Data Protection & Privacy 2023

Last Updated February 06, 2023

India

Law and Practice

Authors



Tatva Legal, Hyderabad is the largest full-service law firm in the states of Telangana and Andhra Pradesh. The firm is ranked in Band 1 for domestic firms by Chambers Asia-Pacific Legal Guide 2023 for its corporate and commercial practice in Hyderabad and has been consistently recognised as one of the best regional law firms in India over the last ten years. Tatva Legal, Hyderabad provides the full range of corporate and commercial legal services that a client might require across all industries and sectors, including private equity, technology, education, healthcare, pharma, real estate, infrastructure, banking and finance, agriculture, auto components, energy, logistics, the food industry, and manufacturing. The firm combines its local market insights with legal expertise to advise national and international clients in their domestic and cross-border endeavours.

Under the Indian legal system, the right to privacy was not initially recognised either under the Constitution of India (COI) or under any other statute; therefore, protection against its violation was also not available. The right to privacy came to be recognised as a fundamental right only after several years of jurisprudential developments through the Supreme Court of India (SCI), which culminated in Justice KS Puttaswamy v Union of India (the “Puttaswamy Case”). In the Puttaswamy Case, the SCI held that the right to privacy has its origin in Article 21 (Protection of life and personal liberty) of the COI and in the freedoms guaranteed in Part III of the COI; it is thus a fundamental right of every person. The effect of this legal recognition of the right to privacy is that individuals can now enforce the right against the state or its instrumentalities through the existing constitutional mechanisms (ie, Article 32 and Article 226 of the COI, which confer jurisdiction on the SCI and the high courts, respectively).

The Data Protection Rules

The provisions in relation to data protection were added by way of an amendment to the Information Technology Act, 2000 (IT Act) in the year 2009, which introduced Section 43A. This section of the IT Act provides for damages by way of compensation when a body corporate that is dealing with sensitive personal data or information (SPDI) in a computer resource is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person. The aforesaid amendment to the IT Act paved the way for the enactment of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Data Protection Rules”). The Data Protection Rules govern issues in relation to the collecting, receiving, possessing, storing, dealing with and handling of information, including SPDI, by body corporates. The Data Protection Rules are silent on the question of their coverage; however, based on the principal provision under which they were notified, Section 43A of the IT Act, it can be argued that the Data Protection Rules should extend in their application only to digital/online data and should not cover the collection of offline data, or the collection of data by natural persons.

The Data Protection Rules are the only set of rules in India, in relation to data protection, which are overarching in nature. Sector/industry-specific regulations have been framed by various regulators over the course of the last few years (see 1.2 Regulators).

In the Puttaswamy Case, the SCI not only recognised the right to privacy, but also directed that a special committee be formed to study the matter in relation to the privacy of individuals and how to protect it through a statutory mechanism.

Pursuant to the recommendations of the SCI, a committee headed by Justice BN Srikrishna (the “Srikrishna Committee”) was formed to study the current laws and to recommend a legal framework in relation to data protection. The Srikrishna Committee formulated its report titled “A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians” in July 2018, along with a draft of the Personal Data Protection Bill. Based on this draft bill, the Ministry of Electronics and Information Technology of the government of India (“MeitY”) prepared the Personal Data Protection Bill, 2019 (PDP Bill) and laid the PDP Bill before the parliament of India. The PDP Bill was then referred to a joint parliamentary committee (JPC), which gave its report in December 2021. In this report, the JPC recommended several amendments to the existing bill. One of the most prominent recommendations was to widen the scope of the PDP Bill and include non-personal data as well. The PDP Bill was withdrawn in November 2022 and the government has released the draft Digital Personal Data Protection Bill, 2022 (DPDP Bill).

At present, there is no specific regulator/supervisory authority in the Indian legal regime that deals principally or exclusively with matters related to privacy and data protection under any specific legislation. Therefore, what follows is an overview of certain important sector/legislation-specific regulators:

Financial Sector

Banks and financial institutions in India are governed and regulated by various laws, regulations and guidelines (the “Banking Laws”). The Reserve Bank of India (RBI) is the central bank in India and the regulator for banks and most financial institutions. There is no specific definition of SPDI or its equivalent under the Banking Laws. However, different Banking Laws, based on their subject matter, seek to protect customer information, etc. Furthermore, certain Banking Laws require banks to impose certain obligations on third-party vendors/service providers/consultants/sub-contractors when contractually engaging such third parties.

The RBI has been very active in terms of regulating entities that fall under its regulatory framework in relation to data protection and cybersecurity by issuing several directions and regulations, including but not limited to the Payment and Settlement Systems Act, 2007.

Furthermore, the RBI released the Storage of Payment System Data Directive, 2018, in April 2018 which mandated that the entire data relating to payment systems be stored in a system only in India. This data should include the full end-to-end transaction details, information collected, carried, processed as part of the message, and the payment instruction. This circular exempts data corresponding to the foreign leg of a transaction from this requirement. Afterwards, the RBI released clarifications in the form of FAQs on the circular in June 2019. The FAQs clarified that the directive is applicable to all payment system providers authorised/approved by the RBI to set up and operate a payment system in India. It was also clarified that the end-to-end payments data is to be stored in India.

The RBI regularly conducts audits and enquiries into banks’ security frameworks and has imposed penalties for non-compliance with the RBI’s cybersecurity framework for banks.

Telecommunications

Telecoms operators are governed by regulations laid down by regulatory bodies including:

  • the Telecom Regulatory Authority of India (TRAI);
  • the Department of Telecom, Government of India (DOT);
  • the Telecom Disputes Settlement and Appellate Tribunal (TDSAT);
  • the Group on Telecom and IT;
  • the Wireless Planning Commission; and
  • the Digital Communications Commission.

Furthermore, the Unified Access Service Licence extends information security requirements to the telecoms networks as well as to third-party service providers/equipment providers of operators. The regulator requires telecoms operators to audit their network at least once a year. The DOT, in its National Digital Communications Policy, 2018, seeks to establish a comprehensive data protection regime and assure security for digital communication. The TRAI has also rolled out measures to protect telecoms subscribers and brought out the Telecom Commercial Communications Customer Preference Regulations, 2010, which fine-tune the process for providing telecoms subscribers with an option to record their preferences, and which mandate telecoms service providers (TSPs) to implement measures to protect confidentiality and to take action on complaints.

Capital Markets

The Capital Markets industry is regulated in India by the Securities and Exchange Board of India (SEBI). SEBI has enacted a framework for cybersecurity for certain regulated entities called the Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing Corporations and Depositories Circular CIR/MRD/DP/13/2015 dated 6 July 2015, and Circular CIR/MRD/CSC/148/2018 dated 7 December 2018 (the “SEBI Circular”). The SEBI Circular is only applicable to Clearing Corporations, Depositories and Stock Exchanges, which are also referred to as Market Infrastructure Institutions (MIIs).

The SEBI Circular extensively covers the obligations of the MIIs as far as maintaining their IT infrastructure is concerned, such as the need to establish a Cyber Security and Cyber Resilience Policy, maintain a Cyber Security Operation Center which may be maintained by the MII concerned or may be outsourced (subject to conditions in the SEBI Circular), formulate an actionable Cyber Crisis Management Plan along with confidentiality and privacy requirements to be followed by the MIIs, and alert the Indian Computer Emergency Response Team (“Cert-In”) in case of any cyber-attack.

Cert-In

Cert-In has been created under Section 70B of the IT Act to serve as a national agency for responding to cybersecurity incidents. It has been conferred with the power to give directions to service providers, intermediaries, data centres, bodies corporate and any other person. See 3.4 Key Privacy Issues, Conflicts and Public Debates for an overview of the directions issued by Cert-In.

Insurance

The Insurance Regulatory and Development Authority of India (IRDAI) conducts regular on-site and off-site inspections of insurers to ensure compliance with the legal and regulatory framework. In addition, the IRDAI’s guidelines on Information and Cyber Security for Insurers were updated in December 2020, requiring vulnerability assessments and penetration testing annually and the closing of any identified gaps within a month. Some other relevant guidelines issued by the IRDAI include the IRDAI (Outsourcing of Activities by Indian Insurers) Regulations 2017, the IRDAI (Maintenance of Insurance Records) Regulations 2015, and the IRDAI (Protection of Policyholders’ Interests) Regulations 2017, which contain a number of provisions and regulations on data security.

Furthermore, the IRDAI has issued guidelines to insurers on structuring cyber-insurance for individuals and the gaps that need to be filled. As per the guidelines, cyber-insurance should provide cover against theft of funds and identity, unauthorised online transactions, and e-mail spoofing, among others.

Healthcare

The Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002 impose patient confidentiality obligations on medical practitioners.

The Electronic Health Record Standards, 2016 (EHR Standards) have been notified by the Ministry of Health and Family Welfare, Government of India (MOHFW) for adoption by hospitals across India; however, these are merely guidelines and, as such, are not enforceable. The EHR Standards differentiate between (i) protected health information; and (ii) individually identifiable health information.

The Health Data Management Policy, 2020 (HDM Policy), released by the MOHFW, is largely based on the PDP Bill to govern data in the national digital health mission ecosystem. The HDM policy, like the PDP Bill, recognises entities such as data fiduciaries and data processors and establishes a consent-based data-sharing framework.

The Telemedicine Practice Guidelines, 2020, released by the MOHFW, stipulate that registered medical practitioners (registered under the Indian Medical Council Act, 1956), while providing telemedicine (through audio, video, etc), must abide by the relevant provisions of the IT Act, data protection and privacy laws, and any applicable rules notified from time to time, for the purpose of protecting patient privacy and confidentiality and governing the handling and transfer of the patient’s personal information.

Under the New Drugs and Clinical Trials Rules, 2019, the investigator responsible for conducting clinical trials at the clinical trial site should undertake to keep the identification of all participants who take part in clinical trials confidential, and ensure security and confidentiality of study data. 

Consumer Protection Act, 2019

The Consumer Protection Act, 2019 (“CA 2019”) is applicable to consumers of goods or any services. As per CA 2019, a service provider has to ensure protection of information disclosed by the consumer in confidence. Any disclosure of the same, except in accordance with applicable laws, would amount to unfair trade practice, and the consumer in such circumstances may make a claim against the service provider under CA 2019 before a consumer forum or may even lodge a complaint with the Central Consumer Protection Authority.

As outlined in 1.2 Regulators above, there is currently no overarching privacy regulator or data protection authority in India. Some of the extant laws, such as the IT Act, allow redress to affected individuals or entities.

Police officers, not below the rank of inspector, may carry out investigations in relation to any of the offences under the IT Act, including Section 43A and Section 72A, which imposes punishment for disclosure of information in breach of lawful contract.

Under the IT Act, Section 46 provides for the appointment of an adjudicating officer in relation to the adjudication of offences under the IT Act, or any rule, regulation, direction or order made thereunder. The jurisdiction of such adjudicating officer extends to injury or damage of up to INR5,00,00,000 (five crore Indian rupees) and beyond this amount, jurisdiction is vested with the competent court under the IT Act.

MeitY has notified the secretary of the Department of Information Technology of each Indian state or union territory as the adjudicating officer under the IT Act. A written complaint can be made to the adjudicating officer based on the location of the computer system or the computer network, together with a fee based on the damages claimed as compensation. The adjudicating officer thereafter issues a notice to the parties notifying them of the date and time for further proceedings and, based on the evidence, decides whether to pass order(s) if the respondent pleads guilty, or to carry out an investigation. If the officer is convinced that the scope of the case extends to an offence rather than a mere contravention, and entails punishment greater than a financial penalty, the officer will transfer the case to the magistrate having jurisdiction.

The first appeal based on an adjudicating officer’s decision can be filed before the TDSAT and from the order of the TDSAT, an appeal can be filed before the High Court of the state in India that has jurisdiction.

India does not currently appear to be part of any binding multinational system on data protection or privacy. However, certain similarities and contrasts between India’s Data Protection Rules and the General Data Protection Regulation, 2016 (GDPR) are evident.

  • Extra-territorial application: although the Data Protection Rules are applicable only to body corporates located in India, Section 1(2) read with Section 75 of the IT Act extends the applicability of the IT Act to persons resident in countries outside India, where such persons possess a computer system/network in India. Therefore, in case of violation of the Data Protection Rules by an entity outside India, said entity may be subject to enforcement action under the IT Act, similar to that of the GDPR.
  • Purpose limitation: similar to the GDPR, the Data Protection Rules provide for collected information to be used only for a specified purpose, which should be legal.
  • Data minimisation: unlike the GDPR, the Data Protection Rules do not have an express principle in this regard. However, it is stipulated that information should be collected only if it is necessary for the original purpose.
  • Informed consent: the Data Protection Rules are worded differently to the GDPR in relation to this. However, it is necessary to obtain consent before collecting information and even for the purpose of disclosing or transferring collected information to any third party.
  • Storage limitation: like the GDPR, the Data Protection Rules do not specify storage times for personal information, which can be stored until completion of the purpose for which the personal information was collected.
  • Integrity and confidentiality of personal data: unlike the GDPR, which expressly defines a data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the Data Protection Rules do not have a clear definition of data breach. However, a data breach in India is one of the cybersecurity incidents required to be mandatorily reported to Cert-In within six hours, as per the Cert-In directions. The Cert-In directions, too, do not define a data breach.

Some of the major NGOs and self-regulatory organisations (SROs) working in India, which also address data protection and privacy, are mentioned below.

  • Internet Freedom Foundation: a non-profit organisation that conducts advocacy on digital rights and liberties.
  • Data Security Council of India: a non-profit organisation specifically focusing on data-centric industries, which has been set up by the National Association of Software and Service Companies (NASSCOM).
  • Cellular Operators Association of India: this represents the Indian telecoms industry and interacts directly with ministries, policy makers, regulators, financial institutions and technical bodies.
  • National Cyber Safety and Security Standards: a non-profit organisation that carries out research in cybersecurity and provides comprehensive training programmes in relation to the same.
  • Internet and Mobile Association of India: a non-profit organisation set up with the purpose of representing the interests of diverse players in the digital ecosystem of India, including various start-ups.
  • Internet Service Providers Association of India: a non-profit organisation that represents the interests of internet service providers in India across various fronts.
  • Sahamati: a non-profit organisation representing the interests of account aggregators in India.
  • Indian Software Products Industry Round Table (ISPIRT): a non-profit think tank working extensively in policy-making in relation to digital ecosystems in Indian data-focused industries.

The Indian legal regime related to data protection and privacy is currently undergoing an overhaul and, although it already has certain elements in common with the GDPR, it is yet to attain the level of maturity and detail in terms of regulation contemplated under the GDPR. This is expected to be addressed by the draft DPDP Bill, which is presently undergoing public consultation; it is likely that this draft will be carefully amended and will benefit from the practical nuances of the GDPR, towards which the Indian legal regime appears to be inclined.

See 1.8 Significant Pending Changes, Hot Topics and Issues.

Certain impactful changes in the regulation of data protection under Indian law are specified below. 

  • The draft DPDP Bill is undergoing public consultation and will comprehensively change the overarching framework in relation to data governance in India.
  • The Non-Personal Data Governance Framework Policy, 2022 is currently being deliberated by the committee of experts constituted under MeitY.
  • The Digital Information Security in Healthcare Bill, 2017, which is yet to be passed by parliament, has been framed with the purpose of standardising and regulating the processes related to collection, storage, transmission and use of digital health data.
  • The Draft National Data Governance Framework Policy, 2022, published by MeitY, seeks to enhance the use of, access to, and quality of data, and align it with the current technological developments in the country, so as to standardise and improve the government’s data collection and management while enabling a start-up ecosystem based on AI and data-based research.
  • The India Digital Ecosystem Architecture 2.0 (InDEA 2.0) is a framework that enables governments and private sector enterprises to design IT architecture that can extend beyond their organisational boundaries and enable delivery of holistic and integrated services to customers.

The Data Protection Rules

The legal framework currently addressing data protection is the Data Protection Rules. As per the Data Protection Rules, whenever a body corporate collects or manages personal information, the body corporate should have a privacy policy in place and the same should be made available on the body corporate’s website. The privacy policy should include the type of personal data collected, the purpose of collecting the data, any disclosure of the personal information collected, and reasonable security policies that have been developed by the body corporate. Consent of the individuals providing personal data should be obtained for the specific purpose before using any personal data. Data providers should also be given the option to not provide consent for the collection of personal data. However, these rules are not comprehensive with respect to privacy and data protection and there is a need to have a more detailed omnibus law.

The DPDP Bill

MeitY has solicited suggestions and comments on the draft DPDP Bill from all relevant stakeholders. This bill applies to digital data and to offline data that is converted to digital form. However, it does not cover data that remains in offline physical form.

The DPDP Bill is drafted on the basis of the following principles. Personal data collected by organisations:

  • must be used in a fair and transparent way;
  • must be for a specific purpose;
  • may be stored only until the purpose is served;
  • must be accurate and up to date;
  • may not be collected or processed unless this is authorised; and
  • must be processed by the organisation accountable for deciding the purpose and means of processing. 

Requirement for Appointment of an Officer

The current law does not have any mandatory requirement that every organisation that handles data should appoint an officer to ensure compliance with general obligations. In some instances, however, the appointment of an officer is mandated. For example, the Data Protection Rules mandate that a grievance officer responsible for handling grievances from end users should be designated. Similarly, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 require the appointment of a grievance officer, who is responsible for receiving any grievances relating to the code of ethics described under those rules.

The DPDP Bill discusses appointing a “data fiduciary” whenever personal data is being collected from individuals. This data fiduciary is responsible for:

  • the personal data received by their organisation being compliant with the DPDP Bill;
  • taking reasonable security measures to protect personal data;
  • ensuring data is complete in the event that it is used to make a decision that affects the individual;
  • ensuring compliance with regard to erasing personal data;
  • informing the regulator, the Data Protection Board of India, in the event of a data breach;
  • developing mechanisms to redress the grievances of data providers; and
  • ensuring additional compliance where children’s personal data is collected. 

Criteria Necessary to Authorise the Collection and Processing of Personal Data

The Data Protection Rules differentiate between personal data and SPDI. SPDI means information relating to a password; a bank account, credit card or debit card or other financial information; physical, physiological or mental health conditions; sexual orientation; medical records or history; and biometric data. SPDI can be collected only after the SPDI provider is informed of the purpose for collecting their personal data and gives consent to its collection. SPDI can be disclosed to a third party only after permission for such disclosure has been given by the data provider. However, consent is not required in exceptional circumstances, such as disclosure to a government agency mandated under law.

The DPDP Bill does not differentiate between personal data and SPDI and only specifies that personal data should only be collected after obtaining consent for a specific purpose. However, the DPDP Bill does talk about deemed consent in cases of voluntary disclosure, performance of an obligation under any law or judgement, providing medical treatment or assistance in a disaster, or other purposes as specified in the DPDP Bill. 

Application of “Privacy by Design” or “by Default”

Privacy by design or by default is not defined under current law or the DPDP Bill. However, the Data Protection Rules mandate that when a body corporate is collecting information, it should have a privacy policy on the handling of personal information.

Impact Analysis

Current law does not talk about impact analysis, but the DPDP Bill says that the central government may require data fiduciaries to assess the risk or harm to the individual while processing their personal data and, in some situations, also determine the potential impact on the sovereignty and integrity of the country.

Data fiduciaries who are responsible for collecting personal data undertake impact assessments and periodic audits to ensure compliance with the DPDP Bill. 

Need for Internal or External Policies

As per the Data Protection Rules, the body corporate collecting information should formulate a privacy policy and the policy should provide details of the purpose for collecting data, what information will be collected and what safeguards have been undertaken to protect the data. 

The Individual’s Right to Control the Use of Personal Data

The Data Protection Rules provide the right to give consent, to withdraw consent, and to edit or update the personal data provided.

Under the DPDP Bill, similar rights are provided – for example, the individual providing the personal data has the right to withdraw their consent for the collection of their personal data and the right to correct or erase their data, and the data fiduciary must comply with the individual’s request. The data provider should be informed of the purpose for collecting their data and of how the data will be processed, and data may be transferred to another data fiduciary only after consent for the transfer has been obtained.

Data Anonymisation, De-identification, Pseudonymisation

The current law and the DPDP Bill are silent on the use of data pursuant to data anonymisation, de-identification or pseudonymisation. The scheme of the DPDP Bill, however, includes rules to be notified under it, and there is a possibility that these issues could be addressed therein.

Restricting or Permitting of Profiling, Automated Decision-Making or Big Data Analysis or Other Technologies

The current law does not address technologies such as profiling or big data analysis. However, the DPDP Bill applies to data processing performed outside India if the profiling or the offering of goods and services is directed at data providers in India. At the same time, the DPDP Bill does not specifically restrict or permit any activities in which micro-targeting, big-data analysis, AI or algorithms may be applied.

Concept of “Injury” or “Harm”

The DPDP Bill mentions that a data fiduciary should assess the risk or harm that may result from processing the data of a data provider. 

Some of the regulators in India have recognised the sensitive nature of personal data and have formulated measures, which are discussed below. 

Financial Data

Under the Banking Regulation Act 1949, no banking company can be compelled to disclose information that the banking company believes to be confidential. Under the Credit Information Companies (Regulation) Act, 2005 and its respective regulations, before collecting confidential information, every credit institution must implement a privacy policy for collecting, sharing and using the credit information. This privacy policy should contain the purpose, the obligations implemented to check accuracy, and the measures for protection. Under the Payment and Settlement Systems Act, 2007, the operator should maintain confidentiality with respect to any document or information provided by a bank or an individual using the payment system.

The RBI is ensuring the data protection of individuals by means of notifications. Through its master circular on customer service in banks, the RBI identified that there is a contractual relationship between a banker and a customer which also includes the obligation of secrecy. For more details on the measures taken by the RBI, see “Financial Sector” in 1.2 Regulators.

SEBI has also recognised the importance of data protection. Through its notification process, SEBI has mandated that a KYC registration agency must keep client information confidential and must not divulge the information to anybody without the consent of its clients.

Measures undertaken by the IRDAI are discussed in “Insurance” under 1.2 Regulators.

Health Data

In the health sector, the government has come up with the HDM Policy, which is designed to protect the personal data of individuals and provide privacy. Details of the HDM Policy are provided in “Healthcare” under 1.2 Regulators.

Additionally, the Mental Healthcare Act 2017 provides persons with mental health illness the right to confidentiality in respect of their mental health details. 

Communications, Voice Telephone and Text Messaging Data

Telecoms service providers are governed by several regulations for the protection of personal data, such as the IT Act, the Data Protection Rules, the Indian Telegraph Act 1885, the Indian Telegraph Rules, the Unified Licence Condition, and the guidelines and notifications released by the DOT and the TRAI.

The Indian Telegraph Act 1885 and the corresponding Rules state that a telegraph officer, or any person who has been delegated such duties, should not secretly obtain or divulge information that is being transmitted. As per the relevant Rules, if there is any violation of licence conditions pertaining to the maintenance of secrecy and confidentiality, the service providers will be held responsible.

The Unified Licence Condition mandates that all licensees providing telecoms services take sufficient measures to observe the confidentiality of customer information, protect the privacy of communication and ensure that there is no unauthorised interception of messages. 

DOT has also issued a notification to TSPs that there should be a security policy for managing their assets by implementing a security risk management system. Refer to “Telecommunications” under 1.2 Regulators.

Content of Electronic Communication

A huge amount of data is transmitted through electronic communication, and ensuring the safety of this data is a difficult but necessary task. Several regulators, such as SEBI, the RBI and the DOT, have stipulated encryption standards to secure electronic communication data. To ensure end-to-end encryption of data in electronic communication, the Unified Licence Condition recommends encrypting electronic communications in transit as well as in storage in digital ecosystems. Decryption should be allowed only on a need basis, and the consent of the end user should be requested before decrypting their communications. The use of bulk encryption by licensees is not allowed. Providers of electronic communication, such as email and messaging apps, fall under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.

Children’s or Students’ Data

There is no specific law in India to protect children’s or students’ data. However, under the Indian Contract Act, 1872, a child or a minor cannot be a valid party to a legal contract. Therefore, consent given by a minor to a privacy policy forming part of a contract (for example, in a gaming app) is not considered valid consent.

The DPDP Bill imposes additional obligations regarding the personal data of children. It says that before processing children’s data, the person collecting the data should obtain parental consent to do so, and the monitoring of children’s behaviour and employment of targeted advertising towards children are not permitted. 

Employment Data

Protection of personal data in employment is discussed in 2.4 Workplace Privacy.

Social Media Platforms

Social media platforms (“Platforms”) are regulated by the IT Act and the Data Protection Rules. This law and the respective rules require Platforms to implement comprehensive security measures and to formulate a privacy policy that, among other things, states the reason for the collection of personal data, and to display that policy on the Platform.

Internet, Streaming and Video Issues

Laws and relevant rules discussed in Social Media Platforms apply to this section as well. 

There are no provisions specific to browsing data, viewing data, cookies, beacons or location data. The DPDP Bill provides a prohibition on behavioural or targeted advertising for children. 

Addressing Hate Speech, Abusive Material and Other Content

Under the IT Act, punishment is provided for sending offensive messages, cheating by impersonation using a computer resource, sending pictures of the private parts of a person without their consent, and cyber-terrorism. 

The Information Technology (procedure and safeguard for monitoring and collecting traffic data or information) Rules, 2009 state that the intermediary or person in charge of computer resources should have effective internal checks to ensure that unauthorised monitoring or collection of traffic data does not take place, that the secrecy of traffic data is maintained, and that the utmost care and precautions are taken. 

Other Issues

Data subject rights

The Data Protection Rules provide that the data subject has the right to refuse consent to provide data, and to edit or withdraw their data at any point in time.

The DPDP Bill also provides the right to provide data, edit or correct data, and remove data, as well as the right to enquire if a data fiduciary has the data. In addition, there should be a platform to raise any grievances. 

Right to be forgotten

The Data Protection Rules and DPDP Bill do not per se provide the right to be forgotten to the user. However, the person providing the data has the right to have their information erased from the database. 

The TRAI recommended through a press release that service providers should offer the option to be forgotten to their telecommunication consumers.

Data portability

The Data Protection Rules do not provide for data portability. However, through its press release, the TRAI has recommended that telecommunication users should have control over their personal data and should have the right to choose portability of services. 

The TRAI has specifically provided categories of communications, such as advertisements, that users can block by registering their preference with the National Customer Preference Register. Once the user chooses to block such communications, they should not receive any unsolicited commercial communication or marketing communication.

The Central Consumer Protection Authority constituted under the Consumer Protection Act, 2019 is responsible for handling any false or misleading advertisements. 

The Advertising Standards Council of India also monitors advertisements and ensures that they are truthful and do not mislead consumers. 

Also see Children’s or Students’ Data in 2.2 Sectoral and Special Issues.

The scope for protection of privacy in the workplace in India is very limited. There are no special laws regulating the workplace privacy of employees. Data protection stems from the IT Act and the Data Protection Rules, which require security measures for personal data collected from employees and require that employees be informed of any personal data breach.

The DPDP Bill provides for deemed consent for purposes related to employment, such as preventing corporate espionage, protecting trade secrets, intellectual property and classified information, recruitment, termination of employment, or the provision of any service or benefit sought by the employee.

Regarding workplace communications, the law is silent on cybersecurity tools, insider threat detection and prevention programmes. 

Whistle-Blowing

The Whistle Blowers Protection Act, 2014, addresses concealing the identity of the whistle-blower and documents provided by the whistle-blower, and also discusses the protection to be given to a whistle-blower against victimisation. However, this law applies only to government bodies and public sector employees. 

The DPDP Bill does not specifically mention whistle-blowers. 

As per Section 177 of the Companies Act, 2013 and the SEBI (Listing Obligations and Disclosure Requirements) Regulations, every listed company should have a vigil mechanism for whistle-blowers that allows directors and employees to report concerns about fraud or violation of policies in the company.

Legal Standard for Breach of Data Protection

Breach of data protection or privacy is addressed both by civil and criminal remedies in India. Under the general common law principles, the standard of proof required is different in both of these. While “preponderance of probability” may suffice in the case of a civil remedy, the “beyond reasonable doubt” standard prevails in criminal remedies. Some of the general remedies include: imposition of penalties based on the sensitivity of the data, being barred from collecting data until revised safety policies have been put in place, imprisonment in criminal cases, fines, etc.

Currently, penalties for breach of data and other offences are provided in the IT Act. These include identity theft, publishing or sending obscene material in electronic form, and other related offences.

One of the leading cases in India regarding data privacy is Justice KS Puttaswamy v Union of India, as discussed in 1.1 Laws.

The Enforcement Directorate recently brought a case against the National Stock Exchange (NSE) for illegally intercepting the telephone lines of a few employees at the NSE without gaining permission from the required authority and without the consent of the NSE employees. The case is currently pending in the district court. 

There are also several other instances where data protection has been compromised. One example was a ransomware attack on one of the most prestigious hospitals in India, the AIIMS Delhi, where reportedly 40 million records were compromised.

During Covid-19, as working from home became more prevalent, moonlighting (working on two or more parallel jobs) also became prevalent, sometimes without the consent of employers. This increased concerns about breaches of data privacy. 

Class Actions

There is no legislation that authorises class actions or collective redress specifically for privacy or data protection. However, the courts have evolved what is called a “public interest litigation” jurisprudence (PIL). A PIL allows a petitioner without any locus (ie, personal interest in the matter) to approach the SCI or the High Court in matters of greater public interest. It is wholly at the discretion of the court to permit the PIL.

Under the Civil Procedure Code, 1908, a representative suit can be filed by one person on behalf of numerous persons having the same interest in the suit.

Law enforcement agencies can obtain access to data in an organisation under various legislation, some of which are special laws and some general laws. 

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, allow law enforcement agencies (LEAs) to seek data on users of intermediaries, and prescribe the procedure for this. LEAs can seek the data without a judicial order under Rule 3(1)(j) of these rules.

The Information Technology (Procedure & Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, allow LEAs to direct interception, monitoring or decryption of information and outline the procedures for these.

The Criminal Procedure (Identification) Act, 2022, allows police officers or prison officers to collect biometric information such as fingerprints, iris and retina scans, photographs, etc, and behavioural attributes including the signature and handwriting of a person arrested or convicted of offences punishable with imprisonment for a period of at least seven years, or offences committed against women or children, and the same can be retained in digital or electronic form for a period of 75 years. However, all biometric information and behavioural attributes are required to be erased from the records (unless specifically directed by the court) if a person is released without trial or discharged or acquitted by the court, after exhausting all legal remedies.

The Indian government (including its LEAs) has wide powers under various laws for surveillance, monitoring and access to data for investigations of serious crimes, national security, and anti-terrorism. Most of these specify a process and allow the LEA to unilaterally access data as per that process.

Key legislation, rules and regulations related to this are set out below. 

  • The Indian Telegraph Act 1885 governs interception of telephone conversations in the case of a public emergency or in the public interest, and requires the disclosure of call data records to LEAs.
  • The IT Act and Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules 2009 (“Interception Rules”) allow for the interception, monitoring and decryption of digital information in any computer resource in the interest of the sovereignty, integrity and defence of India. Moreover, the Interception Rules also permit any government agency to monitor and collect traffic in any computer resource for the purposes stated under the IT Act.
  • The Data Protection Rules permit the disclosure of personal data to government agencies without obtaining the data provider’s consent.
  • The IT (Intermediaries Guidelines) Rules 2011 and IT (Guidelines for Cyber Cafe) Rules 2011 require intermediaries to provide any information to government agencies under lawful order within 72 hours.
  • The TRAI’s various license agreements for ISPs, TSPs and UASLs (unified access services licences) provide for surveillance of communications, monitoring telecommunications traffic in every node or in any other technically feasible point in the network, and prohibit bulk encryption and encryption that exceeds 40 bits.
  • The Income Tax Act 1961 allows state tax authorities to process personal data in respect of an assessee’s financial information for enquiry and investigation purposes made in compliance with the law.
  • The Central Monitoring System (CMS), operated by the government’s telecommunications technology development centre’s Telecom Enforcement Resource and Monitoring cells, empowers the government to intercept any and all communications deemed “necessary or expedient” for purposes such as national sovereignty, integrity and state security.

India has signed Mutual Legal Assistance Treaties with several countries, by which law enforcement officials seek and receive information for domestic investigations from other jurisdictions and vice versa. Although this mechanism has been highly debated across the world, it can be a basis for the collection of personal information, and such information may be shared with the law enforcement agencies of other countries.

Handling of “data” is currently governed by the contract between the parties (data provider and data recipient). It may be argued that there is no general prohibition on an organisation sharing data with a foreign government, if the contract does not prohibit it. However, sectoral guidelines have a role to play, for example, information supplied to a credit rating agency may not be shared with any third party, except as outlined in the Securities and Exchange Board of India (Credit Rating Agencies) Regulations, 1999.

As per the RBI rules, the data can be shared with foreign regulators only if there is a requirement for such a transaction, and with prior approval of the RBI.

The Cert-In Directions

Cert-In Direction No 20(3)/2022 dated 24 April 2022 (the “Cert-In Directions”) requires data centres, virtual private server providers, cloud service providers, and virtual private network service providers (“VPN providers”) to collect and retain accurate subscriber-related information for a minimum period of five years after the subscriber has stopped using the underlying services. This has led to several VPN providers exiting the Indian market, such as NordVPN, ExpressVPN, ProtonVPN, TunnelBear, and Surfshark.

The Cert-In Directions, particularly the requirement in relation to the maintenance of logs of information and communications technology systems and the requirement to maintain these securely for a rolling period of 180 days and maintain the same within the Indian jurisdiction, along with the directions in relation to the storage of user data of VPN service users, are under challenge before the Delhi High Court in SnTHoldings v Union of India.

The Draft DPDP Bill

A recent point of controversy under the DPDP Bill is Section 18, which empowers the central government to exempt from application of the provisions of this bill, the processing of personal data:

  • by any instrumentality of the state in the interests of the sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order or preventing incitement to any cognisable offence relating to any of these; and
  • necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a data principal and such processing is carried on in accordance with the standards specified by the board under the said bill.

Various concerns have been raised against such provision of wider powers to the central government and these have been causing a stir in privacy-related public discussions.

The Data Protection Rules place restrictions on the international transfer of SPDI. As per the Data Protection Rules, when the SPDI is transferred from India, the transferee located outside the country should maintain the same level of protection for the data as that applicable in India. The transfer should also only happen if it is necessary for the performance of a lawful contract between a body corporate or individual, and the SPDI provider has given their consent. 

One of the other examples of restrictions on international transfer emanates from the RBI. Restrictions emanating from the RBI related to international transfers are discussed in 1.2 Regulators under the heading Financial Sector. 

In one of its cases, the Kerala High Court directed the Kerala government to obtain consent from individuals whose data was shared with a foreign third party so that it could be used in data analysis on Covid-19 patients. 

In addition to the above restrictions, the DPDP Bill also includes a provision broadly covering the transfer of personal data outside the country. As per the DPDP Bill, personal data may be transferred to certain countries according to the procedure formulated. The list of countries and the procedures for the transfer have not yet been issued. 

There are no mechanisms or derogations for international data transfer under current law, apart from the restrictions mentioned in 4.1 Restrictions on International Data Issues.

Different regulators or government bodies may issue notifications from time to time regarding restrictions on the transfer of personal data to entities governed by them (eg, the RBI guidelines discussed in 1.2 Regulators). However, no government approvals or notifications are required before a general international transfer.

As mentioned earlier, there are currently no general data localisation requirements, and data may be maintained as per each organisation’s policies (see 4.1 Restrictions on International Data Issues).

Currently, there are no legal provisions that mandate a general sharing of software codes, algorithms or similar technical details with the government. However, sector-specific guidance and frameworks need to be examined. The National Security Directive on the Telecommunication Sector has created a list of trusted sources, and telecoms service providers may connect to their networks only those devices that are designated as “trusted products”; the process for obtaining that designation could include access to the code, etc.

The DPDP Bill is also silent on the requirement to share technical details with the government. 

See 3.3 Invoking Foreign Government Obligations.

It appears that there are presently no Indian statutes that seek to block the operation of the statutes of a foreign country in relation to data privacy or otherwise.

The current legal framework does not directly address big data, AI, profiling or micro-targeting, automated decision-making, and the internet of things. There may be a few guidelines governing specific sectors, but the legal framework is still nascent regarding these domains and is currently undergoing development at policy level (eg, the RBI mandates that banks should ensure that credit cards are offered to the visually challenged without any discrimination).

Furthermore, facial recognition and biometric data are classified as SPDI under the Data Protection Rules, and therefore the collection, use, etc, of these have to comply with every requirement under such rules for processing. In addition, biometric data in the form of Aadhaar is subject to the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 and the rules thereunder, which provide for the manner in which Aadhaar data can be used and stored by entities that have collected the same.

Drones

The Ministry of Civil Aviation of the government of India has notified the Drone Rules, 2021, which comprehensively govern the use of drones (unmanned aerial vehicles) in India, prescribing compulsory certification, licensing of users, standardisation, etc.

Geolocation

Guidelines for acquiring and producing Geospatial Data and Geospatial Data Services including Maps, 2021 notified by the Department of Science and Technology have been framed for the regulation of geolocation data.

Disinformation, Deepfakes and Other Online Harm

At present, there is no specific legislation that deals with such issues. The general criminal and civil law is taken as a recourse in such instances.

There is no general legal requirement for organisations to establish a digital governance or fair data practice review board or committee. 

Generally, every company is required to comply with Sec 134(5)(f) of the Companies Act, 2013, which requires directors to confirm every year that they have devised proper systems to ensure compliance with all the applicable laws, and that such systems are operating effectively.

In addition, sector-specific requirements may need to be met.

WhatsApp LLC is under investigation by the Competition Commission of India (CCI) due to its privacy policy, which requires users to consent to the sharing and integration of user data with other Meta Group companies as a precondition for using WhatsApp services. The SCI has upheld the decision of the CCI to continue this investigation.

For further details, see 2.5 Enforcement and Litigation.

Compliance is usually checked based on the industry in which a target company is engaged, since data protection laws differ from industry to industry (see 1.2 Regulators). Therefore, there will be more scrutiny in the case of a company engaged in the financial sector as compared to a company that is engaged in the infrastructure sector, as the financial sector is more heavily regulated by the RBI in terms of data protection through several directions and regulations.

There is no specific legal provision requiring an organisation’s mandatory disclosure of its cybersecurity risk profile or experience.

As per the Data Protection Rules, organisations are required to display their privacy policy on their website (see 2.1 Omnibus Laws and General Requirements). Furthermore, entities are required to report cybersecurity incidents to Cert-In within six hours of the same occurring or being brought to notice.

A data breach at a listed company may in certain circumstances be considered a significant incident that needs to be reported to the stock exchange, as per the listing norms of SEBI.

Trends in the progression of legal frameworks and judicial views show that there may be cross-diffusion of concepts. However, the current approach in India seems to be sector-specific in relation to general policy. There appears to be some traction by regulators broadening their horizons, eg, the CCI has been proactive in terms of checking various data-driven companies, such as Meta, which have a blend of both competition and consumer protection implications in India. However, there is currently no omnibus legislation that seeks to address the same.

There do not appear to be any other significant issues which have not been covered.

Tatva Legal, Hyderabad

Tatva House, Plot No 107A
Road No 72, Jubilee Hills
Hyderabad – 500 110
Telangana
India

+91 40 23581000 – 04

+91 40 23581005

tlh@tatvalegal.com www.tlegal.com

Trends and Developments

Background

The legal regime in India pertaining to data protection and privacy is currently in the midst of an overhaul. Data protection and privacy in India is primarily governed by the Information Technology Act, 2000 (the “IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Other ancillary and sector-specific regulations exist, such as the Information Technology (the Indian Computer Emergency Response Team and the Manner of Performing Functions and Duties) Rules, 2013; the directions imposed by the Indian Computer Emergency Response Team; the Consumer Protection Act, 2019; the Consumer Protection (E-Commerce) Rules, 2020; and rules published by regulatory authorities in India such as the Reserve Bank of India, the Insurance Regulatory and Development Authority of India, and the Securities and Exchange Board of India, which govern facets of data protection within their respective jurisdictions.

In recent times, the Supreme Court of India, the highest court in India, in Justice KS Puttaswamy v Union of India affirmed that the “right to privacy” is one of the fundamental rights of Indian citizens under the constitution of India. Post this judgment, the Indian government recognised the need for robust legislation for the protection of citizens’ right to privacy, while also ensuring the growth of the digital economy. Accordingly, a committee of experts was constituted in 2017, headed by Justice BN Srikrishna (the “Srikrishna Committee”) to identify key data protection issues, methods of redressal, and to prepare a data protection bill. 

The Srikrishna Committee submitted its report in 2018, along with a draft bill. Pursuant thereto, a Personal Data Protection Bill (“PDP Bill”) was prepared by the government of India, and it was introduced in the lower house of the Indian parliament in 2019. Notably, the PDP Bill differed from the draft bill recommended by the Srikrishna Committee in various aspects such as dilution of data localisation requirements, introducing a right to erasure, introducing the concepts of consent managers and privacy by design, etc.

The PDP Bill was thereafter referred to a joint parliamentary committee and was subject to deliberation for almost two years. The joint parliamentary committee ultimately tabled its report in the Indian parliament, along with a revised version of the PDP Bill – the Data Protection Bill, 2021. However, in 2022, the PDP Bill was withdrawn from parliament by the Indian government, citing the substantial revisions suggested by the joint parliamentary committee. The Indian government proposed to introduce a new bill, with a comprehensive framework to foster the digital economy.

The Indian government thereafter published the draft Digital Personal Data Protection Bill, 2022 (the “DPDP Bill”) for public comment, and intends to introduce the updated DPDP Bill in parliament in 2023. In its current form, the DPDP Bill is a significantly simpler version of its predecessor bills and intends to amend and introduce certain key provisions of the prevailing Indian laws relating to data privacy. If passed into law, the DPDP Bill will introduce significant key provisions that may impact tech players, digital businesses, start-ups, and society at large. 

The DPDP Bill

Key principles and applicability

The DPDP Bill has been drafted on the principles of:

  • the lawful, transparent, and fair usage of data of the data principals;
  • lawful purpose;
  • data minimisation;
  • reasonable safeguards;
  • limitations on storage of data;
  • ensuring the accuracy of data; and
  • accountability.

In its current form, the DPDP Bill applies to the processing of digital personal data within India where (a) such data is collected online from data principals, and (b) such data is collected offline but is digitalised. 

The DPDP Bill also has extra-territorial application, which applies when the processing of data is undertaken outside India in connection with any profiling of, or activity of offering goods or services to, data principals within India.

Furthermore, the DPDP Bill does not apply to:

  • non-automated processing of personal data;
  • offline personal data;
  • data processed for any personal/domestic purpose; and
  • personal data pertaining to individuals, which has been stored for at least 100 years. 

Key features

The DPDP Bill introduces the following key features.

  • Definition of personal data: The DPDP Bill eliminates the distinction between personal information and sensitive personal information or data, provided under the SPDI Rules. Rather, the DPDP Bill applies to all personal data, ie, data about an individual who can be identified by or in relation to such data. This significantly widens the ambit of personal data and brings within its scope all identifiable information pertaining to individuals, including biometric, medical and financial information. 
  • Consent requirements: The DPDP Bill largely retains the provisions under the SPDI Rules, which provide that informed consent should be procured from data principals for the collection and processing of their sensitive personal information or data. The DPDP Bill imposes a requirement on data fiduciaries –
    1. to provide data principals with an itemised notice, stating the description and purpose of the personal data to be collected and processed (either in physical or electronic form); and
    2. to procure freely given, specific, informed and unambiguous consent from data principals for the processing of their personal data for the purpose specified in the itemised notice.
  • Deemed consent: The DPDP Bill introduces a new concept of deemed consent given by data principals. A data principal is deemed to have provided their consent in the following scenarios, and explicit consent may not be required for the collection and processing of their personal data –
    1. where the data principal voluntarily provides their personal data to the data fiduciary, and it is reasonably expected that they would provide such personal data;
    2. for performance of any law/provision of any service or benefit to the data principal;
    3. for compliance with any judgment or orders under law;
    4. in cases of medical emergency involving threat to life of the data principal;
    5. to provide medical treatment/health services in cases of public health threats, epidemic or outbreak of disease;
    6. to provide assistance to data principals in case of the breakdown of public services;
    7. for purposes related to employment; and
    8. in the public interest, such as in cases of fraud, credit scoring, network and information security, etc. 
  • Review and withdrawal of consent: Data principals have the right to manage, review and withdraw their consent through a “consent manager”. The concept of a consent manager is newly introduced in the DPDP Bill, and the same is intended to be an entity accountable to the data principal and registered with the prescribed government authority. 
  • Rights of data principals: Data principals have been empowered with further additional and comprehensive rights under the DPDP Bill, such as –
    1. the right to obtain a summary of the personal data processed and the identities of all data fiduciaries with whom such data has been shared;
    2. the right to correct or erase their personal data;
    3. the right to grievance redressal; and
    4. the right to nominate a nominee to exercise the data principal’s rights in case of incapacity or death. 
  • Obligations of data fiduciaries: The DPDP Bill imposes obligations on data fiduciaries predominantly in respect of –
    1. safeguarding the personal data collected;
    2. notification requirements in case of data breaches;
    3. restrictions on the storage of personal data when the purpose for such data is no longer served or when retention is not required for legal or business purposes;
    4. appointment of a data protection officer, to respond to queries from data principals; and
    5. establishing a grievance redressal mechanism. 
  • Additional obligations relating to children: The DPDP Bill imposes additional obligations for obtaining parental consent or consent from lawful guardians in relation to the collection and processing of personal data pertaining to children. Furthermore, the data fiduciary is restricted from monitoring children or undertaking any targeted advertising directed at children. 
  • Significant data fiduciary: The DPDP Bill classifies data fiduciaries into regular and significant data fiduciaries. Significant data fiduciaries are entities who are notified as such by the government, on account of factors such as the volume and sensitivity of the personal data processed, risk to the electoral state, and harm to data principals, security of the state, etc. A significant data fiduciary will have additional obligations such as –
    1. appointing an independent data auditor to evaluate its compliance with the DPDP Bill and the IT Act; and
    2. undertaking other measures such as data protection impact assessment and periodic audits, as may be prescribed by the government. 
  • Data transfers outside India: The DPDP Bill does not impose strict data localisation requirements; it permits transfers of personal data outside India to countries notified by the Indian government, subject to such terms and conditions as the government may specify. 
  • Introducing a data protection board: The DPDP Bill provides for an independent Data Protection Board to determine compliance with the DPDP Bill, redress grievances of data principals and impose penalties on data fiduciaries for non-compliance. The composition of the board is yet to be determined by the government. The DPDP Bill further empowers the board, when conducting an inquiry into a data fiduciary's compliance, to summon and enforce the attendance of persons, examine them under oath and inspect any data, book, document, register, books of account or other document. 
  • Stringent financial penalties: The DPDP Bill proposes stringent financial penalties of up to INR2.5 billion in case of non-compliance with the requirements thereunder. 

Potential Impact

“Data is the new oil,” according to Clive Humby, British mathematician and data science entrepreneur.

Across the world, when it comes to privacy and data protection, there is a complex web of players: big tech, start-ups, research and technology, government, and finally the individuals whose data is the subject of interest of all the other players. 

While it is not an entirely zero-sum game, the direction of the regulation pendulum can significantly affect one or more of these players. A rigid and difficult-to-implement consent mechanism with heavy bias towards individual rights may affect start-ups more than a global tech stakeholder with multiple resources. A country with a large start-up ecosystem may have a bias towards more relaxed protection of data, which may be opposed by the citizens and even powerful private market players, who may not wish for other competitors to emerge. It is in this complex web that the Indian government is trying to balance the interests of the players involved. 

The response to the DPDP Bill from the business community and civil society stakeholders has been mixed. Certain features, such as the easing of cross-border data transfers, have been welcomed by global industry players. However, aspects such as the removal of criminal penalties have drawn criticism. Furthermore, the DPDP Bill seeks to amend the Right to Information Act, 2005 so that the personal information of an individual is exempt from disclosure under that act, thereby narrowing its scope and efficacy. 

The DPDP Bill was an opportunity for the Indian legal regime to harmonise the existing legal framework with emerging data applications in various sectors. However, the DPDP Bill does not cater to emerging technologies, such as AI, blockchain, healthcare and fintech innovations, which could create a legal vacuum in relation to the interface of such technologies with emerging applications of data. 

Certain key observations with respect to the potential impact of the DPDP Bill are highlighted below.

  • Application and transition period: The DPDP Bill does not mention implementation timelines or a transition period. This omission may create significant concerns for organisations, which need adequate time to bring their systems and processes into compliance with the DPDP Bill. 
  • Non-applicability to offline data: The DPDP Bill leaves a lacuna in respect of data held offline, as it applies only to digital personal data (personal data collected online, or collected offline and subsequently digitised); purely physical records fall outside it. This is particularly pertinent as Indian legislation does not yet mandate digital rather than physical record-keeping.
  • Itemised notice requirements: The DPDP Bill requires data fiduciaries to give data principals an itemised notice describing the personal data sought and the purpose of processing, but does not clarify whether this requirement is prospective only or also applies to personal data already collected and processed. In the latter case, it may be an onerous compliance burden for businesses. 
  • Deemed consent and parental consent: The concept of deemed consent recognises the need for organisations to process data where it is impracticable or impossible to procure consent, in line with global frameworks that recognise secondary grounds for processing without consent. However, such instances would be better framed as standalone exemptions, to avoid the concept being used unfairly to the disadvantage of data principals. Furthermore, the absence of contractual necessity as a separate ground for processing may lead to a scenario where consent has to be procured repeatedly from data principals, resulting in "consent fatigue". In addition, the DPDP Bill does not prescribe the means and form of procuring parental consent. This may force age verification of data principals at various stages (including on digital platforms) simply to establish whether parental consent is required. The DPDP Bill also assumes that the data fiduciary is identifiable (for the purposes of consent and processing of personal data). This may not be possible in, for example, a permissionless blockchain network, where data handling is decentralised and there is no single identifiable fiduciary. 
  • Significant data fiduciaries: The DPDP Bill does not clarify the role, obligations and requirements of significant data fiduciaries, leaving ambiguity for the large businesses and corporations that may fall within this ambit. 
  • Storage limitation in a new-tech world: The DPDP Bill provides that personal data should not be retained once the purpose for which it was collected is no longer served and retention is no longer necessary for legal or business purposes. Such a limitation poses challenges; for instance, in the case of AI, deleting personal data may significantly impede the development of such technologies. Furthermore, where personal data has been used to train an AI model, deleting the source data does not remove its influence from the trained model, and retraining without it may impede the functioning of the technology. Similarly, erasing personal data that has been written directly to a blockchain would require rewriting every block from the point at which the data was recorded, conflicting with the immutability that blockchain is designed to provide and requiring significant processing. 
  • Cross-border transfers: The DPDP Bill adopts a "white-list approach" to the cross-border transfer of personal data, under which the government is empowered to list the countries to which transfers are permitted. Should the government take a stringent approach to identifying such countries, this may inadvertently result in de facto local storage requirements. 
  • Significant penalties: The DPDP Bill places the duty of compliance on data fiduciaries and introduces significant monetary penalties for non-compliance, which are not linked to, for example, the turnover or revenue of the organisation. In a first, the bill also places duties of compliance on data principals, with a penalty of up to INR10,000 for non-compliance. 
  • Information about data breaches: The DPDP Bill requires personal data breaches to be notified to the Data Protection Board. However, a notification requirement already exists: the CERT-In directions dated 28 April 2022 (No. 20(3)/2022-CERT-In) require cyber incidents, including data breaches, to be reported to CERT-In within six hours of being noticed, so organisations face parallel reporting obligations. Furthermore, the DPDP Bill does not specify any risk-based threshold for notification, and imposes the onerous requirement of reporting breaches in a manner that does not itself compromise or threaten the security of the personal data collected or processed. 
  • Data portability: The bill does not provide for data portability, which would have enabled data principals to obtain their data from data fiduciaries for their own use, or to migrate it to another data fiduciary.
  • Purpose limitation: The DPDP Bill requires that personal data be used and processed only for the purposes specified in the notice and for which consent was procured from the data principal. However, such purpose limitation may restrict emerging technologies such as AI. In addition, the purposes for which data was collected may change over time, and not every purpose that later emerges can practicably be foreseen at the time of collection. Data fiduciaries may therefore resort to specifying generic purposes, which may lead to uncertainty and creative interpretations. 
  • Data protection impact assessment: The DPDP Bill obliges significant data fiduciaries (explained above) to undertake measures such as data protection impact assessments in furtherance of its legislative objectives. A data protection impact assessment is a preventive review of processing operations, undertaken to identify potentially high-risk consequences and to adopt remedial measures that minimise those risks. However, the DPDP Bill neither defines such risks nor gives instances of them, which could have served as a cornerstone for significant data fiduciaries undertaking such assessments. Furthermore, rapidly developing technologies involve untested applications that may pose a risk to the rights, freedoms and activities of natural persons, and the risk is greater where large volumes of sensitive data are processed. The development and operation of any such technology may therefore trigger the onerous requirement for regular assessments by significant data fiduciaries.
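
To make the storage-limitation point for blockchain concrete, the following added example (not part of this chapter, and not code from any real blockchain platform) builds a minimal hash-linked chain in Python. It shows that erasing a field written directly into a block invalidates every subsequent block, so the chain has to be rewritten from that point onward, and contrasts this with the common design in which only a salted hash commitment is recorded on-chain while the personal data itself is held in an off-chain store from which it can be erased without disturbing the chain. The record contents, the genesis value and the function names are constructed for illustration.

```python
import hashlib
import json
import os
from typing import Dict, List, Optional

GENESIS = "0" * 64  # constructed genesis link; a real chain has its own convention


def _block_hash(index: int, prev_hash: str, payload: Dict) -> str:
    """SHA-256 over the index, the previous block's hash and the canonical JSON payload."""
    material = json.dumps({"i": index, "prev": prev_hash, "data": payload},
                          sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(material).hexdigest()


def build_chain(payloads: List[Dict]) -> List[Dict]:
    """Append each payload as a block whose hash covers the previous block's hash."""
    chain, prev = [], GENESIS
    for i, payload in enumerate(payloads):
        h = _block_hash(i, prev, payload)
        chain.append({"index": i, "prev_hash": prev, "data": payload, "hash": h})
        prev = h
    return chain


def first_broken_block(chain: List[Dict]) -> Optional[int]:
    """Index of the first block whose stored hash or back-link is wrong; None if the chain verifies."""
    prev = GENESIS
    for b in chain:
        if b["prev_hash"] != prev or _block_hash(b["index"], b["prev_hash"], b["data"]) != b["hash"]:
            return b["index"]
        prev = b["hash"]
    return None


def rewrite_from(chain: List[Dict], start: int) -> int:
    """Recompute every hash from `start` onwards after an edit; returns how many blocks changed."""
    prev = chain[start - 1]["hash"] if start > 0 else GENESIS
    for b in chain[start:]:
        b["prev_hash"] = prev
        b["hash"] = _block_hash(b["index"], b["prev_hash"], b["data"])
        prev = b["hash"]
    return len(chain) - start


def commit(personal_data: str, salt: bytes) -> str:
    """Salted SHA-256 commitment: the chain stores this, the personal data stays off-chain."""
    return hashlib.sha256(salt + personal_data.encode()).hexdigest()


def demo_on_chain_erasure() -> Dict:
    """Personal data written directly into blocks: erasing it breaks every later block."""
    # Constructed sample records (hypothetical people and amounts)
    chain = build_chain([
        {"event": "signup", "email": "asha@example.test"},
        {"event": "order", "email": "asha@example.test", "amount": 1200},
        {"event": "order", "email": "ravi@example.test", "amount": 300},
        {"event": "ticket", "email": "asha@example.test"},
    ])
    assert first_broken_block(chain) is None
    chain[1]["data"]["email"] = "[erased]"      # honour an erasure request for block 1
    broken_at = first_broken_block(chain)       # block 1's stored hash no longer matches its data
    rewritten = rewrite_from(chain, broken_at)  # blocks 1..3 all have to be rewritten
    return {"broken_at": broken_at, "rewritten": rewritten,
            "verifies_after": first_broken_block(chain) is None}


def demo_off_chain_erasure() -> Dict:
    """Only commitments go on-chain; the personal data lives in an erasable off-chain store."""
    store = {}  # off-chain store: record_id -> (salt, personal data); salt is deleted with the data
    payloads = []
    for rid, email in [("r1", "asha@example.test"), ("r2", "ravi@example.test")]:
        salt = os.urandom(16)
        store[rid] = (salt, email)
        payloads.append({"record_id": rid, "commitment": commit(email, salt)})
    chain = build_chain(payloads)
    salt, email = store["r1"]
    bound_before = commit(email, salt) == chain[0]["data"]["commitment"]  # commitment opens
    del store["r1"]  # erasure request: delete the off-chain copy and its salt; chain untouched
    return {"bound_before": bound_before,
            "chain_intact": first_broken_block(chain) is None,
            "data_recoverable": "r1" in store}


if __name__ == "__main__":
    print(demo_on_chain_erasure())   # erasing block 1 forces 3 blocks to be rewritten
    print(demo_off_chain_erasure())  # chain still verifies, personal data gone
```

Two caveats follow from the example. On a distributed ledger, rewriting from the broken block is not merely a local recomputation: every node would have to accept the rewritten history, which is precisely what the consensus design exists to prevent. And a bare hash of low-entropy personal data such as an e-mail address is not anonymous, since it can be brute-forced from a list of candidates; that is why the example stores a random salt beside the data and deletes both together, after which the on-chain commitment can no longer be opened.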

Interplay Between Regulations

The DPDP Bill provides that the provisions in the bill are in addition to, and not in derogation of, any other laws in force in India. The explanatory note issued by the Ministry of Electronics and Information Technology states the intent for the bill to apply horizontally across sectors, while allowing sector-specific legislation. However, the DPDP Bill has an overriding effect where there is any conflict with such laws. In the following examples, the need to harmonise the provisions contained in the DPDP Bill with existing sector-specific regulations becomes pertinent.

  • Cross-border data transfers: Under the Reserve Bank of India's (RBI's) Directive RBI/2017-18/153 dated 6 April 2018, issued under the Payment and Settlement Systems Act, 2007, payment system operators are required to store payment system data only in India. The RBI's Guidelines on Digital Lending (for banks and non-banking financial companies) and Guidelines on Regulation of Payment Aggregators and Payment Gateways likewise require data to be stored on servers located in India. In addition, all insurers are required to maintain records of policies issued and claims made in data centres located in India. Such sector-specific restrictions potentially conflict with the DPDP Bill's white-list approach and may create additional ambiguity for stakeholders. 
  • Data retention: The DPDP Bill allows data fiduciaries to retain data for as long as it is required for business purposes. However, other statutes prescribe differing retention periods. For example, the Prevention of Money Laundering Act, 2002 requires transaction records to be maintained for at least five years. 
  • Consent requirements: Sector-specific regulations require explicit consent from data principals. For example, the Digital Lending Guidelines and the Peer-to-Peer Lending Platform (Reserve Bank) Directions, 2017 issued by the RBI require explicit consent from borrowers and participants respectively. Similarly, medical-sector frameworks such as the Electronic Health Record Standards for India 2016 require patients' consent before their information may be accessed or disclosed by those who collect it. In view of these requirements, the concept of deemed consent may not be workable in such sectors.

Conclusion

The DPDP Bill aims to offer a new data protection regime in India, providing greater flexibility and ease of doing business for data fiduciaries while attempting to provide suitable safeguards for the personal data collected from data principals. However, the DPDP Bill in its current form may not fully address next-generation technologies, such as AI, blockchain, web 3.0, NFTs and the metaverse, which are already knocking on our doors, while the current legal regime in India is still grappling with existing challenges rather than gearing up to address the technology of tomorrow. For instance, AI is founded on its underlying dataset. Current AI models are a black box as far as their internal processes are concerned, and while ingested data cannot, in general, be straightforwardly recovered from a trained model, extraction of memorised training data has been demonstrated against some models, so this is a potential time bomb waiting to explode. Similarly, while blockchain is open, distributed and immutable, it is hitting the roadblocks of privacy and law enforcement (eg, in the context of ransomware attacks), leading to calls for anonymisation on the one hand and KYC on the other. All such technologies are waiting around the corner but may not be addressed in the current iteration of the DPDP Bill. 

Such legal uncertainties may result in evasion and circumvention of legislative requirements, defeating the legislative intent of the DPDP Bill and increasing risks to data protection and the privacy of individuals, failures of enforcement and a gradual decline in compliance. The government therefore needs to build on the DPDP Bill by issuing rules and the relevant notifications, in order to resolve these ambiguities and harmonise existing laws with the proposed legal framework.

Tatva Legal, Hyderabad

Tatva House, Plot No 107A
Road No 72, Jubilee Hills
Hyderabad – 500 110
Telangana
India

+91 40 23581000 – 04

+91 40 23581005

tlh@tatvalegal.com www.tlegal.com