India is the second-largest internet market in the world, with more than 760 million active internet users. While the Supreme Court of India recognized the right to privacy in a 2017 verdict, India has not yet passed a comprehensive data protection bill. The current iteration, India’s Digital Personal Data Protection Bill 2022, is expected to be tabled during the Monsoon Session of Parliament in July 2023.
This article provides an overview of India’s Personal Data Protection Bill, the evolution of data privacy laws in India, and the rights, responsibilities, and obligations set forth in the proposed bill.
India’s Digital Personal Data Protection Bill 2022 is the latest attempt to create a comprehensive data privacy law. The Bill is part of a group of legislative measures including the National IT Governance Framework Policy and a new Digital India Act.
According to the draft legislation, the aim of PDPB 2022 “is to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto.”
A Brief History of India’s Privacy and Personal Data Protection Laws
Prior to 2022, India did not have a comprehensive privacy law. In 2017, the Supreme Court of India recognized the right to privacy as a constitutionally protected right in the Puttaswamy judgement, also known as the Right to Privacy verdict. The court also noted India’s lack of a comprehensive privacy law and the limitations of the existing Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules or SPDI Rules, implemented in 2011.
Following the Right to Privacy verdict, the government of India developed draft legislation designed to protect the privacy of Indians. Earlier versions of the Personal Data Protection Bill received significant scrutiny and were ultimately unsuccessful, including the Data Protection Bill 2021, which bore some similarities to the European Union’s General Data Protection Regulation (GDPR). It was withdrawn in August 2022.
On November 18, 2022, the Ministry of Electronics and Information Technology proposed the Digital Personal Data Protection Bill 2022, which would replace some parts of existing law (Section 43A of the IT Act) and the SPDI Rules if passed.
Scope of India’s Digital Personal Data Protection Bill
India’s PDPB 2022 applies to digital personal data processed in the territory of India and excludes offline personal data and any personal data that is not digitized.
The PDPB 2022, like the GDPR and similar data privacy laws, also applies to any entity that processes personal data outside the territory of India that relates to any data principal within the territory of India.
The Data Protection Board of India
The PDPB 2022 would create the Data Protection Board of India (DPB), which will be the first regulatory body in India focused on protecting personal data privacy. Like similar regulatory bodies, the DPB will oversee compliance and impose penalties on noncompliant organizations.
Rights of Data Principals
India’s Digital Personal Data Protection Bill 2022 establishes numerous rights of citizens, known as Data Principals in the Bill. These include:
- Right to information: This gives data principals the right to information about the processing of their personal data and a summary of their personal data that has been or is being processed.
- Right to withdraw consent: Data principals have the right to withdraw consent should they decide they don’t wish their data to be processed. Principals also have the right to request details about third parties their data has been shared with and what types of data have been shared. Note that this right is available to data principals only when data is being processed based on their prior consent.
- Right to correction and erasure: Data principals have the right to correct inaccuracies in their personal data and the right to request erasure of their personal data.
- Right of grievance redressal: This gives data principals the right to register a grievance with the data fiduciary. Should the fiduciary not respond or provide an unsatisfactory response, data principals have the right to escalate a grievance to the Data Protection Board.
- Right to nominate: This gives data principals the right to nominate another individual to exercise their rights on their behalf in the event of death or incapacity.
Responsibilities of Data Principals and Organizations
The PDPB 2022 assigns restrictions and obligations to both data principals and organizations deemed significant data fiduciaries.
Obligations of Data Principals
Data principals must not:
- Register false complaints or reports with a data fiduciary or the Data Protection Board
- Provide any false information, suppress material information, or impersonate another individual
- Provide any false or fraudulent information while exercising their right to data erasure or correction
Responsibilities of Data Fiduciaries
Many of the rights and responsibilities set forth in the PDPB are similar to those in the GDPR. Some of the main obligations of data fiduciaries include:
- Clearly explain to data principals what personal data the data fiduciary wants to collect and the purpose of collecting the data
- Obtain informed consent to collect an individual’s personal data
- Allow data principals to withdraw consent at any time
- Allow data principals to correct, update, or request erasure of personal data where it is no longer needed
- Take steps to ensure that data processed is accurate and complete
- Implement appropriate security measures to prevent personal data breaches
- Only retain an individual’s data as long as it is needed for the purpose it was collected
- Notify the Data Protection Board and all data principals impacted if a data breach occurs
- Implement a contract before sharing or transferring data to another fiduciary or to a data processor
- Implement necessary technical and organizational measures to ensure compliance
Additional Responsibilities of Significant Data Fiduciaries
In addition to the above obligations, organizations deemed significant are also required to:
- Appoint a data protection officer
- Appoint an independent auditor to conduct periodic audits to ensure ongoing compliance
- Perform data protection impact assessments
Penalties for Noncompliance
Violations of the requirements for data principals may result in fines of up to 10,000 rupees (approximately $120).
Violations by data fiduciaries and significant data fiduciaries may result in fines of up to approximately INR 500 crore (approximately $61 million). The amount of the penalty imposed depends on the violation, its impact or potential impact, the type of personal data affected, and other factors.
Status of India’s Digital Personal Data Protection Bill
In April 2023, the Union government notified the Supreme Court that the Digital Personal Data Protection Bill 2022 is ready. It’s expected to be tabled during the Monsoon Session of Parliament in July 2023.
Frequently Asked Questions
Has the Personal Data Protection Bill been passed in India?
India’s Digital Personal Data Protection Bill has not yet been passed. Introduced in November 2022, it underwent a public consultation period, with the last public comment received on January 2, 2023.
The government notified the Supreme Court of India that the Bill is ready to proceed. It is anticipated that it will be tabled in the Monsoon Session of Parliament in July 2023.
What is a data subject in the Indian Personal Data Protection Bill?
India’s Personal Data Protection Bill uses the term “data principals” rather than “data subjects,” referring to individuals “to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child.”
Why is there no data protection act in India?
The Supreme Court of India first recognized the right to privacy in a landmark 2017 decision in the case of Justice K. S. Puttaswamy (Retd.) & Anr. vs. Union Of India & Ors., known as the Right to Privacy verdict.
Since that time, the government has made numerous attempts to introduce a data protection bill, but due to significant scrutiny, those efforts have been unsuccessful. However, the current proposed bill, the Digital Personal Data Protection Bill 2022, will be considered by Parliament in July 2023.
Is data privacy a human right in India?
While the Constitution does not explicitly state the right to privacy, the Supreme Court of India recognized the right to privacy in the Justice K. S. Puttaswamy (Retd.) & Anr. vs. Union Of India & Ors. (2017) verdict, which is also known as the Right to Privacy verdict.
The verdict was a landmark decision by a bench of nine judges who unanimously agreed that the right to privacy is a fundamental right under Articles 14, 19, and 21 of the Constitution of India.
The order issued by the Supreme Court of India states, “The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.”