Data protection 1, 2018

Personal Data Protection Bill



Ministry of Electronics & Information Technology


Data privacy, transparency, right to be forgotten, automated decision-making


The draft bill proposes a complex new legal framework for data protection that is similar to the European GDPR.

The bill will apply to every organization (State, companies, individuals) that processes personal data, and extends to entities offering goods or services in India and to those who profile Indian individuals. It defines personal data as “any data that allows an individual to be directly or indirectly identified.” According to the bill, data processing must be based on consent, obtained no later than at the commencement of data processing, and this consent must be free, informed, specific, clear, and capable of being withdrawn. The bill grants data subjects (principals) rights similar to those under the GDPR: the right to access, correction, data portability and the right to be forgotten. However, the right to be forgotten is not a right to erasure; rather, it is a right to have a fiduciary prevent or restrict disclosure of personal data. Unlike the GDPR, which allows data subjects to object to decisions made solely on the basis of automated processing, the Indian bill has no such provision.

Data protection obligations include fair and reasonable processing, purpose limitation, collection limitation, lawful processing, notice, data quality, data storage limitation, and accountability. The bill also establishes a Data Protection Authority (DPA), with members appointed by the Central Government.

The bill calls for several transparency and accountability measures.

First and foremost, every data fiduciary must implement Privacy by Design policies extending to managerial, organisational, business practices and technical systems to anticipate, identify and avoid harm. Business interests should be pursued without compromising privacy interests and data processing should be carried out in a transparent manner.

Moreover, a record of data processing must be kept, and there is an obligation to run data protection impact assessments and an annual audit of policies and conduct. An impact assessment is mandated when a data fiduciary undertakes large-scale profiling or uses sensitive personal data, such as biometric data. Such an impact assessment must at minimum include a detailed description of the proposed processing and its purpose, as well as the data to be used; an assessment of the potential harm to data principals; and measures for managing or removing the risk of such harms occurring. The Data Protection Authority will review these assessments and may set further conditions or direct the fiduciary to stop the relevant activities. Organizations involved in such high-risk processing are considered “significant data fiduciaries” and will need to appoint a data protection officer (“DPO”). Organizations not present in India that fall under the scope of the Bill will need to appoint a DPO who is based in India.

The data localization requirements mandate that copies of recorded data must be stored on Indian servers. In addition, the government defines certain ‘critical’ types of data, which may only be processed on Indian servers.

AI Governance

This database is an information resource about global governance activities related to artificial intelligence. It is designed as a tool to help researchers, innovators, and policymakers better understand how AI governance is developing around the world.
