Data protection is a modern concept that arose as technology grew and became
intertwined with the many kinds of data people generate, such as passwords,
lifestyle activities and shopping preferences. The countries of the European
Union recognize the gravity of personal data and the need to preserve it.
There have also been laws governing this. In its latest iteration, the EUGDPR
(European Union General Data Protection Rights) was passed in 2018, and it was
also made applicable to multinational companies from outside the EU. It is
widely regarded as protecting individuals from being pried upon by corporations
that offer goods and services. Its Indian counterpart could be the proposed
Data Protection Bill, 2018, which is yet to be passed and is currently under
review.
The primary question, letting individuals control which of their data may be
shared and where, is also the central challenge. As the number of
service-oriented establishments an individual participates in and shares data
with increases, it becomes harder to identify, trace and control the data being
shared. On this note, the EUGDPR was able to anticipate the line of control by
imposing strict controls and policies on companies belonging to third-party
nations as well.
With heavy penalties imposed on offending corporations, companies are now
forced to review their policies and amend any clauses so as to comply with the
EUGDPR.
The EUGDPR has been extensively referred to and discussed by the Expert
Committee in its white paper. While concepts from the EUGDPR such as privacy by
design, right to be forgotten, extra-territorial applicability etc., have
been reflected in the Bill, the Bill has been drafted in a manner such that
these concepts are moulded to fit Indian data protection requirements. Akin to
EUGDPR, the Bill has subjected sensitive personal data to greater protection.
While the concept of 'data fiduciary' in the Bill is similar to EUGDPR’s
'data controller' concept, the use of the term 'fiduciary' instead of
'controller' is intentional, as the Bill intends to impose fiduciary
responsibility on any person handling personal data.
As under the EUGDPR, the Bill also has extra-territorial applicability and
would apply to the processing of personal data by data fiduciaries/processors
outside India if the data processing occurs in connection with:
- any business carried on in India;
- any systematic activity of offering of goods and services to data
principals within the territory of India; or
- the profiling of data principals within the territory of India.
Further, while the Bill recognizes the right to be forgotten of a data
principal, unlike the EUGDPR it does not entitle the data principal to seek
deletion of personal data; it provides only a limited right to restrict or
prevent continuing disclosure of personal data, subject to fulfilment of
certain criteria. Similar to the EUGDPR, the Bill prescribes hefty penalties
for violation of its provisions based on the total worldwide turnover of the
entity in the previous financial year.
While the Bill has been drafted along the lines of EUGDPR, the two are not
identical. The Bill has taken cognizance of India’s unique data protection
requirements and has attempted to address the same.
Issues relating to the classification and categorization of data and the
attendant regulation of data practices and activities, which are at the core of
any data protection framework, are not clearly established in the Bill. For
example, the Bill creates a new category of personal data called 'critical
personal data', which would be subject to local data processing requirements
and prohibitions from any movement across the border.
However, neither the Bill nor the Committee’s report provides any objective
criteria for such classification by the Central Government. Further, even
though the Bill exempts 'anonymized data' from its purview, it does not adapt
legal requirements in circumstances where other de-identification techniques
are used to mitigate privacy risks, including with respect to data breach
notification obligations and risk assessments, which would encourage use of
these practices. Other data categories, like non-personal data and 'community
data', are mentioned in passing, but are neither adequately discussed nor
explained in the report or the Bill.[i]
The Bill also does not adopt a pragmatic approach with respect to supervisory
and enforcement functions. The Bill establishes an independent regulator called
the Data Protection Authority (DPA), but its current formulation would make it
ineffective.[ii] While the report recognizes the lack of regulatory capacity and
expertise in India to carry out the DPA’s proposed functions, the Bill continues
to burden the DPA with such functions, including wide discretionary powers that
could disrupt business operations in India.
There is also no clarity on whether the Bill adopts a collaborative approach to
rule-making, wherein industry stakeholders will have an opportunity to
participate in the formulation of codes, standards and regulations. The lack of
clarity in the Bill on these underlying principles, which lie at the core of any
data protection framework, creates an environment of uncertainty for businesses,
which could have a spillover effect on commercial operations, R&D activities,
and future investments in India. Further, the unpredictability of rules, as
several provisions will be determined after the enactment of the Bill, impinges
on the ability of organisations to define appropriate data protection programs,
policies and practices.
End-Notes:
- [i] https://www.businessworld.in/article/The-Personal-Data-Protection-Bill-2018-An-Answer-To-India-s-Data-Protection-Issues-/01-01-2019-165633/ (Last accessed on 14.05.2020)
- [ii] https://www.bsa.org/files/policy-filings/09282018BSACommentsonIndiaDataProtectionBill.pdf (Last accessed on 16.05.2020)