• By Nirav Goti



  • The bill is much more ‘simplified’ and ‘stripped down’ compared to the earlier versions. Sticks to the key aspects of Personal Data Protection articulating core privacy principles, individuals’ rights and organizational obligations succinctly. 
  • The quantum of penalties outlined is HUGE – several orders beyond what had been proposed thus far. (500/250/150 crores ranges)
  • No mention of any classification of Personal Data (so, no ‘Sensitive PD’ or ‘Critical PD’). Children’s data is under added focus, though – a trend we are seeing in the rest of the world. 
  • Cross Border Data Transfer has been cut down to just saying Personal Data can be transferred to countries that the government will notify. 
  • Exemption from certain requirements for small entities. However, the core principles of using data only for purposes that the individual has consented to are not exempt.


Data Principal (DP) = Individual whose Personal Data it is. (Globally, the term used is ‘Data Subject’).

Data Fiduciary (DF) = The Organization who determines the purpose and means of processing. (Globally, the term used is ‘Data Controller’).


  • Only to Digital Data. (this is new!)
    • Includes even ‘digitised’ data, btw. So, if you are scanning paper forms, they come under the purview of the Act.
  • Covers any entity – even outside India – that processes the Personal Data of Data Principals in India.



  • Give an ‘itemized’ notice that specifies all purposes for which the DP’s Personal Data is going to be processed – in all Indian languages.
  • For any past data collected, even with consent/via a contract, fresh notice & consent required post the passing of the Act.


  • Specific Consent required for all purposes.
  • ‘Deemed consent’ is covered in detail and can be used in certain use cases that cover areas like:
    • ‘reasonable expectations’ (for eg, giving your name and number to a restaurant to make a reservation)
    • For a function of state
    • Processing related to employment or while under employment (this is new!)
    • Vital interest (eg: Medical Emergency) or public interest (law and order related, to address fraud, security, credit scoring, etc) o “Fair and reasonable purposes” (Along the lines of ‘legitimate interest’ in GDPR)

Collection Limitation 

  • Collect only what is needed for specified purpose(s). 
  • For anything ‘extra’ being collected, give a choice to the DP.

Use Limitation

  • Use data only for the purpose(s) the DP has consented to.

Storage Limitation

  • Retain data only as long as it is required for the purpose(s) outlined and delete/anonymize after usage.


  • To 3rd parties only with consent.


  • Ensure Data processed is accurate.

Security Safeguards

  • Institute proper security safeguards.
  • Failure to do so can lead to penalties upto Rs.250 Cr


  • DF will remain accountable at all times. Implies that organizations would need to build ‘demonstrability of accountability’ into operations – a trend we are seeing globally.

RIGHTS & DUTIES of a Data Principal:

Data Principals would have the following four rights they can invoke with a Data Fiduciary:

  • Right to Information:
    • Right to confirmation – whether a DF has processed/is processing your Personal Data
    • Right to Access – summary of Personal Data in custody and what processing is being done
    • Identities of all DFs with whom data has been shared and categories of PD shared (this is new!)
  • Right to correction & erasure: Of the PD in the DF’s custody
  • Right of Grievance Redressal: (this is new!) DP needs to receive a response within 7 days or shorter – else can complain to the Data Protection Board.
  • Right to nominate: (this is new!) As to who will have the right to act on behalf of the DP in case of death or incapacitation

Duties for a DP: (this is new!)

Essentially the DP has a duty to ensure nothing false or fraudulent is shared. Penalty upto 10K is also proposed for any transgressions here.


Breaches to be notified to:

  • the Data Protection Board (that would be set up to oversee compliance with the law).
  • The Data Principal as well.
  • Failure to notify can invoke penalties upto Rs.200 Cr.


A Data Fiduciary needs to

  • obtain verifiable parental consent
  • not undertake such processing of personal data that is likely to cause harm to a child, as may be prescribed
  • shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children
  • Failure to comply: Penalty upto 200 crore


The Bill has not spelt out exactly who would come under the SDF category. Only listed factors that would be used to determine who would come under this category. Left it to the government to notify later. The surmise is that essentially anyone doing Data Processing that can be risky would come under this umbrella.

Key Obligations on an SDF:

  • Appoint a DPO. Based in India. Reporting to the Company Board/ equivalent governing body
  • Appoint a Data Auditor to audit compliance with the Act
  • Undertake DPIA & audits (to be prescribed)
  • Failure to comply: Penalty upto 150 Crore


Government will whitelist countries/territories where Personal Data transfer is allowed. (this is new!)


Certain Data Fiduciaries – based on the volume and nature of Personal Data processed -would be exempt from certain clauses. However, the basic principles of sticking to processing data only for the purposes the Data Principal has consented to will apply without exception.


Over and above the penalties indicated earlier in this note,

  • Non-Compliance with other aspects of the act can invite penalties upto Rs.50 cr
  • the Data Protection Board has the power to issue penalties upto Rs.500 cr for noncompliance/ post investigation of complaints.