The Covid-19 pandemic accelerated business digitalization, prompting regulators to pay closer attention to the technology, media, and communications sectors. In 2022, substantial regulatory changes are planned; this article provides a list of the ones to watch.

New Data Protection Law

On 16 December 2021, a Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill 2019 presented its report on the draft bill before both houses of the Indian Parliament. The report comprises the JPC's recommendations and changes to be made to the draft bill and general data protection framework in India. The JPC's report will lead to a number of consequential changes in the data privacy law, not least adding to it elements of "non-personal" data protection. The new draft data protection law was expected to be passed – with these changes – in early 2022 (for further details please see "Indian data protection law – one step closer with new Parliament committee report").

While the draft law has not been placed before Parliament for debate yet, the situation may progress during the course of 2022.

Intermediary platform regulations to be tested

Amendments to Indian intermediary protection regulations were notified in May 2021. These amendments brought about significant changes, such as requiring:

The new rules have been controversial, and Indian courts have put certain aspects of them on hold. 2022 will bring more instances where the government and the online content industry will test the enforcement of these rules.

In 2022, the medium- to long-term on-the-ground impact of new IT rules will be tested. Indian courts will finally rule on the legality of certain measures. The year will also show how strictly the Indian government intends to enforce these rules, particularly with politically sensitive state elections, which are scheduled for early 2022.

Recurring themes of data sovereignty

A common thread in the Indian government's new and proposed rules on data protection, blockchain and intermediary liability (among other things) is the assertion of India's sovereignty over Indian data. On the one hand, this will lead (and has led) to data localisation rules that prevent non-Indian players from collecting, storing or monetising people's data. This regulatory outlook also translates into giving the Indian government wide powers to access data present in India for law enforcement purposes. A tricky issue arises when the data in question is not of Indian data subjects. In such cases, these data access rights have to be calibrated to deal with, for example, EU subjects' data. Since the July 2020 Schrems II ruling, European and other overseas players have had to conduct data protection impact assessments to determine if the rights of EU data subjects are adequately protected under Indian regulations.

During 2022, the need to reconcile the government's data access powers will again become relevant when the final version of the data privacy law is notified, and/or when the courts rule on the rights accorded to EU data subjects.

More curbs on payment data storage

With India's payment ecosystem growing exponentially in the past decade, concerns about payment-related frauds and data theft have come to the forefront. The Reserve Bank of India (RBI) has, in the past, introduced several new measures – such as payment data localisation measures since 2018 – in an effort to protect end-users.

In 2021, the RBI also mandated the purging of credit card data by entities in the payment transaction chain. The intention was to have payment system participants transition to tokenisation of card details from 1 January 2022 (for further details please see "RBI introduces new data protection requirements"). After an industry-wide pushback, the RBI relented and the deadline for purging card-on-file data was extended by six months, until 30 June 2022. While this provides some respite, it remains to be seen if tokenisation is a viable solution for the Indian payments ecosystem.

In July 2022, the ban on storing credit card data on file will come into force, which has left players scrambling to put in place alternate solutions.

(This is a slightly modified version of an article originally published in Lexology. The original article can be found at