Home     Articles      DATA PROTECTION BILL, 2021: THE ROAD AHEAD


April 8, 2022


India is expanding as a digital economy and requires a powerful data protection law to safeguard the
privacy of the stakeholders of the evolving economy.

The Supreme Court in the famous case of Justice K.S. Puttaswamy v Union of India [1] passed a
unanimous verdict affirming that Right to Privacy is a fundamental right guaranteed by the
Constitution of India. The Hon’ble Court further recommended the Central Government to draft a
concrete data protection law for the country which fosters the interests of individuals and the state
while promoting an environment of technological innovation and entrepreneurship in the country. The
Court believed that that as there is no effective data protection law in place, it is hard to establish what
rights citizens have, rendering the basic right to privacy practically useless. A data protection
legislation will offer a legal foundation to the citizens’ entitlement as it will help outlining the scope
of the basic right to privacy as well as what data fiduciaries, who gather personal data, may and
cannot do with it.

This led to the formation of an expert committee headed by Justice B.N Srikrishna for the purpose of
drafting a Personal Data Protection Bill. The bill was to be drafted keeping in mind the aim to “ensure
growth of the digital economy while keeping personal data of citizens secure and protected”. [2]

The committee released the first draft of the data protection bill in 2018. Subsequently, Personal Data
Protection Bill, 2019 (the “PDPB”), a revised version of the draft, was introduced in India’s
Parliament in late 2019. Confusion surrounded the PDPB, particularly in regards to the exemptions
granted to government organisations, the management of anonymized data, the necessity of data
localization, and the regulation of cross-border data transfers. The proposed law was sent to a Joint
Parliamentary Committee, which included members of both Houses of Parliament, for a more
thorough assessment.

It was on December 16th, 2021, that the “Report of the Joint Committee on the Personal Data
Protection Bill, 2019″ was ultimately delivered to the Parliament. The Committee’s overall
suggestions for the PDPB are included, as is an updated draft of the PDPB. Newly renamed “The Data
Protection Bill, 2021,” this revised draft law carries on its predecessor’s mission to safeguard citizens’
digital privacy and build confidence between those processing their data and the people who are
collecting it, while also going a step further.

The committee observed the following revisions to the PDPB, 2019:

a) Timelines for implementation (Clause 1): As stated in Clause 1 of the 2019 bill, execution of its
provisions was not limited in any way. When it comes to implementing any and all of the
provisions of the Act, the revised bill states that “approximately 24 months may be provided for implementation” so that “data fiduciaries and data processors have enough time to make the
necessary changes to their policies; infrastructure; processes, etc.” Data protection authorities
should begin their work within six months, data fiduciaries should be registered by nine months,
and the appellate tribunal should begin its work within 12 months from the date of notice,
according to this guideline. [3]

b) Scope (Clause 2): The scope of the Personal Data Protection Bill has been expanded to include
both personal and non-personal data. Due to this the bill’s title has been changed to “Data
Protection Bill (Bill)” from “Personal Data Protection Bill.” As stated by the committee, “it is
impossible to discern between personal data and non-personal data, when mass data is acquired
or conveyed,” because of which only a single regulator is anticipated to govern both types of data. [4]

c) Definitions (Clause 3): Several key terms have been defined, consolidated or revised, including
“consent manager,” “data auditor,” “data breach,” “data fiduciary,” “data processor,” “data
protection officer,” “harm” and “non-personal data.

d) Processing of personal data without consent (Clauses 13 and 14): The processing of non-
sensitive personal data for the purposes of employment now includes scenarios where “such
processing is necessary or can reasonably be expected by the data principal.” Personal data can be
processed provided “the processing is necessary for reasonable purposes as may be established by
legislation,” which balances the interests of both the data principal and the data fiduciary. [5]

e) Processing of personal data of children (Clause 16): Those Data fiduciaries who exclusively
deal with the data of children are expected to register themselves with the Data Protection
Authority (DPA). Data fiduciaries have an obligation to inform a child three months prior to the
majority age he/she attains in order to provide consent again. They must continue to provide
services to the child until he/she withdraws his/her consent. Earlier personal data of children was
processed keeping in mind their best interest; however, the new recommendation places the rights
of the child on a pedestal.

f) User rights (Clauses 17, 18, 19, 20, 23 and 64): In case of casualty or death, the data principal
will now to able to nominate a legal heir or representative to decide how his/her data will be
handled. Porting of data can only be denied on the grounds of technical feasibility and not on
grounds of trade secrets. Data fiduciaries are obligated to ensure transparency and fairness of
algorithms with regard to methods of processing personal data. Other rights include the Right to
correct, complete, erase and update Personal Data; Right to be forgotten (which can only be
exercised by filing an application with the DPA) and the Right to be compensated in case of any
breach by the data fiduciary. [6]

g) Breach reporting (Clause 25): A data breach today encompasses breach of both personal and
non-personal data. The breach reporting standards are tougher and more specific. The form of
notice will now be established by regulations rather than constraining the scope of the form within
the bill itself. Most significantly, the time for reporting has been explicitly specified as within 72
hours of being aware of a breach. A provision has been included where the DPA can instruct the
data fiduciary to implement any immediate measures to repair such a breach or limit any harm
caused to the data principal.

h) Data protection officer (Clause 30):  It has been clarified who can be a data protection officer
(DPO). He/she should be a senior-level officer of the state or a key management of the
corporation to as the DPO in both the public and private sectors.

i) Transfer of sensitive and critical personal data (Clause 34): The standards for such transfers
have been further clarified. Now, the DPA should confer with the government before authorising
a contract or intragroup plan that permits cross-border data transmission. In cases when the
contract or intragroup plan in question violates public or state policy, it should not be accepted.
Such data should not be given to any foreign government or agency unless it has been authorised
by the government. [7]

j) Exemptions from the regulation (Clause 35): As per this clause, any agency of the government
can be exempt from all or some of the provisions of the bill. This clause raised maximum
opposition from the members of the committee. To resolve this dissent, the present bill states that
the procedure for such exemption to be applied has to be “just, fair, reasonable and proportionate

k) Sandbox environment (Clause 40): The government may establish up sandbox settings for live
testing of innovative goods, technology, and services to stimulate startup and innovation culture with privacy by design (this was earlier a mandatory obligation). Small and new enterprises
would benefit from this by being able to comply with data protection regulations.

l) Composition of the DPA (Clause 42): It’s important that the DPA’s composition be inclusive,
robust, and independent, with members from the legal, technical, and academic disciplines, as
well as secretary-level officials, capped at six. Data protection, IT, data management, data
science, and security services will each be represented by a government-appointed expert. The
attorney general of India must be a member of the DPA. One director from Indian Institute of
Management and one from Indian Institute of Technology must also be appointed to the DPA. [8]

m) Testing and certification of hardware devices (Clause 49): Dedicated testing labs or facilities
and mechanisms to provide formal certification of integrity, reliability, and security for digital and
IoT devices should be established by government, as there is no coverage for hardware devices
involved in personal data collection and processing in the PDPB (Clause 49). Personal data
security standards should be established so that individuals may have their devices certified by the
DPA and take action against their manufacturers if their devices do not satisfy these criteria. [9]

n) Data localization: In conjunction with relevant sectors regulators, it is proposed that the
government create and announce a comprehensive policy on data localization, which must be
presented to India in a time-bound way

0) Privacy-centric alternative financial payment system: An alternative indigenous financial
system to the society for Worldwide Interbank Financial Telecommunication system should be to
introduced in order to boost digital economy and usage in domestic space and also to ensure
privacy in financial transaction. Customers’ fear of financial fraud should be reduced in order to
increase the use of digital payment methods by consumers.


The recommendations of Joint Parliamentary Committee has resulted in positive growth of the data
protection regime in the country, however, just as a coin has two sides, the Bill is not devoid of its

One of the major grey areas in the Bill is with respect to the creation of two parallel universes by the
Bill- one for the private sector, where it would be applied strictly, and one for the public sector, where
it is filled with exemptions and escape clauses. A Fundamental Right is primarily enforceable against
the state, therefore, a statute that purports to grant blanket exemptions to the ‘state’ and its
instrumentalities in perpetuity or even for a short term can be considered ultra vires to the
Fundamental Right to Privacy. According to experts, these broad exemptions would make it more
difficult for India’s data protection regime to achieve sufficient status under the GDPR, impeding the
government’s efforts to make it compatible with other regimes. [10]

Further, Indian laws are infamous for punishing business houses and their executives criminally,
whereas the rest of the world employs contractual damages or penalties. The recommendations
suggest criminal penalties for legal violations under the Bill. In a society where police officers
routinely violate fundamental investigative standards, it is believed that this approach is once again
setting the way for persecution of young digital-company entrepreneurs. [11]

Though not translated into amendments in the Bill, the recommendations of the Joint Parliamentary
Committee with regard to those social media platforms that don’t act as intermediaries, being treated
as publishers is a major concern for companies. As per the Bill such publishers shall be held liable for
the information they host. Currently, social media companies that primarily facilitate online contact
between users are controlled as “social media intermediaries” by the Information Technology
(Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, which have been formulated
under the Information Technology Act 2000. The usage of the phrase “intermediaries” is essential
because, under the IT Act, such businesses are not responsible for user-generated material if they
satisfy certain standards under the legislation. The Joint Parliamentary Committee’s report has
proposed to swap the word “intermediaries” with “platforms”, to imply that such firms might be
viewed as publishers and be accountable for the information they host. However, considerable
suggestions on the accountability of social media platforms are out of place in a data protection legislation, whose principal objective is to defend the rights of persons over their data. A more
suitable method to address concerns over the liability of social media companies may have been to
contribute to ongoing talks over revising the IT Act. Further, if the report’s proposal to regard social
media companies as “platforms” rather than “intermediaries” is kept, it might lead to a disagreement
in the interpretation of their liability under the IT Act. [12]

Joint Parliamentary Committee ‘s report has been submitted to both chambers of Parliament, although
reports currently indicate that the Bill may not be introduced until Parliament’s next session, which
generally occurs in February-March. It is possible that the Bill would undergo more amendments as a
result of debates in Parliament. According to the Bill, data fiduciaries and processors are required by
law to adhere to a variety of rules and regulations. Additional requirements for compliance, however,
are still up to the DPA. Therefore, the true essence of the Bill will be understood only when the DPA
is constituted and its rules are published.


There are similarities and differences that can be identified between the recommendations by the Joint
Parliamentary Committee on the Personal Data Protection Bill (Data Privacy Bill 2021) and global
standards such as European Union’s General Data Protection Regulation (GDPR)

The following similarities can be identified between the two regulations: [13]

Consent Users must be able to opt in or out of data processing based on their informed consent.A fair and transparent approach to data processing, as well as privacy protection, must be maintained at all times. Consent is the primary ground for processing data, however, in certain mentioned situations data can be possessed without consent.  
Data Fiduciary Any public authority, natural/legal person, agency/body that determine the purpose and means of data processing can be a data fiduciary.Data fiduciaries are defined in the similar manner to that of GDPR. Further, even NGOs which process data are considered as data fiduciaries. 
BreachA breach must be reported within 72 hours of its occurrence, so that the users of such data can take appropriate steps to protect the information. The Data Protection Authority must be informed of all breaches within 72 hours of occurrence, post which DPA decides whether users need to be informed of such breach and subsequently what steps are to be taken.
Transition period Two years Two years 

Differences between GDPR and the Data Privacy Bill 2021 are as follows: [14]

Punishment Under this Act, an offender is charged fines up to 20 million euros, or in the case of an undertaking, up to 4 % of their total global turnover of the preceding fiscal year. The act does not provide for imprisonment as a form of punishment. Under this Bill, an offender can be charged for imprisonment up to 3 years or a fine of Rs 2 lakh or both.


The Data Protection Bill is a long-awaited and desperately needed piece of legislation that would
replace India’s present antiquated, obsolete, and inadequate data protection regulations.   In
comparison to present regulations, it will assist, safeguard individuals’ privacy rights and encourage
the equitable and transparent use of data for innovation and growth, therefore unleashing the digital
economy. It has the potential to generate jobs, raise user knowledge about their privacy, and hold data
fiduciaries and processors accountable.

Though the EU General Data Protection Regulation served as a model, India ultimately developed its
own approach to data protection with several unique provisions: combining personal and non-personal
data under one umbrella, data localization, coverage of hardware devices, and management of social
media platforms. Though it still has some gaps, when fully implemented, it would bring India’s data
protection regulations up to level with those of other developed countries. Businesses would be well
to begin planning for compliance with the different rules.

Compliance with data privacy requirements can be challenging in today’s age of information
explosion. However, this does not have to be the case if organisations are proactive and plan ahead of
the enforcement date. Businesses in India must have a comprehensive privacy and compliance plan,
and those who do so will reap enormous rewards. The time is right for organisations that have not yet
begun or are just beginning their compliance journeys, as data privacy will play a critical role in the
coming years. By implementing a tiered, comprehensive data security strategy, organisations may
confidently embrace the DPB and, once compliant, can consider it as a competitive advantage.


[1] K.S. Puttaswamy v Union of India, (2017) 10 SCC 1.
[2] Smitha Krishna Prasad, Data Bill: Safe from prying Govt,DECCAN HERALD (Mar 23, 2022),
[3] Summary and Primer on Joint Parliamentary Committee Report and Data Protection Bill, 2021, DSCI, (Mar 23, 2022) Report-and-Data-Protection-Bill-2021.pdf.
[4] Key Takeaways: The JPC Report and the Data Protection Bill, 2021, INTERNET FREEDOM FOUNDATION (Mar 23, 2022)
[5] Mathew Chacko, Aadya Misra, A Guide to the Data Protection Bill, 2021, LEGAL500 (Mar 23, 2022),
[6] Id.
[7] supra note 5.
[8] supra note 5.
[9] supra note 3.
[10] Adnan Ahmad Ansari, India’s Data Protection Bill- the long wait continues, ATLANTIC COUNCIL (Mar 25, 2022)
[11] Waiting for the Data Protection Bill, FINANCIAL EXPRESS (Mar 24, 2022)
[12] Aditi Chaturvedi, Shweta Venkatesan, JPC report on Data Protection Bill has loopholes & more bad news for social media companies, THE PRINT (Mar 25, 2022)
[13] Aashish Aryan, Explained: How India’s Data Protection Bill compares with EU regulation, THE INDIAN
EXPRESS (Mar 24, 2022),
[14] Id.

Author: Aishwarya Sinha, Associate.

Disclaimer: The content of this article is intended to provide a general guide to the subject matter and that the same shall not be treated as legal advice. For any queries, the author can be reached at 

Join Our List To Stay In Touch

Leave your email id to receive regular updates on
corporate law changes that have impact on businesses.