An Overview of Proposed Changes to India’s Personal Data Protection Bill

Timeline leading to the PDPB

2017 — The Supreme Court of India declares the right to privacy as a fundamental right protected under the Indian constitution and the appointment of a dedicated Data Protection Authority.

Recommendations Made to the PDPB

The report submitted by the Joint Parliamentary Committee has made the following revisions:

Timelines for Implementation (Clause 1)

Existing version — The Personal Data Protection Bill 2019 did not define any time limit to implement its provisions.

Scope of Application (Clause 2)

Existing version — The bill is classified as the “Personal Data Protection Bill.”

Definitions (Clause 3)

The report defines, integrates, or revises multiple vital terms, including:

  • Data auditor,
  • Data breach,
  • Data fiduciary,
  • Data processor,
  • Data protection officer,
  • Harm, and
  • Non-personal data.

Processing of Personal Data Without Consent (Clauses 13 and 14)

Additions have been made to processing non-sensitive personal data for employment purposes. The revision allows the processing of non-sensitive personal data if “such processing is necessary or can reasonably be expected by the data principal and data fiduciary.”

Processing of Personal Data of Children (Clause 16)

Existing version — The earlier version stated that the personal data of children would be processed in the “best interests of the child.”

User Rights (Clauses 17, 19, and 23)

Casualty or Death

The proposed version empowers users/data principals to exercise their right over how their data should be handled in case of casualty or death. Data principals can now nominate a legal heir or a representative they trust to care for their personal information.

Data Portability

Under the proposed bill, trade secrets can no more be the reason for denying data portability. Data fiduciaries are also required to ensure the utmost transparency of processes and complete fairness of mechanisms when processing personal data.

Breach Reporting (Clause 25)

The proposed bill revamps breach reporting, where data breaches now comprise breaches of both personal and non-personal data. Data breach notification requirements have also been overhauled to become more accurate and tough on data fiduciaries.

Social Media Platforms (Clause 26)

The proposed bill treats all social media platforms, excluding intermediaries, as publishers and holds them accountable for material they host on their platform. The principle is that social media platforms can control access to all types of content posted on their platform.

Data Protection Officer (Clause 30)

Previously, the appointment and responsibilities of the Data Protection Officer (DPO) were unclear. The proposed revision adds clarity regarding who can be a DPO. The DPO should be the states’ senior-level officer in the government’s case.

Data Transfer (Clause 34)

The proposed revisions further improve the requirements for sensitive and critical personal data transfers. The Data Protection Authority is now required to consult the government when authorizing a contract or intra group scheme to engage in cross-border data transfer.

Exemptions from the Regulation (Clause 35)

This clause enables agencies and multiple departments under the government’s belt exemption from any or all law provisions. Since this clause empowers independent agencies and their departments, it received growing criticism from the committee members.

Sandbox Environment (Clause 40)

With cybersecurity being a top-notch priority, the government of India encourages startups and innovation culture by introducing the concept of privacy by design through setting up sandbox environments.

Composition of the DPA (Clause 42)

The bill requires the arrangement of the Data Protection Authority to be:

  • Robust, and
  • Independent
  • Technical,
  • Academic fields, and
  • Secretary-level officials.

Testing and Certification of Hardware Devices (Clause 49)

Existing version — Currently, there is no coverage for hardware devices that collect and process the personal data of data principals.

Data Localization

The proposed clause of the bill suggests that the data of Indians stored in data centers abroad should be brought to India within a specified period. Also, the government must devise a comprehensive policy on data localization, meaning that the data of Indians stay in the country.


India’s Data Protection Bill has been in the pipeline for a long time and is expected to change India’s presently outdated and ineffective data protection system.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store