Data Privacy law in 2022

Analysis of Data Privacy Laws in India in 2022 | Shainelex Best Corporate Law Firm In Kolkata

In internet governance, data protection and privacy are two interconnected issues. Data protection is a tool used by the law to protect citizens’ confidentiality: the right to govern one’s personally identifiable information, and to do so in line with one’s preferences and will. The right to data privacy is acknowledged as a legal right, and several judicial rulings have helped establish fundamental rights in India. The Constitution is the supreme law of India. It goes without saying that our Constitution is an evolving document that adapts to its surroundings.


It acknowledges the right to privacy as one of several rights that fall under the purview of Article 21. In R. Rajagopal v. State of Tamil Nadu, also known as the “Auto Shankar Case,” the Supreme Court explicitly ruled that the right to privacy, or the right to be left alone, is assured under Article 21 of the Constitution. The privacy of oneself, one’s family, one’s education, one’s marriage, one’s procreation, and one’s motherhood, among other things, are all protected rights of citizens.


The Supreme Court ruled in People’s Union for Civil Liberties v. Union of India, also known as the “Phone Tapping Case,” that telephone tapping is a serious violation of a person’s right to privacy, which is a component of their right to life and personal liberty under Article 21 of the Constitution, and that the State should not use it unless there is a compelling reason, a public emergency, or a threat to public safety. The Indian Telegraph Act of 1885 and the Information Technology Act of 2000 permit the government to carry out surveillance operations if doing so serves the interests of India’s sovereignty and integrity, national security, friendly relations with other countries, public order, or the prevention of inciting violence to commit an offence.

The United Nations Model Law on Electronic Commerce is the foundation of the Information Technology Act of 2000.


The Act includes the following clauses about data security and privacy. Where a failure to use reasonable security practices and procedures (RSPP) to secure sensitive personal data and information (SPDI) causes a wrongful gain or loss, compensation is provided under Section 43A.


Information is defined in Section 2(v) as any information, text, image, sound, voice, code, computer programme, software, database, microfilm, or microfiche created by a computer.

Section 72A provides for criminal penalties where a provider, while carrying out a contract, discloses personal details without the subject person’s consent or in violation of a valid contract, and does so with the intent to cause, or knowing that he or she is likely to cause, loss, damage or wrongful gain.


According to the 2011 Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, the following types of personal information may be considered sensitive:


(ii) financial information;

(iii) health parameters (including physical, physiological, and mental health conditions and medical records or histories);

(iv) sexual orientation; and

(v) biometric information.

The term “personal information” has also been defined in the IT Rules as any information that refers to a natural person and is capable of identifying that person.

In contrast to an earlier cumbersome draft, the new Digital Personal Data Protection Bill, 2022 that was published on Friday (November 18) is more data-centric. The bill has been revised to include stiff penalties for non-compliance; however, these penalties are capped and have no relation to the turnover of the offending business. Along with a provision for simpler start-up compliance standards, it has also loosened regulations on international data flows, which may provide relief for the major internet corporations.


According to representatives of the Ministry of Electronics and IT (MeitY), the new draft achieves a delicate balance, takes into account lessons from other countries’ policies, and adheres to the Supreme Court’s decision that privacy is a basic right subject to reasonable limitations. Although comparisons with the EU’s General Data Protection Regulation, or GDPR, have been made, the Government of India sees its version of the Data Protection Bill as only one of the parts that make up its larger policy vision for the whole digital economy, according to Graham Greenleaf, professor of Law & Information Systems at the University of New South Wales.

The following are the key components of the draft Digital Personal Data Protection Bill, 2022.


  • The new bill aims to create a Data Protection Board (DPB) to make decisions about data protection.
  • In order to ensure that the relevant institutions follow the legislation, it also aims to create Data Protection Officers or individual data auditors within significant enterprises.
  • Additional rights concerning their personal data are granted to the data principals (the people whose data it is). The data owners may request that the companies in question remove or erase their data.
  • The bill imposes additional obligations or duties on companies with regard to data.
  • The new data protection law was introduced with the goal of adding another level of security to the residents’ personal information.
  • The new bill also relaxes the rules governing the movement of data across international borders, which was a worry for major digital firms.
  • It also makes compliance requirements easier for startups.
  • The law also lists the circumstances under which government entities may violate the proposed legislation in the event of emergencies.
  • In contrast to the previous edition, the right to portability has been eliminated.
  • To address non-consent-based justifications for data processing, the term “deemed consent” has been created.
  • Alternative dispute resolution procedures like arbitration are acknowledged.
  • The new draft also does away with algorithmic accountability and hardware certification.
  • By enforcing severe penalties in the event of a breach, a form of deterrent against data leaks has been created for the benefit of end users.
  • Additionally, there is a clause regarding approval for data sharing, and the data may be written only when the end user grants consent.