Terming it as “India’s own GDPR”, a startup founder said the Bill can be a huge relief for users, if implemented well.
The Digital Personal Data Protection Bill, 2022, is expected to give an impetus to cyber security as companies will focus more on data protection to comply with the regulations.

“India, the second-highest population of smartphone users, is prone to data breaches in social apps because currently we don’t have an apt law on how social apps handle our personal data. With this revised data protection Bill, cyber security became the forefront of data management. Since the coming of the guidelines, tech firms will now pay special attention to data protection, privacy, and residency. With hefty penalties, it might be a burden for small and medium organisations to meet compliance needs,” said Sandip Kumar Panda, cofounder and CEO of InstaSafe Technologies.
According to Kaspersky’s ‘Privacy predictions for 2023’ report, smartphones will take over traditional paper documents next year. The report states that using a smartphone to store an increasing amount of personal data creates a single point of failure, raising serious security concerns. This places serious demands on the security of mobile devices and the way data is stored while preserving privacy.
“Greater use of digital technology presents more opportunities for threat actors to strike at poorly secured enterprises. Business leaders in India are aware of and concerned by the increase in cyberattacks and are budgeting for an increase in cybersecurity expenditure in 2023 to secure their operations,” said Kesavardhanan J, founder and president, K7 Computing, an information security firm.
The IT-ITeS sector stands to benefit as the government has relaxed certain norms on cross-border data flows. “The Bill says that it will whitelist certain territories similar to provisions in the GDPR, which is good for the sector as it depends on cross-border data flow for its business. However, what the sector might have been hoping for, is not just whitelisting but those being open by default. Now, India will have to negotiate with each of the key economies on the conditions for cross-border data flows, which will be quite a lengthy process. So, while this Bill is better than the earlier one, we still need to wait and watch how these foreign trade agreements and negotiations go and what clients of these IT/ITeS companies expect,” said Aparajitha Bharti, founding partner, TQH Consulting.

The Bill’s relatively soft stand on data localisation requirements is likely to foster country-to-country trade agreements, said Manish Sehgal, partner, Deloitte India. “It will make it relatively easier for global enterprises to operate and process data with their current set-up rather than mandatorily developing large infrastructure in India for storing and processing of personal data,” he said.

Terming it as “India’s own GDPR”, a startup founder said the Bill can be a huge relief for users, if implemented well.

“The revamped draft in just three months since the last version has taken into consideration the objections put forth by tech giants like Meta about data localisation has provided some relaxation with cross-border data transfer… if implemented strictly, the data exploitation in India can be eliminated,” said Manoj Kumar Shastrula, founder and CEO, SOCLY.io, a B2B startup offering compliance as a service.
Industry observers have however criticised the Bill’s bias towards government agencies. “The Bill’s exemptions for central and state agencies, along with exclusion of personal data stored and or processed in non-digital (original/ handwritten/ paper) format may be a gap to protect personal data and ensure privacy in entirety,” Sehgal said.

The draft Digital Personal Data Protection Bill, 2022, issued on November 18 is open for public consultation till December 17. On August 4, MeitY withdrew the earlier bill of 2021 on the premise that the joint committee had recommended substantial amendments to the original draft, highlighting the need for developing a “comprehensive” legal framework that is aligned with contemporary privacy laws and constantly evolving nuances of the digital ecosystem.