BIG STORY: All You Need To Know About India’s Upcoming Personal Data Protection Bill

Data Protection Bill India

You may soon be hearing from a lot of companies on their updated privacy notice on how they collect your personal data and use it. That is because the Union Cabinet meeting chaired by Indian Prime Minister Narendra Modi recently gave the nod to the Personal Data Protection Bill which will soon be presented in the parliament for approval. 

When the bill gets passed, it will build up a system for the treatment of personal data, including its processing by public and private organisations. The Bill contains the expansive rules on the collection, storage and handling of personal data, consent of people, punishments and compensation, implicit rules, and an enforcement model. 

Presently, there are no laws on the utilisation of individual information and forestalling its abuse, even though the Supreme Court maintained the right to privacy as a fundamental right back directly in 2017. In line with the EU’s General Data Protection Regulation (GDPR), the Indian government a year ago presented a draft Personal Data Protection bill to manage the how individual data information can be stored and processed by both the public and privately owned businesses.

AIM Daily XO

Join our editors every weekday evening as they steer you through the most significant news of the day, introduce you to fresh perspectives, and provide unexpected moments of joy
Your newsletter subscriptions are subject to AIM Privacy Policy and Terms and Conditions.

The Personal Data Protection Bill, 2018, was set up by a high-level committee headed by previous Supreme Court judge BN Srikrishna. In any case, inter-ministerial deliberations postponed its approval in the parliament.

Data Protection Bill Constitutes 3 Personal Information Types

The bill divides data into three classifications:

Download our Mobile App

  • Critical
  • Sensitive
  • General

The Bill defines sensitive personal data as constituting or related to passwords, financial data, health data, official identifier, sexual orientation, religious or caste data, biometric data and genetic data. 

Be that as it may, sensitive data may be processed outside India with the explicit consent of the user. Critical data will be characterised by the government every once in a while and must be stored and handled only in India. Any data that is non-critical and non-sensitive is categorised as general data with no limitation on where it is stored or managed. 

Data Protection Bill: Impact On The Tech Industry

While the union cabinet has taken a long time to give the nod to the bill finally, there still may be some issues that the tech industry may have. As of now, most players are optimistic of the bill given data privacy is critical for most users. According to experts, there must be a balance between data privacy and innovation, which is crucial as India makes a target of achieving a $5 trillion economy. 

“We look forward to a progressive bill that strikes a careful balance between protecting the privacy and processing data and technology to expand economic opportunity for the citizens of India. To effectively implement this, we look forward to engaging with the Government of India on consultations to build a framework that is evolutionary and allows for precision regulation within principles-based legislation that offers certainty and predictability,” says Karan Bajwa, Managing Director, IBM India.

Earlier, Industry body IAMAI had said that greater clarity was required on the characterisation of data types and consent prerequisites in the draft Personal Data Protection Bill. It contended that organisations need to completely fathom changes they would need to make to conform to the standards. 

The Internet and Mobile Association of India (IAMAI) recently signalled to the ambiguities that exist in the draft Bill and further said these would lead to unnecessary compliance issues. IAMAI said the industry needs clearness on which data is classified as close to general, sensitive and critical. Also, it recommended that incessant consent requirements ought not to be forced on data fiduciaries as long as the processing of information does not depart from the original purpose for which it was collected. The issue according to IAMAI is when data collection and processing is finished by various organisations, in which case, every data fiduciary should make consent at each step of the activity. 

“The bill proposes that data fiduciaries are obligated to take necessary measures and implement policies to ensure privacy should be embedded and built into all the systems, applications and architecture at each stage of collection, processing, usage, transmission, storage and disposal. Additionally, it requires data fiduciaries to implement appropriate safeguards to ensure the security of the personal data, such as encryption and de-identification,” says Jaspreet Singh, Partner – Cyber Security at EY.

Exemptions To Personal Data Processing Rights

As per the bill, the government is qualified to order any data fiduciary to acquire personal and non-personal/anonymised data for the sake of research and for national security and criminal investigations. 

In September 2018, the Supreme court stated on Aadhaar, saying linking the biometric-based identity card with PAN included negligible data to satisfy the more significant open good of poor people, who can utilise it to get benefits and appropriations from the government. Regardless, there has been a tussle since then on how personal data, particularly Aadhaar-based KYC is to be used primarily in the private sector.

“The data protection bill is like a two-sided sword. While it protects the personal data of Indians by empowering them with data principal rights, on the other hand, it gives the central government with exemptions which are against the principles of processing personal data. The government can process even sensitive personal data when needed, without explicit permission from the data principals. However, the government will need to show that any processing of personal data is needed and processing of sensitive personal information is absolutely necessary for the function of the government which authorised by law for the provision of service or benefit,” added Singh. 


According to experts, India has recognised this issue of data privacy, though somewhat late, through its Data Protection Bill. With a population of over a billion, there are about 500 million active web users and India’s online market is second only to China. Web penetration has developed exponentially over the most recent five years, because of the development of new business models, online startups and innovation contributions across enterprises. 

The usage of this bill will generally affect how user information is secured and kept private. The Data Protection Bill is expected to give controlling force in the hands of the data principles, furnishing users with the privilege to access, the privilege to data transportability and right to be forgotten. It endeavours to furnish Indian citizens with far-reaching information security rights and make a trust-based connection between the data principal and the data fiduciary.

Sign up for The Deep Learning Podcast

by Vijayalakshmi Anandan

The Deep Learning Curve is a technology-based podcast hosted by Vijayalakshmi Anandan - Video Presenter and Podcaster at Analytics India Magazine. This podcast is the narrator's journey of curiosity and discovery in the world of technology.

Vishal Chawla
Vishal Chawla is a senior tech journalist at Analytics India Magazine and writes about AI, data analytics, cybersecurity, cloud computing, and blockchain. Vishal also hosts AIM's video podcast called Simulated Reality- featuring tech leaders, AI experts, and innovative startups of India.

Our Upcoming Events

24th Mar, 2023 | Webinar
Women-in-Tech: Are you ready for the Techade

27-28th Apr, 2023 I Bangalore
Data Engineering Summit (DES) 2023

23 Jun, 2023 | Bangalore
MachineCon India 2023 [AI100 Awards]

21 Jul, 2023 | New York
MachineCon USA 2023 [AI100 Awards]

3 Ways to Join our Community

Telegram group

Discover special offers, top stories, upcoming events, and more.

Discord Server

Stay Connected with a larger ecosystem of data science and ML Professionals

Subscribe to our Daily newsletter

Get our daily awesome stories & videos in your inbox

Council Post: Evolution of Data Science: Skillset, Toolset, and Mindset

In my opinion, there will be considerable disorder and disarray in the near future concerning the emerging fields of data and analytics. The proliferation of platforms such as ChatGPT or Bard has generated a lot of buzz. While some users are enthusiastic about the potential benefits of generative AI and its extensive use in business and daily life, others have raised concerns regarding the accuracy, ethics, and related issues.