Views of Mr. Sajai Singh, Partner, J. Sagar Associates, Advocates & Solicitors on Data Protection Bill 2019

As expected, the provisions of the Bill seek to overhaul India’s data protection regime
and address the many loopholes and inadequacies presently plaguing the country’s information
ecosystem.
We have summarised below certain key aspects of the Bill.
1) Extraterritorial Applicability: The provisions of the Bill extend to Data Fiduciaries (discussed
below) or Data Processors who operate outside the country, if they process Personal Data in
connection with:
a) any business carried on in India; or
b) systematic offering of goods and services to Data Principals (i.e. individuals) in India; or
c) any activity which involves profiling of Data Principals within India.
2) Personal Data, Sensitive Personal Data and Critical Personal Data: The Bill envisages
and regulates 3 (three) categories of data – Personal Data, Sensitive Personal Data (“SPD”),
and Critical Personal Data. SPD consists of existing categories of sensitive information such
as, financial data, health data and biometric data, and also includes new categories of data such
as official identifiers, sex life, sexual orientation, genetic data, transgender status, intersex
status, caste or tribe, religious or political belief or affiliation. The Bill does not define Critical
Personal Data and instead leaves it to the Government of India to formulate a definition by
way of rules. Notably, the Bill does not regulate anonymized data and exempts such data from
its purview.
3) Data Fiduciary and Data Principal: The Bill replaces the traditional terms “Data Controller”
and “Data Subject” with “Data Fiduciary” and “Data Principal”, in an effort to emphasize
accountability and trust between these players.
4) Profiling: The Bill introduces and regulates a new form of processing referred to as Profiling.
Profiling involves the processing of Personal Data to analyse or predict the behaviour,
attributes or interest of a Data Principal.
5) Notice Requirements: The Bill introduces a more extensive notice requirement in relation
to the processing of Personal Data. Any Data Fiduciary, who intends to collect Personal Data,
is required to notify the Data Principal of several details, including:
a) The purpose of the collection and the categories of Personal Data to be collected;
b) The contact details of the Data Protection Officer (discussed below);
c) The right of the Data Principal to withdraw consent;
d) The period for which Personal Data will be retained;
e) The details of the entities with whom Personal Data may be shared, including details of
any cross-border transfers; and
f) The procedure of grievance redressal and the right of the Data Principal to file complaints
with the Data Protection Authority (“Authority”) established under the Bill (discussed
below).
6) Data Storage Limitation: The Bill mandates that Personal Data will be retained as long as
may be necessary to satisfy the purpose for which it is processed. A periodic review needs to
be undertaken by the Data Fiduciary to ascertain whether it is necessary to retain Personal
Data. Personal Data may be retained for a longer period only if explicit consent has been
provided by the Data Principal.
7) Consent: The Bill provides that the consent provided for any processing is required to be free,
informed, specific, clear and capable of being withdrawn. The Data Fiduciary is not allowed
to make provision of any goods and services, the performance of a contract or the enjoyment
of any legal right or claim, conditional on consent to processing of any Personal Data not
necessary for that purpose.
8) Withdrawal of Consent: The Data Principal is allowed to withdraw consent for processing
of any Personal Data necessary for the performance of a contract. However, all legal
consequences of the effect of such withdrawal will be borne by the Data Principal.
9) Processing of Personal Data and SPD: Personal Data and SPD may be processed with the
consent of the Data Principal. Such processing may also be undertaken without consent:
a) for functions of the State;
b) for compliance with law or an order of a court/tribunal;
c) for prompt action in case of emergencies; and
d) if required for ‘reasonable purposes’ of the Data Fiduciary. ‘Reasonable purpose’ has been
defined to include, amongst others, the ‘operation of search engines’.
Further, Personal Data which is not comprised of any SPD may be processed in relation to
the employment of the Data Principal without consent.
10) Processing of SPD: SPD may be processed on the basis of explicit consent of the Data
Principal. Explicit consent must contain requirements in addition to ordinary consent.
11) Protection of Children: A “Child” is defined as someone who is less than 18 years of age.
The Bill requires a Data Fiduciary to have appropriate mechanisms for age verification and
parental consent in order to process Personal Data from Children. Data Fiduciaries who
operate commercial websites or online services directed at Children or process large volumes
of Personal Data of Children will be notified as ‘Guardian Data Fiduciaries’ by the Authority.
Notably, profiling, tracking or behavioural monitoring of or targeted advertising towards
Children is not permitted for such Guardian Data Fiduciaries.
12) Rights of the Data Principal: The Bill provides several rights to Data Principals including,
the right to confirm and access, the right to correction, right to erasure, right to data portability
and right to be forgotten. Notably, the right to be forgotten is not an absolute right and may
only be exercised after the Data Principal has obtained an order from the concerned
‘adjudicating officer’.
The Bill further provides that the Data Principal will have the right to access the identities of
Data Fiduciaries who access, use, process and store Personal Data of the Data Principal. Such
information must be made available to the Data Principal at a centralised location. The Bill has
also introduced the concept of a ‘consent manager’. A ‘consent manager’ is a Data Fiduciary
which enables a Data Principal to gain, withdraw, review and manage his consent through an
accessible, transparent and interoperable platform.
13) Privacy by Design Policy: Every Data Fiduciary is required to prepare a privacy by design
policy which amongst other criteria, must contain information such as obligations of the Data
Fiduciary, technology used in processing of Personal Data and measures adopted for
protection of privacy during the processing of the Personal Data. This privacy policy is
required to be certified by the Data Protection Authority.
14) Security Safeguards: Data Fiduciaries and Data Processors are required to implement security
safeguards, including methods such as de-identification and encryption.
15) Data Breach Notification: Data breach notifications are required to be made by Data
Fiduciaries to the Authority if the breach is likely to cause harm to any Data Principal. The
breach notification must include nature of Personal Data, number of Data Principals affected,
possible consequences of the breach and measures being taken by the Data Fiduciary to
remedy the breach.
16) Data Protection Impact Assessment: Any data processing which involves new technologies
or large-scale profiling or use of SPD such as genetic data or biometric data, or any other
processing which carries a risk of significant harm to Data Principals, would require the Data
Fiduciary to undertake an impact assessment.
17) Data Audit: Data Fiduciaries also have the obligation to conduct an annual audit of their
policies and the conduct of their processing of Personal Data.
18) Data Protection Officer: All Data Fiduciaries are required to appoint a data protection officer
(“DPO”) to carry out certain functions prescribed under the Bill. Notably, Data Fiduciaries
established outside India to which the Bill will apply, are required to appoint a DPO based in
India.
19) Significant Data Fiduciary: Based on factors such as the volume of Personal Data processed,
sensitivity of Personal Data processed, turnover of the Data Fiduciary, risk of harm resulting
from any processing, use of new technologies, the Authority will notify certain Data Fiduciaries
as “Significant Data Fiduciary”. Such Significant Data Fiduciaries are required to be registered
with the Authority and are required to implement trust scores, data audits as well as data
protection impact assessments.
20) Social Media Intermediaries: Any Social Media Intermediary (i) who has users exceeding a
certain threshold; or (ii) whose actions have or are likely to have a significant impact on
electoral democracy, security of the State, public order or the sovereignty or integrity of India,
will be notified by the government as a Significant Data Fiduciary. Further, those Social Media
Intermediaries that are notified as Significant Data Fiduciaries must enable users to voluntarily
verify their accounts. When a user voluntarily verifies his account, the Social Media
Intermediary must also provide a visible mark of verification, visible to all other users.
21) Data Localisation and Cross Border Transfers: The Bill places specific restrictions on
cross-border transfers of SPD and Critical Personal Data. SPD may be transferred outside
India for the purpose of processing, with the explicit consent of the Data Principal and if such
transfer is made subject to standard contractual clauses or intra-group schemes that comply
with requirements prescribed by the Authority. However, the Bill mandates storing a copy of
or ‘mirroring’ all SPD within the territory of India.
The Bill further mandates the storage and processing of all Critical Personal Data exclusively
within India.
22) Non-resident Data Principals: The Bill is applicable to such individuals who do not reside
within India, but whose Personal Data is processed by Data Processors in India. However, the
government can provide an exemption by way of a notification.
23) Sandbox: The Bill mandates the Authority to put in place a sandbox to encourage innovation
in artificial intelligence, machine learning and other emerging technology in public interest.
Data Fiduciaries whose privacy by design policy is certified by the Authority, can make an
application for inclusion in the Sandbox.
24) Authority: The Bill establishes an independent authority called the ‘Data Protection Authority
of India’, that is empowered to oversee the enforcement of the Bill. The adjudication process
will be looked after by the adjudication wing of the Authority. The Authority will have the
power to, among other things, temporarily suspend or discontinue the business activity of the
Data Fiduciary or Data Processor, cancel any registration or suspend or discontinue any cross-border
flow of Personal Data. The Authority, where it has reasonable grounds to believe that
any contravention of any provisions of the Bill has occurred, has the power to enter and search
any building, access any computer resource or seize all books and records of a Data Fiduciary.
25) Penalties: The Bill lays down financial penalties for non-compliance ranging from INR 5
crores or 2% of total worldwide turnover to INR 15 crores or 4% of the total worldwide
turnover. The Bill also provides for compensation for Data Principals for any harm caused to
them due to contravention of the provisions of the Bill. Further, the Bill recognises the right
of a class action suit, where an identifiable class of Data Principals have suffered harm. There
are certain cases which have criminal liabilities prescribed under the Bill, such as obtaining,
transferring or selling Personal Data knowingly or intentionally in contravention of the Bill or
re-identification and processing of de-identified Personal Data.
26) Criminal Liability: Any person who knowingly or intentionally re-identifies anonymised data
and processes the same without due consent is punishable with imprisonment for a maximum
term of three years and/or a fine extendable to INR 2 lakhs.
27) Anonymised Data: The Bill provides the government a right of access to anonymised
Personal Data or Non-Personal Data held by Data Fiduciaries/Data Processors.
28) Amendment to IT Act: Section 43A and Section 87 of the Information Technology Act,
2000 will be omitted after the Bill comes into force.