The DPDP Bill: From responding to responsibility

Jul 10, 2023
  • Author(s): Sanjay Notani, Vinay Butani, Harshvardhan Nankani, Akash Manwani
  • The Union Cabinet’s approval of the draft Digital Personal Data Protection Bill (DPDP Bill) on July 5, 2023, signifies an important milestone in India’s journey towards establishing a comprehensive data protection framework.

    The bill is expected to be tabled before Parliament in its monsoon session this month. While we will follow the developments and assess whether the DPDP Bill includes the public recommendations which the Ministry of Electronics and Information Technology would have gathered during the November 2022 consultation stage, the DPDP Bill is undeniably a simplified version compared to its predecessors.

    Once enacted, the DPDP Bill:

    • Seeks to amend and remove key provisions of the Indian Information Technology Act, 2000 (IT Act), as well as provisions of the Right to Information Act, 2005.
    • Requires that the data principals be provided with a clear notice in English or a local Indian language, detailing the personal data to be collected and its purpose. The bill also introduces ‘deemed consent’ for situations where obtaining personal data is impracticable, such as restaurant reservations or fulfilling legal functions. Deemed consent may apply in court orders, emergencies, employment, public interest, and fair cases.
    • Proposes the establishment of a Data Protection Board of India. This board will have powers to conduct inquiries, impose penalties, and handle complaints related to data protection. The composition and selection process of the board are expected to be outlined in the bill.
    • Permits cross-border transfer of all personal data, but only to countries or territories notified by the Central Government. The DPDP Bill stipulates that while notifying these territories, the Central Government may assess any factors that it may consider necessary.
    • Prescribes penalties ranging from up to INR 10,000 to up to INR 250 Crores for different offences. However, the DPDP Bill also sets out the factors that need to be considered while determining the penalty.

    As disruptive technologies like generative AI, large language models, and natural language processing continue to advance, one can only hope that the DPDP Bill, which claims to have incorporated the best practices adopted from various international personal data protection laws, upholds the underlying principles of privacy as a fundamental right and the autonomy and neutrality of the regulatory bodies involved.

    We trust you will find this an interesting read. For any queries or comments on this update, please feel free to contact us or write to our authors:

    Sanjay Notani, Partner
    Vinay Butani, Partner
    Harshvardhan Nankani, Senior Associate
    Akash Manwani, Associate

    Disclaimer: The information contained in this document is intended for informational purposes only and does not constitute legal opinion or advice. This document is not intended to address the circumstances of any individual or corporate body. Readers should not act on the information provided herein without appropriate professional advice after a thorough examination of the facts and circumstances of a situation. There can be no assurance that the judicial/quasi-judicial authorities may not take a position contrary to the views mentioned herein.