April 26, 2023

An Insight into the Data Protection Laws of India


The Indian regulatory bodies have been working on data protection laws since 2017. The latest version of the bill was released for public consultation in November 2022. The new bill aims to balance business innovation and the privacy rights of individuals.

The Digital Personal Data Protection Bill, 2022 (DPDP Bill) is a draft bill published by the Union Ministry of Electronics and Information Technology which seeks to replace the earlier Personal Data Protection Bill (PDP Bill) introduced in 2019 and withdrawn in August 2022. The DPDP Bill only covers personal data of a “person” (which includes an individual, a company/corporation/organization/firm and the state) and the processing of digital personal data of such persons. The DPDP Bill recognises both the right of individuals to protect their personal data and the need to process personal data for lawful purposes.

Key Features of the DPDP Bill:

  • Notice and Consent: The DPDP Bill requires seeking prior consent of the data principal in an “itemised notice” which should disclose the description of personal data sought and the purpose of processing it. Only upon receiving the consent from the data principal can the data fiduciary access such personal data.
  • Right to information: The data principal can obtain a confirmation of whether its personal data is being processed, along with the extent and type of personal data processed by the data fiduciary. In fact, the data principal, upon request, should also be provided with the identities of all the data fiduciaries accessing its personal data (in one place).
  • Regulatory Body: The DPDP Bill also provides for the formation of a regulatory body called the Data Protection Board of India, which will determine non-compliance with the provisions of the act and impose penalties.
  • Obligations of the data fiduciary: The DPDP Bill imposes some significant responsibilities on the data fiduciaries to ensure that personal data is processed, stored, or erased in a safe and proper manner. These obligations include security measures, deletion of data, appointment of a Data Protection Officer (DPO), and additional obligations while processing personal data of children. If the data fiduciary breaches its obligations, Schedule I to the Bill prescribes a financial penalty not exceeding INR Five Hundred Crore in each instance.

Key Similarities and Differences between DPDP Bill and the European Union (EU) General Data Protection Regulation (GDPR)
The EU GDPR is the main legal instrument that establishes data protection laws within the EU. It came into force on 25 May 2018.
The GDPR applies to all organizations that process personal data of EU residents, regardless of their location. Overall, the GDPR aims to ensure that individuals have control over their personal data and that organizations are held accountable for protecting it.

Key Similarities:

  • Definition of personal data: Both the GDPR and the Digital Data Protection Bill define personal data broadly to include any data relating to an identifiable person.
  • Consent: Both regulations require that individuals provide their consent before their data can be collected, processed, or shared.
  • Penalties for non-compliance: Both regulations provide for significant penalties for non-compliance with their provisions.
  • Right to access and rectification: Both regulations provide individuals with the right to access and rectify their personal data held by organizations.
  • Data protection officer: Both regulations require companies that handle large amounts of personal data to appoint a data protection officer.

Key Differences:

  • Scope: The GDPR applies to all organizations that process personal data of EU residents, regardless of their location, while the Digital Data Protection Bill is limited to organizations operating within India.
  • Timeline to Report Data Breaches: The GDPR has a more detailed framework for data protection impact assessments and requires organizations to report data breaches within 72 hours, whereas the Digital Data Protection Bill does not have such explicit provisions.

In recent years, India has seen huge technological advancements and is on par with other countries. However, it lacks stringent laws which address all the recent changes in the way personal data of individuals is handled. Over the last two decades, countries like the USA, China and many more have adopted new laws for data protection. India currently lacks uniform legislation. The times require India to adopt new laws so that it can walk hand in hand with other countries.
The current Information Technology Act, 2000 handles India’s data protection issues only moderately; it is not very strict, as it falls short in implementing its provisions properly. India currently needs data protection with strict implementation.