour, attributes, or interests of a Data
Principal.
Recommended Section
Move the clause as it is to definitions
Chapter No: 1, Clause No: 4(2)(3)
Structural Issues – A07
Rationale
No clarity:
1. Personal data is already defined as that of ‘an individual’ in sec 2; repeating it here is redundant
and bad in law.
2. It is not clear whether it applies to a physical record or an electronic record.
3. 100 years from when is not mentioned. Is it on a rolling basis?
4. The construction of the sentence itself is not understandable to the common man; it needs to be rephrased.
5. Also explore the possibility of shifting the entire clause 4(3) (Applicability) to the Schedule so that there
is flexibility to add further items as and when required. Schedule One of the IT Act 2000 is very clear; this
should be on similar lines.
Existing Section
personal data about an individual that is
contained in a record that has been in existence
for at least 100 years.
Recommended Section
personal data in the form of an electronic record
which is more than 100 years old, on a rolling
basis.
Chapter No: 1, Clause No: 4(3)(d)
Structural Issues – A08
Rationale
1. There is a lot of difference between colloquial language and written language. The wording must be changed.
2. “Itemised” lacks clarity.
3. The Data Protection Officer and other details in clause 7(3) must be shifted here, as they should logically be part of
the notice and not of the consent. Hence the clause is shifted here.
Existing Section
On or before requesting a Data Principal for her
consent, a Data Fiduciary shall give to the Data
Principal an itemised notice in clear and plain
language containing a description of personal data
sought to be collected by the Data Fiduciary and
the purpose of processing of such personal data.
Recommended Section
(1) On or before requesting a Data Principal for her
consent, a Data Fiduciary shall give to the Data
Principal an itemised notice in clear and simple
language containing a description of personal data
sought to be collected by the Data Fiduciary and
the purpose of processing of such personal data.
(a) “itemised” means presented as a list of individual
items grouped topic wise and serially numbered.
(2) The notice shall contain the contact details of a Data
Protection Officer, where applicable, or of any other person
authorised by the Data Fiduciary to respond to any
communication from the Data Principal for the purpose of
exercise of her rights under the provisions of this Act
Chapter No: 2, Clause No: 6(1)
Structural Issues – A09
Rationale
“In the same document” is not transparency. The notice needs to be communicated to the
customer; otherwise the objective of transparency is not achieved. It could be tricky, as the Data
Principal will not have a copy of the notice.
Existing Section
“notice” can be a separate document, or an
electronic form, or a part of the same
document in or through which personal data
is sought to be collected, or in such other
form as may be prescribed.
Recommended Section
“notice” can be in physical form or electronic
form a separate document, or an electronic
form, or a part of the same document in or
through which personal data is sought to be
collected, or in such other form and shall be
communicated to the Data Principal as may
be prescribed.
Chapter No: 2, Clause No: 6(2)(a)
Structural Issues – A10
Rationale
1. We are talking about Digital India and, on the other hand, talking about photocopies. This
illustration must be redrafted.
2. Refer to Point A09 above for deletion of the last sentence.
Existing Section
Illustration: ‘A’ contacts a bank to open a regular
savings account. The bank asks ‘A’ to furnish
photocopies of proof of address and identity for
KYC formalities. Before collecting the
photocopies, the bank should give notice to ‘A’
stating that the purpose of obtaining the
photocopies is completion of KYC formalities. The
notice need not be a separate document. It can
be printed on the form used for opening the
savings bank account.
Recommended Section
Illustration: ‘A’ contacts a bank to open a
regular savings account. The bank asks ‘A’ to
furnish photocopies of proof of address and
identity for KYC formalities. Before collecting the
proof photocopies, the bank should give notice
to ‘A’ stating that the purpose of obtaining the
photocopies proof is for completion of KYC
formalities and is a legal requirement. The
notice need not be a separate document. It can
be printed on the form used for opening the
savings bank account.
Chapter No: 2, Clause No: 6(2)
Structural Issues – A11
Rationale
1. There is a lot of difference between colloquial language and written language. The word ‘plain’ must be
changed.
2. The Data Protection Officer and other details in clause 7(3) must be shifted to clause 6(1), as they should be
logically part of the notice and not of the consent.
3. The sections must be standardised. In section 6 the local-language clause is a separate sub-section,
whereas in section 7 it is not; hence it is converted into a sub-section.
Existing Section
Every request for consent under the provisions of this Act
shall be presented to the Data Principal in a clear and plain
language, along with the contact details of a Data Protection
Officer, where applicable, or of any other person authorised
by the Data Fiduciary to respond to any communication from
the Data Principal for the purpose of exercise of her rights
under the provisions of this Act. The Data Fiduciary shall
give to the Data Principal the option to access such request
for consent in English or any language specified in the
Eighth Schedule to the Constitution of India.
Recommended Section
Every request for consent under the provisions of this Act
shall be presented to the Data Principal in a clear and
simple language, along with the contact details of a Data
Protection Officer, where applicable, or of any other person
authorised by the Data Fiduciary to respond to any
communication from the Data Principal for the purpose of
exercise of her rights under the provisions of this Act.
(4) The Data Fiduciary shall give to the Data Principal the
option to access such request for consent in English or any
language specified in the Eighth Schedule to the
Constitution of India.
Chapter No: 2, Clause No: 7(3)
Structural Issues – A12
Rationale
Bad in law. The term “public interest” is already defined in 2(18); this clause directly contradicts that
definition.
Credit scoring cannot be public interest. Also, public interest is covered specifically in 8(9)(c),
which further adds to the confusion. The term “public interest” has to be replaced by a better
term to avoid confusion.
The earlier bill used the phrase “Reasonable Purposes”.
Existing Section
in public interest, including for:
(a) prevention and detection of fraud;
(b) mergers, acquisitions, any other similar combinations,
or corporate restructuring transactions in accordance with
the provisions of applicable laws;
(c) network and information security;
(d) credit scoring;
(e) operation of search engines for processing of publicly
available personal data;
(f) processing of publicly available personal data; and
(g) recovery of debt;
Recommended Section
in the following circumstances, including for:
(a) prevention and detection of fraud;
(b) mergers, acquisitions, any other similar
combinations, or corporate restructuring transactions
in accordance with the provisions of applicable laws;
(c) network and information security;
(d) credit scoring;
(e) operation of search engines for processing of
publicly available personal data;
(f) processing of publicly available personal data; and
(g) recovery of debt;
Chapter No: 2, Clause No: 8(8)
Structural Issues – A13
Rationale
“Reasonable security safeguards” is very open; there is no benchmark. It can be prescribed by the
authority or by rules; hence the clause “as may be prescribed” is to be added.
Existing Section
Every Data Fiduciary and Data Processor
shall protect personal data in its possession
or under its control by taking reasonable
security safeguards to prevent personal data
breach.
Chapter No: 2, Clause No: 9(4) & Schedule 1(1)
Recommended Section
1. Every Data Fiduciary and Data Processor
shall protect personal data in its possession or
under its control by taking reasonable security
safeguards to prevent personal data breach as
may be prescribed.
2. Schedule 1(1) also needs to have the
clause “as may be prescribed”.
Structural Issues – A14
Rationale
Independent auditor qualifications, competence etc. need to be defined, so “as may be
prescribed” is to be added.
Existing Section
appoint an Independent Data Auditor who
shall evaluate the compliance of the
Significant Data Fiduciary with provisions of
this Act; and
Chapter No: 2, Clause No: 9(4)
Recommended Section
appoint an Independent Data Auditor, who shall
evaluate the compliance of the Significant Data
Fiduciary with provisions of this Act; and
For the purpose of this section, “Data Auditor”
shall have the necessary qualifications,
competence and independence as may be
prescribed.
Structural Issues – A15
Rationale
How can one Data Fiduciary show the data of another Data Fiduciary unless it is a Consent Manager?
Ambiguous clause.
For example, if I open an account with Bank A, how can Bank B, with whom I don’t have any relation, be able
to show the details shared with another fiduciary?
This can happen only with a Consent Manager. It should be a typo error. As a Data Principal, I would like to
know with which data processors I am sharing my data.
Existing Section
The Data Principal shall have the right to
obtain from the Data Fiduciary:
(3) in one place, the identities of all the Data
Fiduciaries with whom the personal data
has been shared along with the categories
of personal data so shared; and
Chapter No: 3, Clause No: 12(3)
Recommended Section
The Data Principal shall have the right to obtain
from the Data Fiduciary:
(3) in one place, the identities of all the Data
Fiduciaries or Data Processors with whom the
personal data has been shared along with the
categories of personal data so shared; and
Structural Issues – A16
Rationale
Typo error and subject to gross misinterpretation. The English is to be changed and a separate sub-
section provided for erasure; correction is different from erasure.
Existing Section
(2) A Data Fiduciary shall, upon receiving a request
for such correction and erasure from a Data
Principal:
(a) correct a Data Principal’s inaccurate or
misleading personal data;
(b) complete a Data Principal’s incomplete personal
data;
(c) update a Data Principal’s personal data;
(d) erase the personal data of a Data Principal that is
no longer necessary for the purpose for which it was
processed unless retention is necessary for a legal
purpose.
Chapter No: 3, Clause No: 13(2)
Recommended Section
2) A Data Fiduciary shall, upon receiving a request for such
correction and erasure from a Data Principal:
(a) correct a Data Principal’s inaccurate or misleading personal
data;
(b) complete a Data Principal’s incomplete personal data;
(c) update a Data Principal’s personal data;
(d) erase the personal data of a Data Principal that is no longer
necessary for the purpose for which it was processed unless
retention is necessary for a legal purpose.
(2) A Data Fiduciary shall, upon receiving a request for erasure
from a Data Principal shall erase the data of the data principal
that is no longer necessary for the purpose for which it was
processed unless retention is necessary for a legal purpose. In
case the data principal is unable to erase the same due to legal
reasons the same shall be communicated back to the Data
Principal
Structural Issues – A17
Rationale
The phrase “in writing” is used 6 times in the Bill. In this digital world it looks absurd. Section 4 of the IT
Act has already stated what constitutes writing; for clarity, add that definition.
Alternatively, introduce the definition of “in writing” as per the IT Act, as already mentioned above.
Refer to Point A04 above.
Existing Section
for reasons to be recorded in writing
Chapter No: 5, Clause No: 20(2), 21(2), (4), (5) & (11), 22(1)
Recommended Section
“for reasons to be recorded and
communicated”.
Structural Issues – A18
Rationale
The Bill only talks about penalties, which will go to a specific fund of the Data Protection
authority.
Where is the compensation due as a result of the harm or loss to the Data Principal? The Bill is
totally silent on this. In the case of the IT Act, compensation was introduced in 2008. This is very
important.
Existing Section
Penalties
Chapter No: 5, Clause No: 25
Recommended Section
Add the relevant Compensation clause
accordingly
Structural Issues – A19
Rationale
Deleting this section without any new clause on sensitive personal data is going to be
dangerous. Personal data needs to be classified as sensitive for certain classes of data.
Sensitive data needs additional protection, and breach of such data needs additional
penalty. Similarly, privacy policy and many other aspects are important.
Existing Section
(1) The Information Technology Act, 2000 (“IT
Act”) shall be amended in the following
manner:
(a) section 43A of the IT Act shall be omitted;
Chapter No: 6, Clause No: 30(1)(a)
Recommended Section
The following sections must be reworked to
include sensitive data:
Sec 17 - Transfer of data
Sec 9(4)
Structural Issues – A20
Rationale
Linked to the modification in Sec 9(4)
Existing Section
Failure of Data Processor or Data Fiduciary
to take reasonable security safeguards to
prevent personal data breach under sub-
section (4) of section 9 of this Act
Schedule No: 1, Clause No: (1)
Recommended Section
Failure of Data Processor or Data Fiduciary to
take reasonable security safeguards, as may
be prescribed, to prevent personal data breach
under sub-section (4) of section 9 of this Act
Language Issues – B01
Rationale
Child is already defined in clause 2(3) as:
(3) “child” means an individual who has not completed eighteen years of age.
The word “individual” should not be repeated.
English language framing.
Existing Section
“Data Principal” means the individual to
whom the personal data relates and
where such individual is a child includes
the parents or lawful guardian of such a
child
Chapter No: 1, Clause No: 2(6)
Recommended Section
“Data Principal” means the individual to
whom the personal data relates and in
case of child it shall include the parents or
lawful guardian of such a child.
Language Issues – B02
Rationale
Typo error. How can false statements be fact?
Existing Section
“public interest” means in the interest of any
of the following:
(a) sovereignty and integrity of India;
b. security of the State;
c. friendly relations with foreign States;
d. maintenance of public order;
e. preventing incitement to the commission of
any cognizable offence relating to the
preceding sub-clauses; and
f. preventing dissemination of false
statements of fact.
Chapter No: 1, Clause No: 2(18)(f)
Recommended Section
“public interest” means in the interest of any of
the following:
(a) sovereignty and integrity of India;
b. security of the State;
c. friendly relations with foreign States;
d. maintenance of public order;
e. preventing incitement to the commission of
any cognizable offence relating to the
preceding sub-clauses; and
f. preventing dissemination of false statements
or fact.
Language Issues – B03
Rationale
1. Typo/spelling mistake: as per Indian English it is “digitized”.
2. In order to align with the IT Act, change the statement. The IT Act does not use the
jargon “digitized”; the correct term is “electronic record”.
Existing Section
(1) The provisions of this Act shall apply
to the processing of digital personal data
within the territory of India where:
(b)such personal data collected offline,
is digitized
Chapter No: 1, Clause No: 4(1)(b)
Recommended Section
(1) The provisions of this Act shall apply to
the processing of digital personal data
within the territory of India where:
(b) such personal data collected in non-
electronic form/physical form is
converted to an electronic record.
Interpretation: Electronic Record is
defined in sec 2(t) of the Information
Technology Act 2000
Language Issues – B04
Rationale
“Offline data” is not written English; it is colloquial English. As mentioned in Point A04
above, aligning to the IT Act term ‘electronic record’ can make life simpler for everybody.
With this one term, non-automated processing is also covered and need not be mentioned
explicitly.
“Offline” can be subject to interpretation.
Existing Section
(3) The provisions of this Act shall not
apply to:
(a) non-automated processing of
personal data;
(b) offline personal data;
Chapter No: 1, Clause No: 4(3)(a) & 4(3)(b)
Recommended Section
(3) The provisions of this Act shall not
apply to:
(a) personal data in the form of a non-
electronic record.
Explanation: Electronic Record is as
defined in Sec 2(t) of the Information
Technology Act 2000
Language Issues – B05
Rationale
There is a lot of difference between colloquial language and written language. The wording
must be changed.
Existing Section
Where a Data Principal has given her
consent to the processing of her personal
data before the commencement of this Act,
the Data Fiduciary must give to the Data
Principal an itemised notice in clear and plain
language containing a description of personal
data of the Data Principal collected by the
Data Fiduciary and the purpose for which
such personal data has been processed, as
soon as it is reasonably practicable
Chapter No: 2, Clause No: 6(2)
Recommended Section
Where a Data Principal has already given her
consent to the processing of her personal data
before the commencement of this Act, the Data
Fiduciary must give to the Data Principal an
itemised notice in clear and simple language
containing a description of personal data of the
Data Principal collected by the Data Fiduciary
and the purpose for which such personal data
has been processed, as soon as it is
reasonably practicable
Language Issues – B06
Rationale
English and standardisation
Existing Section
(2) Failure to notify the Board and
affected Data Principals in the event of
a personal data breach, under sub-
section (5) of section 9 of this Act
(3) Non-fulfilment of additional
obligations in relation to Children; under
section 10 of this Act.
(5) Non-compliance with section 16 of
this Act
Schedule No: 1, Clause No: (2), (3), (5)
Recommended Section
(2) Failure of Data Processor or Data
Fiduciary to notify the Board and affected
Data Principals in the event of a personal
data breach, under sub-section (5) of
section 9 of this Act.
(3) Non-fulfilment of additional obligations
by Data Fiduciary in relation to Children;
under section 10 of this Act.
(5) Non-compliance with section 16 of this
Act by the Data Principal