wordpress blog stats
Connect with us

Hi, what are you looking for?

Data Privacy Regime in India: Its Genesis and Evolution

The new data protection bill of 2022 is the latest draft bill in India’s journey of formulating a comprehensive data and privacy regime

By Alan Sunny

Data Privacy and the Global Regime 

With the growth of technology-driven industries around the world, data privacy is an important matter to be addressed. Countries across the world have formulated legal instruments to safeguard the interests of data principals (the person to whom the personal data belongs) and the liabilities of data fiduciaries (entities that control storage and decide the means and purpose of the processing of data). 

The European Union’s General Data Protection Regulation (GDPR) is the predominant framework with exhaustive provisions to safeguard data privacy. The GDPR has influenced many countries in framing their respective data privacy legislations. Thailand’s Personal Data Protection Act (PDPA) and Brazil’s General Personal Data Protection Law (LGPD) are influenced by GDPR.  More than 100 countries have formulated their data privacy legislations to safeguard the interests of their consumers. A comprehensive Data Privacy Legislation is on the anvil in the United States as well, called the American Data Privacy and Protection Act.

The general rights afforded to data principals under these data privacy legislations include the Right to Access (GDPR Article 15), the Right to Rectification ( GDPR Article 16), the Right to be Informed ( GDPR Article 13 and Article 14), etc.

Advertisement. Scroll to continue reading.

FREE READ of the day by MediaNama: Click here to sign-up for our free-read of the day newsletter delivered daily before 9 AM in your inbox.

India and data privacy

The Digital Economy in India has witnessed monumental growth over the years and yet India lacked a competent legislative framework to address data privacy issues. Though the Information Technology Act, 2000, along with SDPI rules functioned as a temporary means  to ensure some degree of data privacy, much more was required. 

Under the SDPI Rules, body corporates are mandated to publish a Privacy Policy (Rule 4), (detailing the type of information collected, purpose and usage of such information, etc.), Appoint a Grievance Officer {Rule 5(9)}, Adopt Reasonable Security Practices and Procedures (Rule 8), etc.

Impact of the K.S. Puttaswamy Judgement 

The landmark K.S. Puttaswamy vs the Union of India judgement in 2017 recognised privacy as a Fundamental Right in India. The Judgement also stressed on data privacy in this digital era. This has given impetus to the development of a much-required data privacy legislation in India. In 2017, the Ministry of Electronics and Information Technology constituted a committee of experts under the chairmanship of Justice BN Srikrishna to deliberate on a data protection framework for India. 

Advertisement. Scroll to continue reading.

Personal Data Protection Bills: Features and Evolution 

The Justice BN Srikrishna Committee proposed the Draft Personal Data Protection Bill, 2018. The Bill called for the creation of a National Level Data Protection Authority. Interalia, the Draft bill proposed different rights to data principals including seeking correction, seeking access to data which is stored with the data fiduciary, the right to be notified on the nature and purpose of data processing, etc.  

The Draft Personal Data Protection Bill, 2018 was amended to become The Personal Data Protection Bill, 2019 which was tabled in Parliament after receiving various stakeholder inputs. The Personal Data Protection Bill, 2019 expanded the ambit of personal data {Clause 2(28)} and also provided data principals with the right to remove personal data which is no longer required to be processed by data fiduciaries for the intended purposes (Clause 9). The 2019 bill also changed the composition of the selection committee for appointing the chairperson and members of the Data Protection Authority of India {Clause 42(2)}.

Recommendations of the Joint Parliamentary Committee (2021)

The bill was referred to a Joint Parliamentary Committee for further deliberation and stakeholder input. The Joint Parliamentary Committee had tabled its report with 81 amendments to the 2019 bill. The Report submitted by the Joint Parliamentary Committee contained a draft bill titled the ‘Data Protection Bill, 2021’ (the title was amended to drop the term “Personal”). Some of the main recommendations made by the Joint Parliamentary Committee were:

  1. Non-Personal data should also be included under the ambit of the Data Privacy Bill since it is very hard to distinguish between personal and non-personal data. 
  2. The data fiduciary should report without any discretion to the Data Protection Authority about any data breach within 72 hours of the data fiduciary being aware of the concerned breach. 
  3. The Central Government has been given the power to exempt certain agencies from the obligations under the bill in the interests of the Sovereignty and Integrity of India, the Security of the State, Friendly Relations with the Foreign States or Public Order and to prevent Cognizable Offences relating to any of these. The procedures followed by these Agencies must be just, fair and reasonable. 
  4. The Composition of the Selection Committee for appointment of the Chairperson and members of the Data Protection Authority of India should be changed to include the Attorney General of India, an Independent Expert of Data Protection and Directors of any IITs and IIMS.

There was wide criticism against the wider powers vested upon the government in the updated version of the bill even from the members of the Joint Parliamentary Committee itself.

Withdrawal of the Bill

Advertisement. Scroll to continue reading.

The data privacy bill was withdrawn owing to dissent from various factions of society and for more deliberations. One main reason reported was the negative impact the bill would have had on start-ups due to increased regulatory compliance.

Also, many tech companies have dissented against the data localisation provision in the data privacy bill. Data Localisation required companies to mandatorily store a copy of sensitive personal data within India. It also prevented companies from exporting critical personal data.

Data Localisation (storing of data on a physical device within a country) gives Countries more control over data and security against data breaches, identity thefts, etc. It ensures more authority for countries. It also improves accountability and enforcement of State Laws against technology giants. The Joint Parliamentary Committee Report had also stressed the importance of Data Localisation in India.

However, technology giants oppose the same as it leads to increased expenditure owing to the creation of localised data collection centres. Data localisation may increase service costs and the efficiency of services delivered. 

The Digital Personal Data Protection Bill, 2022

The government has recently released the Digital Personal Data Protection Bill, 2022. The Bill has reduced the number of clauses to 30. The new Bill, unlike its predecessors, omits personal data stored in physical format {Clause 4(30}. The Bill also doesn’t categorise personal data into sensitive and critical personal data (The Personal Data Protection Bill, 2019 had the classification and had more restrictions surrounding the same). 

Advertisement. Scroll to continue reading.

The Bill empowers Data Principals to nominate another individual to exercise the rights under the Bill in the event of death or incapacity of the Data Principal (Clause 15). The new Bill has provided exemptions for data fiduciaries for transferring personal data outside the territory of India (Clause 17). The Bill provides for higher penalties for non-compliance (Clause 25 and Schedule 1). The Data Protection Authority has been replaced with the Data Protection Board of India. The decisions of the Data Protection Board of India are appealable to High Courts (Clause 22). 

The Bill also details ‘deemed consent’ from data principals (Clause 8). The Bill enumerates the situations in which consent will be deemed from data principals. Some of the situations specified include vague terms like ‘public interest’. This may promote arbitrary acts. Many stakeholders have raised concerns about the impact of ‘Deemed Consent’ owing to its potential for misuse. The government must limit the vagueness associated with deemed consent through clear subordinate legislation.

The Bill proposes hefty fines for non-compliance. Unlike the previous versions, the quantum of penalty is capped and is not dependent on the Worldwide Turnover of Violating Entities. This in turn eases the adjudicatory burden since the accurate calculation of Worldwide Turnover for each corresponding violating Entity would have been a procedural burden. Ignoring the turnover of violating entities could become detrimental to small entities and beneficial for large entities with a huge turnover. Judicial wisdom with careful application of mind could limit its impact.

The Bill vests the power upon the Central Government to waive the applications of the provisions of the Bill on any instrumentality of the State in the interests of the Sovereignty and Integrity of India, Security of the State, Friendly relations with Foreign States, maintenance of Public Order or preventing Incitement to any Cognizable Offence (Clause 18).

The new Bill vests wider powers upon the government. There are many provisions for subordinate legislation to be issued under the Bill. A larger sense and practical impact of the Bill can only be made with the corresponding subordinate legislations to be enacted under the Bill.

Alan Sunny is a Web3/Technology Lawyer and Senior Associate at Triage Law. LinkedIn here

Advertisement. Scroll to continue reading.

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

Also Read: 

Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



India's smartphone operating system BharOS has received much buzz in the media lately, but does it really merit this attention?


After using the Mapples app as his default navigation app for a week, Sarvesh draws a comparison between Google Maps and Mapples


In the case of the ‘deemed consent' provision in the draft data protection law, brevity comes at the cost of clarity and user protection


The regulatory ambivalence around an instrument so essential to facilitate data exchange – the CM framework – is disconcerting for several reasons.


The provisions around grievance redressal in the Data Protection Bill "stands to be dangerously sparse and nugatory on various counts."

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ