India’s New Data Protection Law. Where Does It Come From, and What Does It Mean?

In 2017, the Indian Supreme Court, in a landmark judgment (the “Puttaswamy Judgement”), found privacy to be a fundamental right granted to every person under the Indian Constitution. The right was read into the right to life and personal liberty granted under Article 21.

Fundamental rights, however, while enforceable against the state, are not necessarily so against private entities or individuals.1 This created a need for a robust legislation setting out provisions on data protection for data subjects and data fiduciaries in India. In the Puttaswamy Judgement, reference was made to an Expert Group which had published a Report in 2012 regarding a framework for protection of privacy concerns which would expectedly be used to draft a legislation for India’s data protection regime. Additionally, the Puttaswamy Judgement also referred to a memorandum submitted by the Government where the Government had constituted a Committee to review data protection norms and make recommendations. In light of these, the Puttaswamy Judgement stated that it would be appropriate for this committee to make determinations for putting in place a robust data protection regime and called upon the Government to take all necessary steps to put such a law in place.

Prior to the Puttaswamy Judgement, India’s data protection laws were limited to the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), a set of rules framed under the provisions of the Information Technology Act, 2000. The SPDI Rules provide a rudimentary set of data protection rules, with obligations for corporates who collect personal information to provide a privacy policy, obtain consent before collecting personal information, and put in place the prescribed security standards and procedures. An overhaul of the law had thus been long overdue.

The Committee constituted in 2017, chaired by Justice BN Srikrishna, presented the Draft Personal Data Protection Bill, 2018 to the Ministry of Electronics and Information Technology (“MeitY”), which was then further amended and formed the Personal Data Protection Bill, 2019 (“PDPB 2019”).