Personal Data Protection

Personal Data Protection law in India. Recent developments in privacy law, personal data law in India.

Read Personal Data Protection Bill 2019 →

Contact us to sponsor the upkeep of this website.

# Recent Updates

  • 5th Oct 2020 - The bill is expected to be tabled in parliament in coming monsoon session (Jan/Feb 2021)

# History

  • Due to covid 19 Pandemic, the bill was not tabled in parliament in Feb 2020.
  • On 11th December 2019, The bill was sent to select committee for review. It is expected that the bill will be tabled in parliament in Feb 2020.
  • On 10th December 2019, Loksabha passed updated Data Protection Bill, 2019.
  • In 2019, Changes were made to the 2018 bill. The final version was made public in December 2019.
  • In 2018, A draft Personal Data Protection Bill, 2018 was released for comments from General Public
  • In 2018, Committee summited it's report (opens new window). The committee was of the view that if India is to shape the global digital landscape in the 21st century, it must formulate a legal framework relating to personal data that can work as a template for the developing world. There was a need to devise a legal framework relating to personal data not only for India, but for Indians.
  • In 2017, Government Constituted a Committee (opens new window) of Experts to deliberate on a data protection framework for India. The committee had 2 primary objectives
    • To study various issues relating to data protection in India
    • To make specific suggestions for consideration of the Central Government on principles to be considered for data protection in India and suggest a draft data protection bill.
  • In August 2017, Judgement by Supreme Court declared 'Privacy' as a fundamental right
  • In June 2011, a subordinate legislation (opens new window) was passed by way of notifation by Department of Information & Technology under Information Technology Act 2000. This was called as "Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011". These rules required that any organization that processes personal information must obtain written consent from the data subjects before undertaking certain activities. However, application & enforcement of these rules was uncertain.
  • In December 2008, Information Technology Act 2000 was amended and 2 sections relating to privacy were added
    • Section 43A, which deals with implementation of reasonable security practices for sensitive personal data or information and provides for the compensation of the person affected by wrongful loss or wrongful gain.
    • Section 72A, which provides for imprisonment for a period up to three years and/or a fine up to Rs. 500,000 for a person who causes wrongful loss or wrongful gain by disclosing personal information of another person while providing services under the terms of lawful contract.

# Background

Right to The Right to Privacy is a fundamental right and an intrinsic part of Article 21 of the Constitution of India. Further, A constitutional bench of the Supreme Court in it's landmark judgement declared 'Privacy' as a fundamental right on 24 August 2017 Details (opens new window). There is a need to protect privacy of Indians (see history section below) and hence Private Data Protection Bill was prepared.

# Salient Features of Personal Data Protection Law

  1. to promote the concepts such as consent framework, purpose limitation, storage limitation and the data minimisation;
  2. to lay down obligations on entities collecting personal data (data fiduciary) to collect only that data which is required for a specific purpose and with the express consent of the individual (data principal);
  3. to confer rights on the individual to obtain personal data, correct inaccurate data, erase data, update the data, port the data to other fiduciaries and the right to restrict or prevent the disclosure of personal data;
  4. to establish an Authority to be called the "Data Protection Authority of India" (the Authority) which shall consist of a Chairperson and not more than six whole-time Members to be appointed by the Central Government;
  5. to provide that the Authority shall protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of the proposed legislation and promote awareness about the data protection;
  6. to specify a provision relating to "social media intermediary" whose actions have significant impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India and to empower the Central Government, in consultation with the Authority, to notify the said intermediary as a significant data fiduciary;
  7. to confer a "right of grievance" on data principal to make a complaint against the grievance to the data fiduciary and if aggrieved by the decision of such data fiduciary, he may approach the Authority;
  8. to empower the Central Government to exempt any agency of Government from application of the proposed Legislation;
  9. to empower the Authority to specify the "code of practice" to promote good practices of data protection and facilitate compliance with the obligations under this legislation;
  10. to appoint the "Adjudicating Officer" for the purpose of adjudging the penalties to be imposed and the compensation to be awarded under the provisions of this legislation;
  11. to establish an "Appellate Tribunal" to hear and dispose of any appeal from an order of the Authority under clause 54 and the Adjudicating Officer under clauses 63 and 64; and
  12. to impose "fines and penalties" for contravention of the provisions of the proposed legislation.