Data Protection Bill, 2021: The Road Ahead


April 8, 2022


India is expanding as a digital economy and requires a powerful data protection law to safeguard the privacy of the stakeholders of the evolving economy.

The Supreme Court, in the well-known case of Justice K.S. Puttaswamy v Union of India [1], passed a unanimous verdict affirming that the Right to Privacy is a fundamental right guaranteed by the Constitution of India. The Hon’ble Court further recommended that the Central Government draft a concrete data protection law for the country, one which fosters the interests of individuals and the state while promoting an environment of technological innovation and entrepreneurship. The Court reasoned that, with no effective data protection law in place, it is hard to establish what rights citizens actually have, rendering the fundamental right to privacy practically useless. A data protection legislation will offer a legal foundation for citizens’ entitlements, as it will help outline the scope of the fundamental right to privacy as well as what data fiduciaries, who gather personal data, may and may not do with it.


The Joint Parliamentary Committee (JPC) recommended the following revisions to the PDPB, 2019: a) Timelines for implementation (Clause 1): Clause 1 of the 2019 Bill set no timeline for bringing its provisions into force. The revised Bill states that “approximately 24 months may be provided for implementation” of any and all provisions of the Act, so that “data fiduciaries and data processors have enough time to make the necessary changes to their policies; infrastructure; processes, etc.” Under this timeline, the Data Protection Authority (DPA) should begin its work within six months, data fiduciaries should be registered within nine months, and the appellate tribunal should begin its work within 12 months from the date of notification. [3]

SCOPE (Clause 2):

The scope of the Personal Data Protection Bill has been expanded to cover both personal and non-personal data. For this reason the Bill’s title has been changed from “Personal Data Protection Bill” to “Data Protection Bill”. As stated by the committee, “it is impossible to discern between personal data and non-personal data, when mass data is acquired or conveyed,” which is why a single regulator is expected to govern both types of data. [4]

Several key terms have been defined, consolidated or revised, including “consent manager,” “data auditor,” “data breach,” “data fiduciary,” “data processor,” “data protection officer,” “harm” and “non-personal data.”

f) User rights (Clauses 17, 18, 19, 20, 23 and 64): In case of casualty or death, the data principal will now be able to nominate a legal heir or representative to decide how his or her data will be handled. Porting of data can only be denied on the ground of technical infeasibility, and not on the ground of trade secrets. Data fiduciaries are obligated to ensure the transparency and fairness of the algorithms used to process personal data. Other rights include the right to correct, complete, erase and update personal data; the right to be forgotten (which can only be exercised by filing an application with the DPA); and the right to be compensated in case of any breach by the data fiduciary.

j) Exemptions from the regulation (Clause 35): Under this clause, any agency of the government can be exempted from all or some of the provisions of the Bill. This clause drew the most opposition from members of the committee. To address this dissent, the present Bill requires that any such exemption be granted through a “just, fair, reasonable and proportionate procedure”.

l) Composition of the DPA (Clause 42): The committee considered it important that the DPA’s composition be inclusive, robust and independent, with members drawn from the legal, technical and academic disciplines as well as secretary-level officials, capped at six. Data protection, IT, data management, data science and security services will each be represented by a government-appointed expert. The Attorney General of India must be a member of the DPA, and one director from an Indian Institute of Management and one from an Indian Institute of Technology must also be appointed to it. [8]

m) Testing and certification of hardware devices (Clause 49): Since the PDPB provided no coverage for the hardware devices involved in collecting and processing personal data, the committee recommended that the government establish dedicated testing labs or facilities, along with mechanisms for the formal certification of the integrity, reliability and security of digital and IoT devices. Personal data security standards should be established so that individuals may have their devices certified by the DPA and take action against manufacturers whose devices do not satisfy these criteria. [9]

n) Data localization: It is proposed that the government, in conjunction with the relevant sectoral regulators, frame and announce a comprehensive policy on data localization, to be published in a time-bound manner.

o) Privacy-centric alternative financial payment system: An indigenous alternative to the Society for Worldwide Interbank Financial Telecommunication (SWIFT) system should be introduced in order to boost the digital economy and domestic usage, and to ensure privacy in financial transactions. Customers’ fear of financial fraud should be reduced in order to increase the use of digital payment methods by consumers.


The recommendations of the Joint Parliamentary Committee have resulted in positive growth of the data protection regime in the country; however, just as a coin has two sides, the Bill is not devoid of problems. One of the major grey areas in the Bill is its creation of two parallel universes: one for the private sector, where it would be applied strictly, and one for the public sector, where it is filled with exemptions and escape clauses. A fundamental right is primarily enforceable against the state; therefore, a statute that purports to grant blanket exemptions to the state and its instrumentalities, whether in perpetuity or even for a short term, can be considered ultra vires the fundamental right to privacy. According to experts, these broad exemptions would make it more difficult for India’s data protection regime to obtain an adequacy decision under the GDPR, impeding the government’s efforts to make it compatible with other regimes. [10]

Further, Indian laws are infamous for punishing business houses and their executives criminally, whereas the rest of the world relies on contractual damages or civil penalties. The recommendations suggest criminal penalties for violations under the Bill. In a society where police officers routinely violate fundamental investigative standards, it is believed that this approach once again sets the stage for the persecution of young digital-company entrepreneurs. [11] Though not translated into amendments in the Bill, the Joint Parliamentary Committee’s recommendation that social media platforms which do not act as intermediaries be treated as publishers is a major concern for companies. Under that recommendation, such publishers would be held liable for the information they host.

Currently, social media companies that primarily facilitate online contact between users are regulated as “social media intermediaries” under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, framed under the Information Technology Act 2000. The use of the word “intermediaries” is significant because, under the IT Act, such businesses are not liable for user-generated content if they satisfy certain conditions laid down in the legislation. The Joint Parliamentary Committee’s report has proposed replacing the word “intermediaries” with “platforms”, implying that such firms might be treated as publishers and held accountable for the information they host. However, substantive recommendations on the accountability of social media platforms are out of place in a data protection legislation whose principal objective is to protect the rights of individuals over their data. A more suitable way to address concerns over the liability of social media companies would have been to contribute to the ongoing discussions on revising the IT Act. Further, if the report’s proposal to treat social media companies as “platforms” rather than “intermediaries” is retained, it might lead to conflicting interpretations of their liability under the IT Act. [12]

The Joint Parliamentary Committee’s report has been submitted to both chambers of Parliament, although reports currently indicate that the Bill may not be introduced until Parliament’s next session, which generally takes place in February-March. It is possible that the Bill will undergo further amendments as a result of debates in Parliament. Under the Bill, data fiduciaries and processors are required by law to adhere to a variety of rules and regulations; additional compliance requirements, however, are left to the DPA. Therefore, the true essence of the Bill will be understood only when the DPA is constituted and its rules are published.


There are similarities and differences between the recommendations of the Joint Parliamentary Committee on the Personal Data Protection Bill (now the Data Protection Bill, 2021) and global standards such as the European Union’s General Data Protection Regulation (GDPR). The following similarities can be identified between the two regulations: [13]

Consent
GDPR: Users must be able to opt in or out of data processing on the basis of informed consent, and a fair and transparent approach to data processing and privacy protection must be maintained at all times.
Data Protection Bill, 2021: Consent is the primary ground for processing data; however, in certain specified situations data may be processed without consent.

Data fiduciary
GDPR: Any public authority, natural or legal person, agency or body that determines the purpose and means of data processing is a data controller (the GDPR’s equivalent of a data fiduciary).
Data Protection Bill, 2021: Data fiduciaries are defined in a manner similar to the GDPR’s controllers. Further, even NGOs which process data are considered data fiduciaries.

Breach
GDPR: A breach must be reported to the supervisory authority within 72 hours of the controller becoming aware of it, and, where it is likely to result in a high risk to the individuals concerned, those individuals must also be notified so that they can take appropriate steps to protect their information.
Data Protection Bill, 2021: The DPA must be informed of all breaches within 72 hours of occurrence, after which the DPA decides whether users need to be informed of the breach and what steps are to be taken.

Transition period
GDPR: Two years.
Data Protection Bill, 2021: Two years.

Differences between the GDPR and the Data Protection Bill, 2021 are as follows: [14]

Punishment
GDPR: An offender can be fined up to 20 million euros or, in the case of an undertaking, up to 4% of its total worldwide turnover of the preceding financial year, whichever is higher. The GDPR does not provide for imprisonment as a form of punishment.
Data Protection Bill, 2021: An offender can be punished with imprisonment of up to 3 years, or a fine of Rs 2 lakh, or both.


The Data Protection Bill is a long-awaited and much-needed piece of legislation that would replace India’s present antiquated and inadequate data protection regulations. In comparison with the present regulations, it will safeguard individuals’ privacy rights and encourage the fair and transparent use of data for innovation and growth, thereby unlocking the digital economy. It has the potential to generate jobs, raise users’ awareness of their privacy, and hold data fiduciaries and processors accountable. Though the EU General Data Protection Regulation served as a model, India has ultimately developed its own approach to data protection with several unique provisions: bringing personal and non-personal data under one umbrella, data localization, coverage of hardware devices, and the regulation of social media platforms. Though it still has some gaps, when fully implemented it would bring India’s data protection regulations on par with those of other developed countries. Businesses would do well to begin planning for compliance with the various rules now. Compliance with data privacy requirements can be challenging in today’s age of information explosion, but it need not be if organisations are proactive and plan ahead of the enforcement date. Businesses in India must have a comprehensive privacy and compliance plan, and those that do will reap substantial rewards. The time is right for organisations that have not yet begun, or are only beginning, their compliance journeys, as data privacy will play a critical role in the coming years. By implementing a tiered, comprehensive data security strategy, organisations may confidently embrace the DPB and, once compliant, treat it as a competitive advantage.


[1] K.S. Puttaswamy v Union of India, (2017) 10 SCC 1.
[2] Smitha Krishna Prasad, Data Bill: Safe from prying Govt, DECCAN HERALD (Mar 23, 2022).
[3] Summary and Primer on Joint Parliamentary Committee Report and Data Protection Bill, 2021, DSCI (Mar 23, 2022), Report-and-Data-Protection-Bill-2021.pdf.
[4] Key Takeaways: The JPC Report and the Data Protection Bill, 2021, INTERNET FREEDOM FOUNDATION (Mar 23, 2022).
[5] Mathew Chacko, Aadya Misra, A Guide to the Data Protection Bill, 2021, LEGAL500 (Mar 23, 2022).
[6] Id.
[7] Supra note 5.
[8] Supra note 5.
[9] Supra note 3.
[10] Adnan Ahmad Ansari, India’s Data Protection Bill: the long wait continues, ATLANTIC COUNCIL (Mar 25, 2022).
[11] Waiting for the Data Protection Bill, FINANCIAL EXPRESS (Mar 24, 2022).
[12] Aditi Chaturvedi, Shweta Venkatesan, JPC report on Data Protection Bill has loopholes & more bad news for social media companies, THE PRINT (Mar 25, 2022).
[13] Aashish Aryan, Explained: How India’s Data Protection Bill compares with EU regulation, THE INDIAN EXPRESS (Mar 24, 2022).
[14] Id.

Author: Aishwarya Sinha, Associate.

Disclaimer: The content of this article is intended to provide a general guide to the subject matter and shall not be treated as legal advice. For any queries, the author can be reached at 
