BIG STORY: All You Need To Know About India’s Upcoming Personal Data Protection Bill

Data Protection Bill India

You may soon be hearing from a lot of companies on their updated privacy notice on how they collect your personal data and use it. That is because the Union Cabinet meeting chaired by Indian Prime Minister Narendra Modi recently gave the nod to the Personal Data Protection Bill which will soon be presented in the parliament for approval. 

When the bill gets passed, it will build up a system for the treatment of personal data, including its processing by public and private organisations. The Bill contains the expansive rules on the collection, storage and handling of personal data, consent of people, punishments and compensation, implicit rules, and an enforcement model. 

Presently, there are no laws on the utilisation of individual information and forestalling its abuse, even though the Supreme Court maintained the right to privacy as a fundamental right back directly in 2017. In line with the EU’s General Data Protection Regulation (GDPR), the Indian government a year ago presented a draft Personal Data Protection bill to manage the how individual data information can be stored and processed by both the public and privately owned businesses.


Sign up for your weekly dose of what's up in emerging technology.

The Personal Data Protection Bill, 2018, was set up by a high-level committee headed by previous Supreme Court judge BN Srikrishna. In any case, inter-ministerial deliberations postponed its approval in the parliament.

Data Protection Bill Constitutes 3 Personal Information Types

The bill divides data into three classifications:

  • Critical
  • Sensitive
  • General

The Bill defines sensitive personal data as constituting or related to passwords, financial data, health data, official identifier, sexual orientation, religious or caste data, biometric data and genetic data. 

Be that as it may, sensitive data may be processed outside India with the explicit consent of the user. Critical data will be characterised by the government every once in a while and must be stored and handled only in India. Any data that is non-critical and non-sensitive is categorised as general data with no limitation on where it is stored or managed. 

Data Protection Bill: Impact On The Tech Industry

While the union cabinet has taken a long time to give the nod to the bill finally, there still may be some issues that the tech industry may have. As of now, most players are optimistic of the bill given data privacy is critical for most users. According to experts, there must be a balance between data privacy and innovation, which is crucial as India makes a target of achieving a $5 trillion economy. 

“We look forward to a progressive bill that strikes a careful balance between protecting the privacy and processing data and technology to expand economic opportunity for the citizens of India. To effectively implement this, we look forward to engaging with the Government of India on consultations to build a framework that is evolutionary and allows for precision regulation within principles-based legislation that offers certainty and predictability,” says Karan Bajwa, Managing Director, IBM India.

Earlier, Industry body IAMAI had said that greater clarity was required on the characterisation of data types and consent prerequisites in the draft Personal Data Protection Bill. It contended that organisations need to completely fathom changes they would need to make to conform to the standards. 

The Internet and Mobile Association of India (IAMAI) recently signalled to the ambiguities that exist in the draft Bill and further said these would lead to unnecessary compliance issues. IAMAI said the industry needs clearness on which data is classified as close to general, sensitive and critical. Also, it recommended that incessant consent requirements ought not to be forced on data fiduciaries as long as the processing of information does not depart from the original purpose for which it was collected. The issue according to IAMAI is when data collection and processing is finished by various organisations, in which case, every data fiduciary should make consent at each step of the activity. 

“The bill proposes that data fiduciaries are obligated to take necessary measures and implement policies to ensure privacy should be embedded and built into all the systems, applications and architecture at each stage of collection, processing, usage, transmission, storage and disposal. Additionally, it requires data fiduciaries to implement appropriate safeguards to ensure the security of the personal data, such as encryption and de-identification,” says Jaspreet Singh, Partner – Cyber Security at EY.

Exemptions To Personal Data Processing Rights

As per the bill, the government is qualified to order any data fiduciary to acquire personal and non-personal/anonymised data for the sake of research and for national security and criminal investigations. 

In September 2018, the Supreme court stated on Aadhaar, saying linking the biometric-based identity card with PAN included negligible data to satisfy the more significant open good of poor people, who can utilise it to get benefits and appropriations from the government. Regardless, there has been a tussle since then on how personal data, particularly Aadhaar-based KYC is to be used primarily in the private sector.

“The data protection bill is like a two-sided sword. While it protects the personal data of Indians by empowering them with data principal rights, on the other hand, it gives the central government with exemptions which are against the principles of processing personal data. The government can process even sensitive personal data when needed, without explicit permission from the data principals. However, the government will need to show that any processing of personal data is needed and processing of sensitive personal information is absolutely necessary for the function of the government which authorised by law for the provision of service or benefit,” added Singh. 


According to experts, India has recognised this issue of data privacy, though somewhat late, through its Data Protection Bill. With a population of over a billion, there are about 500 million active web users and India’s online market is second only to China. Web penetration has developed exponentially over the most recent five years, because of the development of new business models, online startups and innovation contributions across enterprises. 

The usage of this bill will generally affect how user information is secured and kept private. The Data Protection Bill is expected to give controlling force in the hands of the data principles, furnishing users with the privilege to access, the privilege to data transportability and right to be forgotten. It endeavours to furnish Indian citizens with far-reaching information security rights and make a trust-based connection between the data principal and the data fiduciary.

More Great AIM Stories

Vishal Chawla
Vishal Chawla is a senior tech journalist at Analytics India Magazine and writes about AI, data analytics, cybersecurity, cloud computing, and blockchain. Vishal also hosts AIM's video podcast called Simulated Reality- featuring tech leaders, AI experts, and innovative startups of India.

Our Upcoming Events

Conference, in-person (Bangalore)
Machine Learning Developers Summit (MLDS) 2023
19-20th Jan, 2023

Conference, in-person (Bangalore)
Rising 2023 | Women in Tech Conference
16-17th Mar, 2023

Conference, in-person (Bangalore)
Data Engineering Summit (DES) 2023
27-28th Apr, 2023

Conference, in-person (Bangalore)
MachineCon 2023
23rd Jun, 2023

Conference, in-person (Bangalore)
Cypher 2023
20-22nd Sep, 2023

3 Ways to Join our Community

Whatsapp group

Discover special offers, top stories, upcoming events, and more.

Discord Server

Stay Connected with a larger ecosystem of data science and ML Professionals

Subscribe to our newsletter

Get the latest updates from AIM