Data Protection & Privacy

India’s long awaited data protection law was enacted in 2023. 

In the absence of a dedicated data protection regime, the Information Technology Act, 2000 read with its supplementary Rules [Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011] acted as a framework for data protection and privacy in India. In certain instances, sectoral regulators such The Reserve Bank of India (RBI), The Bureau of Indian Standards (BIS), and The National Health Authority (NHA) issued data protection guidelines and standards specifying data protection obligations for the sector.

To address rising privacy concerns, a Group of Experts was constituted in 2011 to understand privacy issues and identify interventions to effectively address them. The group studied national and international privacy laws and practices and in their 2012 report issued nine national privacy principles which were central to the interpretation of the right to privacy.

In 2017 the Supreme Court of India recognized the right to privacy as an element of the fundamental right to life and personal liberty under Article 21 of the Indian Constitution in the Puttaswamy judgment. It advised the Central Government establish a data protection policy that balances the needs of individuals with legitimate concerns of the state, while encouraging entrepreneurship and innovation. Consequently, the government formed an expert committee tasked with preparing a draft Data Protection Bill. The committee submitted its report along with the draft Personal Data Protection Bill 2018. This Bill along with recommendations of the Committee and suggestions from various stakeholders formed the basis of the Personal Data Protection Bill, 2019 which was subject to significant contention. Thus, it was referred to a Joint Parliamentary Committee (JPC) which undertook a clause-by-clause examination of the Bill and submitted the Data Protection Bill, 2021 along with it’s report. This preceded the withdrawal of the Personal Data Protection Bill 2019 from parliament in 2022 and the subsequent release of the Digital Personal Data Protection Bill 2022 for public consultation.

In August 2023, the Digital Personal Data Protection Bill, 2023 was introduced in Parliament. While the Bill had a few key differences from the draft released for public consultation, it was passed by both houses, received the president’s assent and became the Digital Personal Data Protection Act, 2023.

During the process to draft India’s data protection law, the Ministry of Electronics and Information Technology (MeitY) also constituted an Expert Committee to study issues relating to non-personal data. The committee published its report in 2020 containing the draft of a Non-Personal Data Governance Framework for public consultation. After receiving extensive feedback, the Expert Committee released its revised report on a Non-Personal Data Governance Framework which outlined conditions wherein data would fall under this framework .

In February 2022, MeitY published the Draft India Data Accessibility & Use Policy, 2022 which proposed that government data, which has been collected at the Central level and has “undergone value addition/transformation”, can be sold in the open market for an “appropriate price”. After widespread criticism MeitY published the draft National Data Governance Framework Policy in May 2022 as its substitute.