The Digital Personal Data Protection Bill and data surveillance

The Digital Personal Data Protection Bill, 2022, was published by the Ministry of Electronics and Information Technology on November 18.


  • When the Department of Personnel and Training started discussions on the Right to Privacy Bill, 2011, the path for a data protection law was opened.
  • Goolam Vahanvati, the attorney general at the time, stated in an office memo dated September 29, 2011, that the Bill should specify the circumstances in which the government may engage in “interception of communication.”
  • The group’s research stressed the need to assess how the government’s expanded collection of citizen data may affect the right to privacy. Since then, civil society organisations, attorneys, and politicians have repeatedly called for surveillance reform, emphasising that personal data protection requires significant regulation of the government’s ability to undertake citizen surveillance.

Revoked version

  • Streamlines international data transfers while giving state authorities broad authority: The revised data privacy bill, which was published three months after the government withdrew an earlier draught, makes it easier to transfer data internationally and stiffens the penalty for violations. However, it grants the Centre a broad range of authority and stipulates relatively few protections.
  • Delicate balancing act between limits and privacy: According to representatives of the Ministry of Electronics and IT (MeitY), the new draught strikes a delicate balance, takes into account lessons from other countries’ policies, and adheres to the Supreme Court’s decision that privacy is a fundamental right subject to reasonable limitations.
  • Seven guiding ideas in the Bill: The seven principles the bill attempts to advance—including openness, purpose restriction, data reduction, and avoiding the unauthorised gathering of personal data—are further described in the explanatory note that is included with the bill.

The architecture of surveillance in India

  • Section 69 of the Information Technology Act of 2000, Section 5(2) of the Indian Telegraph Act of 1885, and the procedural rules issued in accordance with those sections make up the bulk of India’s surveillance architecture.
  • Lack of a clearly defined base No However, this architecture doesn’t actually define how or on what legal justifications monitoring may be carried out.
  • No protections: Additionally, it lacks protections like independent ex-ante or ex-post reviews of interception orders.
  • Lack of accountability: The executive’s concentration of power leads to a lack of responsibility and facilitates abuse. This is supported by evidence that includes both instances of political spying and the stray bits of transparency that telecom firms unintentionally release.
  • Unreasonable data gathering requests are already a reality, as evidenced by submissions made by Airtel to the Telecommunications Department as part of the public consultation process for the Indian Telecommunication Bill. As the demand for surveillance from law enforcement agencies grows, Airtel has requested the government to help cover the costs.
  • Unrestricted gathering and processing of citizen data for other objectives, such as digital governance, raises problems in addition to plain surveillance.

Concerns over the revoked version

  • No reforms to surveillance have been proposed: Since the draught Personal Data Protection Bill of 2019, the draught Data Protection Bill of 2021, and the draught 2022 Bill, no ideas for reforming surveillance have been made in any revisions of the data protection legislation.
  • Without consent, data processing: Even without the subject’s consent, personal data may be processed. general exemptions Clause 18(2) of the 2022 Bill permits the Union government to grant broad exclusions for particular government bodies, just like in earlier editions.
  • However, this Bill is more egregious than earlier revisions since it allows exemption to private sector entities, which may include specific companies or a class of them, by evaluating the volume and form of personal data under Clause 18. (3).
  • Exemptions from the scope of data protection: Under the new Bill in India, exempted state agencies and commercial companies won’t be under the scope of the Data Protection Board, the organisation in charge of enforcing sanctions when fiduciaries violate privacy.


The 2022 Bill’s prologue declares that the goal is to preserve individual privacy rights and ensure that personal data is only processed for legitimate purposes. However, broad exemptions for both public and private organisations generate a host of issues that demand a warlike approach.

And get notified everytime we publish a new blog post.