Skip to main content

Data Protection (In India)

Article 02 Mar 2021 Read time: 3 min


The right of privacy is a fundamental right. It is a right which protects the inner sphere of the individual from interference from both State, and non-State actors and allows the individuals to make autonomous life choices.” - Justice Sanjay Kishan Kaul

Privacy is the fundamental right. Broadly privacy can be categorized as ‘Information / Communication / Territorial / Bodily privacy, as defined by European Union under Data Protection and Regulation Act.

Privacy has three components, namely Secrecy, Anonymity & Solicitude.

In India, there was a dramatic change in the last one decade with the latest trends and technologies implemented in the Government Bodies / Corporate Sectors and data has been transmitted through different channels in the form of digital mode.

Apart from Human Resources, in the current trend “Data” has been recognized as a value added asset which is more critical in this digital era, hence personal data needs to be protected. Protection of personal data has been recognized to be instrumental for empowerment, progress and innovation

In India, as on date, there is no law governing data protection as on date, lacks a dedicated data protection law that addresses its concerns as expanding data-based economy. In India for IT Industry, mainly to protect the “Personal Data’ under the present Indian laws; only ‘Information Technology Act 2000’ (‘IT Act’) can be taken into account

In August 2017, Supreme Court declared ‘Right to Privacy’ as a fundamental right under the Constitution of India between KS Puttaswamy Versus Union of India. To strengthen the Data Privacy and to protect the Individual Information, Government of India constituted a ‘Nine Member Committee’; a Committee of Experts under the dynamic leadership of Justice B N Srikrishna to identify the gaps in India with the existing laws on Data Protection and draft bill need to be framed, a Data Protection law in India.

Draft Personal Data Protection Bill 2018: Concepts and Issues

Expert Committee constituted by Government of India submitted the draft Personal Data Protection (PDP) bill report on July 27, 2018 to Ministry of Electronics and Information Technology published its report along with the draft Personal Data Protection Bill 2018 (“Bill”).

Abstracts of the bill

  • Draft PDP Bill monitors and controls the processing of Individual’s personal Data (Data principals) by Government and Private entities (Data fiduciaries) established in India and abroad.
  • Bill also clearly indicated that Processing is allowed either Individual gives consent, (or) in an emergency situation, on health care grounds (or) by the State for providing services and benefits.
  • The Bill has recognized the need to provide special protection to the personal data of children below the age of 18 years in a manner “that protects and advances the rights and best interests of the child”. Further, while “consent” which is free, informed, specific, clear and capable of being withdrawn has been recognized as a ground for processing personal data, the manner of obtaining such specific consent has not been elucidated upon in the Bill.
  • The Bill recognizes the need for having a reporting mechanism for breach of personal data but has not prescribed a comprehensive mechanism for reporting such breach.
  • One of the most debated issues with the Bill is the introduction of data localization requirements. Such a requirement may prove to be counter-productive for entities such as those relying on cloud-based technologies to sustain their businesses.
  • Further, while the Bill has identified the need of deterrent penalties and has prescribed fines of up to Rs 15 crores or 4% of the total worldwide turnover of the entity for breach of certain provisions of the Bill, the calculation of such worldwide-turnover-based penalties for functionaries of State may pose practical challenges.

Key Factors and Issues

  • As on date, there are no specific rules or guidelines for processing of personal data in a realistic manner.
  • Bill says ‘Data Fiduciary’ should inform to DPA of the Data Breach, may likely to cause harm, but there is no proper definition / clarity, when it comes to ‘harm’.
  • PDP Bill provides certain kind of exemptions relating to ‘Data Localization’ and other responsibility for Data Fiduciary where exposing of Data towards investigation or examination, detection etc.,
  • Data Fiduciary are not suppose to process the Individual Personal Data without obtaining the Consent where as State may not require consent to process the data, to issue certificates, licenses etc.,
  • Storage - A copy of Personal & Sensitive Personal Data, either on A Server or Data Center in India. But the term ‘Serving Copy’, not clear.
  • Similar to EU – GDPR , PDP bill specifies penalties are INR Fifteen Crores or 4% of the global annual turnover, whichever is higher, if breach was happened, but it is unclear
  • Duties, Powers and functions of the Data Protection Authority.


Data privacy has always been important. Every single company possess the personal information of millions of customers data that it needs to keep private so that customer's identities stay as safe and protected as possible, and the company's reputation remains untarnished

We are constantly updating on various aspects of Securing Privacy and we also work to keep individuals informed about the Importance of data privacy and we do that through various means for different target audience and work toward taking this to every individual.