Data Protection Law, India

Personal Data Protection law of India. Recent developments in privacy law and personal data law in India. Read Articles, Act, Bill in a single beautiful interface.


  • Due to the COVID-19 pandemic, the bill was not tabled in Parliament in Feb 2020.
  • On 11th December 2019, the bill was sent to a select committee for review. It is expected that the bill will be tabled in Parliament in Feb 2020.
  • On 10th December 2019, the Lok Sabha passed the updated Data Protection Bill, 2019.
  • In 2019, changes were made to the 2018 bill. The final version was made public in December 2019.
  • In 2018, a draft Personal Data Protection Bill, 2018 was released for comments from the general public.
  • In 2018, the Committee submitted its report. The committee was of the view that if India is to shape the global digital landscape in the 21st century, it must formulate a legal framework relating to personal data that can work as a template for the developing world. There was a need to devise a legal framework relating to personal data not only for India, but for Indians.
  • In 2017, the Government constituted a Committee of Experts to deliberate on a data protection framework for India. The committee had 2 primary objectives:
    • To study various issues relating to data protection in India
    • To make specific suggestions for consideration of the Central Government on principles to be considered for data protection in India and suggest a draft data protection bill.
  • In August 2017, a judgement by the Supreme Court declared 'Privacy' as a fundamental right.
  • In June 2011, subordinate legislation was passed by way of notification by the Department of Information & Technology under the Information Technology Act 2000. These were called the "Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011". These rules required that any organization that processes personal information must obtain written consent from the data subjects before undertaking certain activities. However, application & enforcement of these rules was uncertain.
  • In December 2008, the Information Technology Act 2000 was amended and 2 sections relating to privacy were added:
    • Section 43A, which deals with implementation of reasonable security practices for sensitive personal data or information and provides for the compensation of the person affected by wrongful loss or wrongful gain.
    • Section 72A, which provides for imprisonment for a period up to three years and/or a fine up to Rs. 500,000 for a person who causes wrongful loss or wrongful gain by disclosing personal information of another person while providing services under the terms of a lawful contract.


The Right to Privacy is a fundamental right and an intrinsic part of Article 21 of the Constitution of India. Further, a constitutional bench of the Supreme Court, in its landmark judgement, declared 'Privacy' as a fundamental right on 24 August 2017. There is a need to protect the privacy of Indians (see history section below), and hence the Private Data Protection Bill 2019 was prepared. Later, in 2022, the bill was redrafted.

Salient Features of Personal Data Protection Law

  1. to promote concepts such as the consent framework, purpose limitation, storage limitation and data minimisation.
  2. to lay down obligations on entities collecting personal data (data fiduciary) to collect only that data which is required for a specific purpose and with the express consent of the individual (data principal).
  3. to confer rights on the individual to obtain personal data, correct inaccurate data, erase data, update the data, port the data to other fiduciaries and the right to restrict or prevent the disclosure of personal data.
  4. to specify a provision relating to social media whose actions have significant impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India.
  5. to confer a "right of grievance" on data principal to make a complaint against the grievance to the data fiduciary.
  6. to establish an Authority to be called the "Data Protection Board of India".
  7. to provide that the Authority shall protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of the proposed legislation and promote awareness about data protection.
  8. to empower the Authority to specify the "code of practice" to promote good practices of data protection and facilitate compliance with the obligations under this legislation.
  9. to impose "fines and penalties" for contravention of the provisions of the proposed legislation.
  10. to empower the Central Government to exempt any agency of Government from application of the proposed legislation.