top of page
  • Writer's pictureTrivedi and Parashar (Advocates and Solicitors)

Legislative Update -


Information that can be used to identify or contact a specific individual is known as personal data. Personal data is processed by both businesses and governmental organisations in order to supply goods and services. Processing personal data enables comprehension of user preferences, which may be helpful for customization, targeted advertising, and suggestion development. Law enforcement may benefit from the processing of personal data. Unchecked processing may have detrimental effects on people's privacy, which has been acknowledged as a fundamental right. Individuals may suffer harm from it including financial loss, reputational damage, and profiling.

India currently lacks a stand-alone data protection law. In accordance with the Information Technology (IT) Act of 2000, the use of personal data is governed. A Committee of Experts on Data Protection, headed by Justice B. N. Srikrishna, was established by the national government in 2017 to look into matters pertaining to data protection in the nation. In July 2018, the Committee turned in its report. The Personal Data Protection Bill 2019 was presented in Lok Sabha in December 2019 based on the Committee's recommendations. A Joint Parliamentary Committee was given the bill and delivered its report in December 2021. The Bill was withdrawn from Parliament in August 2022. A Draught Bill was made available for public comment in November 2022. On August 09, 2023, the Rajya Sabha (Upper House) of the Parliament passed the Digital Personal Data Protection Bill, 2023 (“DPDP Bill”), which was passed in the Lok Sabha (Lower House) on August 03, 2023.

Key Features -

• Application: The Bill is applicable to the handling of digital personal data that is processed in India and that is either (i) obtained online or (ii) gathered offline and converted to digital form. If processing is done to provide goods or services in India, it also applies to processing done outside of India. Any information on a person who may be identified from or in connection with that information is referred to as personal data. The term "processing" refers to any fully or partially automated action taken on digitally stored personal data. It comprises gathering, keeping, using, and sharing.

• Consent: Only with the individual's consent and for legitimate purposes may personal data be handled. Before requesting consent, a notification must be given. Information about the personal data to be gathered and the processing goal should be included in the notification. The ability to revoke consent is always available. For "legitimate uses," which include (i) the specific purpose for which data has been willingly submitted by an individual, (ii) the government's supply of a benefit or service, (iii) a medical emergency, and (iv) employment, consent won't be necessary. The parent or the legal guardian must give consent on behalf of minors under the age of 18.

•Rights and obligations of the data principal: The data principal has the right to (i) request information about processing, (ii) request the rectification and deletion of personal data, (iii) designate a replacement for them in the event of their decease or incapacity, and (iv) seek redress for complaints. Certain obligations will fall on data principals. They may not: (i) file a fictitious or baseless complaint; (ii) provide any false information; or (iii) impersonate another individual in certain circumstances. Duty violations are penalized by fines of up to Rs 10,000.

•Obligations of data fiduciaries: Data fiduciaries have obligations, including the following:

(i) take reasonable steps to ensure the accuracy and completeness of the data;

(ii) create reasonable security safeguards to prevent a data breach;

(iii) notify the Data Protection Board of India and any affected individuals in the event of a breach; and

(iv) delete personal data as soon as the purpose has been achieved and retention is no longer required for legal purposes. The government organisations are exempt from storage restrictions and the data principal's right to erasure.

•Transfer of personal data outside India: The Bill permits the transfer of personal data, with the exception of nations that have been barred by notification from the national government.

• Exemptions: In some circumstances, the rights of the data principal and the duties of data fiduciaries (apart from data security) will not apply. These consist of (i) crime prevention and investigation, and (ii) the upholding of legal rights or claims. Certain activities may be exempted by the central government from the Bill's application through notification. These consist of (i) processing by government agencies for the sake of state security and public order, and (ii) gathering information for research, archiving, or statistical purposes.

• Data Protection Board of India: The Data Protection Board of India will be established by the national government. The Board's main duties include:

(i) enforcing penalties for noncompliance,

(ii) requiring data fiduciaries to take appropriate action in the event of a data breach, and

(iii) listening to grievances brought forth by impacted parties.

Members of the board will be appointed for two years with the possibility of reappointment. The number of Board members and the procedure for choosing them shall be specified by the national government. The TDSAT will hear appeals against the Board's judgements.

• Penalties: The schedule to the Bill outlines fines up to (i) Rs 200 crore for failing to perform commitments to minors and (ii) Rs 250 crore for failing to take security precautions to avoid data breaches for a variety of offences. The Board will issue penalties following an investigation.

Issues and Analysis

• Data collection, processing, and retention may go beyond what is necessary if the State is given exemptions from processing it for reasons like national security. The fundamental right to privacy may be compromised by this.

• The risks of harms resulting from the processing of personal data are not regulated by the Bill.

• The right to data portability and the right to be forgotten are not granted to the data principal by the Bill.

• The Bill permits the transfer of personal data outside of India, but only to nations that have been authorised. This mechanism might not provide a sufficient assessment of the level of data protection in the nations where the transfer of personal data is permitted.

• The members of the Indian Data Protection Board will hold their positions for two years, with the possibility of reappointment. The Board's independence may be hampered by the short term and potential for reappointment.


6 views0 comments

Recent Posts

See All


bottom of page