India, being a developing country, is undergoing fast growth, notably in the field of technology. India’s evolution to a totally internet-driven economy is one such exceptional example. However, in a nation like India, a lack of data protection legislation has compromised the expectation of privacy stipulated in the Indian Constitution; the importance of such laws has been reaffirmed by the court’s decision in the case of K.S. Puttaswamy, J. v. Union of India, and others.

A tremendous quantity of confidential data has been created as a consequence of the increasing number of individuals utilising the worldwide web and the widespread usage of technology. This information has been collected without the consent or responsibility of individuals, raising questions regarding privacy issues.

The Information Technology (IT) Act of 2000 is currently governing the collection and use of personal data in India. This means that this strategy has been judged to be inadequate for maintaining personal data protection. In 2017, the national government created the Committee of Specialists on Data Protection, led by Judge B. N. Sri Krishna, for the purpose of investigating concerns about data protection in the country. The committee presented its report in July 2018.


The need for laws to protect confidential data in India has been brought about by the nation’s continually shifting legislative and governmental environment, in addition to the implementation of GDPR. This paved the way for the 2019 Personal Data Protection “Bill,” which highlighted the need for stiffer repercussions and enhanced information protection. Based on the Committee’s recommendations, the Personal Data Protection Bill, 2019, was put forward in Lok Sabha in December 2019. A Parliamentary Commission was tasked with assessing the bill, and its recommendations were due in December 2021.

Regardless, the combined committee to which the bill originally went forward studied it extensively and recommended 81 changes and 12 comments in order to develop effective data protection laws. After considering the suggestions of the joint parliamentary committee, the administration chose to abandon the bill on August 3, 2022, and replace it with a new one that corresponds to the approved comprehensive legal framework.


Considering a review of numerous issues concerning digital private data and its safeguarding, the MEITY Ministry of Electronics and Information Technology prepared the Digital Personal Data Protection Bill, 2022, which was presented on November 18, 2022.

If passed by the legislature, it will replace the 2011 regulations as well as portions of the present laws. The measure attempts to put obligations on companies that determine the objectives and approaches of data processing (known as “data fiduciaries”). Organisations that collect data that is personally identifiable from users for the sole purpose of marketing and delivering food products, for example, infer that the goal of collecting is to aid in the purchase and transportation of products. It also tries to regulate companies that handle this type of knowledge (also referred to as “data processors”) in keeping with the companies’ wishes.

As an illustration, if an application employed the services of a remote storage provider for keeping sensitive data, the provider would operate solely on guidelines from the company in question. Aside from that, the law determines the legal rights of individuals (commonly referred to as “data principals”) to whom personal data belongs.


The previously announced Digital Personal Data Protection Bill 2022 has been the focus of a heated discussion. It is of the utmost importance to maintain the debate in order to ensure that a greater number of individuals become cognizant of the proposal’s flaws. The Solicitor General additionally indicated on the last day of January 2023, in a speech delivered shortly beforehand to the top court of India, that a data protection bill would be filed with the legislature in the second half of the budgetary session in 2023. As a consequence, this idea might become law in the next few months. The brief includes fresh information that was undertaken to ensure that everyone in the neighbourhood can have a substantive discussion about the strategy.

The DPDPB, which merely attempts to regulate personal data, excludes non-personal data from its scope. For the first time in India, the pronouns “she” and “her” were used when describing persons of any gender in the Digital Privacy Bill 2022.

Between the additional definitions, the DPDPB includes novel concepts such as “data principal” (the person to whom the personally identifiable information relates, which may include the individual’s parent’s or legal guardian if the individual in question is a child) and “data fiduciary relationships (the person who defines what it means and implies to collect and make use of personal data, either alone or jointly with others).

The revised DPDPB only handles computerised or digital information; information that is manually entered is not addressed. In other areas, the draught bill provisions are deemed vague. For example, it is conceivable to misinterpret what “in the public interest” means and to what degree. The measure gives the centre additional authority.

Another, and possibly the most significant, change made regarding the bill in this version is the problem of cross-border data flow. This Digital Personal Data Protection Bill 2022 allows for unlimited data transfer across international borders. It enables the cross-national transfer of data that would otherwise be notified only by the central authority.

The DPDPB proposes the formation of a “Data Protection Board,” which would serve as a regulatory body. According to the Information Protection Bill, the Board’s primary responsibility is to determine whether the provisions of this Act have been violated and to apply fines in line with their terms. The law further states that later rules will be issued establishing the chairman’s and other members’ composition, strength, supplementary qualifications, selection procedure, appointment terms, and removal. The Digital Security of Personal Data Bill 2022 further states that the federal government would choose the Chief Executive of the Board of Directors, and the Chief Executive’s qualifications and conditions for being employed will be determined by the government.


In a nutshell, the new Personal Information Protection Bill 2019 is an attempt by the government to develop a simplified yet intelligible data protection law, as opposed to the previous version of the bill, which was attacked by enterprises and start-ups for simply being compliance-intensive. Despite the fact that the current draught seems to have discussed issues such as localization, a consent-heavy organisation, and greater adherence to responsibilities, among others, specific provisions such as those that provide exemptions from the state’s processing of an individual’s data, insufficient justification in up-and-running details, and inadequate protections for data administrators are among the primary complaints raised by experts.

Click Here : Privacy Law in India