Significant changes proposed to Personal data protection law in India


last updated on 5 March 2020 | Reading time approx. 4 minutes


Data is now recognised globally as one of the most valuable assets of organisations, which triggers the need for a stringent level of data protection. It is against this backdrop that in July 2017 the Government of India, through its Ministry of Electronics and Information Technology, formed a committee to examine and propose changes to the data protection laws in India (which are presently not as advanced and extensive as those of European countries).


The committee introduced the Personal Data Protection Bill, 2018 (2018 Bill). Thereafter, various stakeholders gave several suggestions, and the committee then introduced the Personal Data Protection Bill, 2019 (2019 Bill) in the Indian House of People (Lok Sabha) on 11.12.2019. The Bill has presently been referred to a joint parliamentary committee for approval. It is speculated that the 2019 Bill will be enacted as legislation in the near future and that the (Indian) Personal Data Protection Act will very soon be in force.



Impact on foreign investors

The 2019 Bill, once enacted into law, will bring India on par with several global jurisdictions in terms of the checks and balances for data protection, in particular in line with the European Union’s General Data Protection Regulation (GDPR). The 2019 Bill is modelled on GDPR but, in some respects, is understood to have certain provisions far more stringent than GDPR.

The 2019 Bill has several noteworthy provisions, such as scope of applicability, categorisation of data, stringent and detailed notice requirements prior to collection of personal data, consent requirement and parameters, processing and restriction on retention of data, rights of the data principal, powers and duties of the Data Protection Officer, data localisation, cross border transfers and penalties for breaches. It is critical to have an in-depth understanding of the legislation to ensure preparedness and compliance with the law once it is enacted.
However, our analysis in this article is limited to certain provisions of the 2019 Bill which would have a direct impact on foreign investors (present and potential) in India while exchanging, processing and otherwise dealing in data.


We deal with three key topics here:

  • Overview of Categorisation of Data in the 2019 Bill;
  • Extra-Territorial Application of the 2019 Bill; and
  • Cross Border Data Transfer


Overview of categorisation of data

It is relevant to note that the 2019 Bill regulates 3 categories of data which are as follows:

  1. Personal Data (PD): all data related to a natural person directly and indirectly identifiable, in relation to any characteristic, feature of the identity of such natural person, either online or offline, or combination of such features.
  2. Sensitive Personal Data (SPD): sub-set of personal data which includes financial data, health data, data in the nature of an official identifier, sexual orientation, biometric data, genetic data, caste, tribe, religious or political belief.
  3. Critical Personal Data (CPD): sub-set of personal data, but not currently defined. The Government has to notify rules setting out the definition of CPD.  

The 2019 Bill sets out certain specific compliances for SPD and CPD, such as data localization and restriction on processing of CPD, respectively. Further, industries which deal with the collection of financial, biometric and health data need to carefully examine the scope of the 2019 Bill and the resultant compliances for collecting and processing such specific data.

The 2019 Bill appears to be modelled in principle around the GDPR. To that extent, GDPR compliant organisations would have fewer challenges in implementing the Indian framework, as may be applicable.
However, the 2019 Bill has certain key variations from GDPR, such as the fact that categorisation of data under the 2019 Bill is more explicit than under GDPR; there is also likely to be a difference in the framework for deciding whether or not data can leave the country.

Therefore, a careful and detailed analysis of the legislation in India will be required once the legislation is in its final form, and likely additional points for consideration and compliances (if any) would need to be examined. A GDPR based health check of the practices of the Indian operations continues to be a useful tool, ensuring compliance under European norms and laying the structures for upcoming regulations in India.



Dharm Veer Singh Krishnawat

Partner, Head of Ahmedabad office

+91 976 990 0330


Ritika Arora

Senior Associate

+91 124 6749 771
