
Personal Data Protection Bill (India)

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: Personal Data Protection Bill (India)
Enacted by: Lok Sabha; Rajya Sabha
Introduced by: Ministry of Electronics and Information Technology (India)
Status: Draft / Proposed / Under consideration

The Personal Data Protection Bill proposed a statutory framework for protection of personal data in the Republic of India by defining obligations, rights, and institutional mechanisms for handling personal information. It sought to reconcile regulatory approaches from jurisdictions such as the European Union and the United States with sovereign considerations evident in legislation like the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 and policies from the Ministry of Electronics and Information Technology (India). The Bill catalyzed debates across stakeholders including corporate entities such as Tata Consultancy Services, Infosys, Wipro, civil society actors like the Internet Freedom Foundation and academic bodies including the Indian Institute of Technology Delhi.

Background and Legislative History

The origins trace to the 2017 report by a committee chaired by B. N. Srikrishna, which built upon orders of the Supreme Court of India in the Justice K. S. Puttaswamy (Retd.) vs Union of India judgment that recognized privacy as a fundamental right. Subsequent drafts were tabled in the Lok Sabha and the Rajya Sabha across successive sessions, interacting with parallel initiatives such as the Aadhaar (Targeted Delivery... Act) litigation, engagements with the Reserve Bank of India, and consultations with multinational firms like Google, Facebook, Amazon, and trade bodies such as the Confederation of Indian Industry. Committees including parliamentary panels and expert groups from the NITI Aayog examined provisions amid interventions by civil society NGOs like Access Now and legal scholars from National Law School of India University.

Key Definitions and Scope

The Bill defined terms including "personal data" and "sensitive personal data" with reference to identifiers found in contexts like Aadhaar (Targeted Delivery... Act), biometric databases maintained by the Unique Identification Authority of India, and financial records overseen by the Reserve Bank of India. The scope contemplated applicability to data fiduciaries located in India and certain extraterritorial activities involving entities such as Google LLC's India operations and Microsoft Corporation subsidiaries. Exemptions and delineations interacted with statutes including the Information Technology Act, 2000 and compliance regimes used by multinational corporations like Apple Inc.

Rights of Data Principals

The Bill enumerated rights for data principals including rights of confirmation, access, correction, and data portability reminiscent of rights in the General Data Protection Regulation of the European Union. It proposed mechanisms for consent management that implicated platforms such as WhatsApp and Twitter, Inc. and contemplated supervisory roles for academic institutions like Indian Institute of Technology Madras in research exemptions. Judicial and administrative remedies were to be adjudicated through forums including the Supreme Court of India and regulatory orders modelled after enforcement actions by authorities like the Information Commission of India.

Obligations of Data Fiduciaries and Processors

Data fiduciaries were required to implement data protection impact assessments analogous to practices at IBM and Cisco Systems, ensure storage localization in some cases, and adopt security safeguards similar to standards used by the International Organization for Standardization. Cross-border transfer controls referenced mechanisms found in international agreements such as the Privacy Shield discussions between the European Commission and the United States while raising compliance issues for corporates including Flipkart and Paytm.

Governance, Regulatory Framework, and Enforcement

The Bill envisaged a statutory authority, the Data Protection Authority, with powers to investigate, levy penalties, and issue codes of practice, operating in an ecosystem alongside enforcement bodies like the Central Bureau of Investigation for criminal violations and sectoral regulators including the Telecom Regulatory Authority of India and the Securities and Exchange Board of India. The institutional design was debated with comparisons to regulators such as the Information Commission of Bangladesh and the Office of the Privacy Commissioner of Canada.

Exemptions, National Security, and Public Interest Provisions

Clauses permitting exemptions for national security, law enforcement, and public order invoked interactions with agencies like the Ministry of Home Affairs (India), National Investigation Agency, and intelligence entities historically associated with surveillance disputes, e.g., controversies involving Project Pegasus. Provisions allowed the state to process data for welfare delivery systems similar to Aadhaar implementation models, prompting litigation references to the Supreme Court of India privacy jurisprudence.

Impact, Criticisms, and Legislative Developments

The Bill influenced corporate compliance strategies at firms such as Infosys, HCLTech, Google LLC, and Meta Platforms, Inc. while attracting criticism from civil liberties organizations including Human Rights Watch and policy analysts at institutes like the Centre for Internet and Society. Key criticisms targeted broad exemptions for state access, data localization burdens affecting startups including Ola Cabs and Zomato, and potential conflicts with transnational frameworks like the General Data Protection Regulation. Parliamentary debates and subsequent amendments continued to shape the statute amid comparative law dialogues with jurisdictions such as the United Kingdom and the European Union.
