Policy Briefing — August 11, 2021

Executive briefing: India's Ministry of Electronics and Information Technology released the first draft of the Digital Personal Data Protection Bill on August 11, 2021, following years of deliberation after Supreme Court established privacy as fundamental right in 2017 Puttaswamy judgment. The draft bill establishes consent-based framework for personal data processing, creates data principal rights including access and erasure, imposes obligations on data fiduciaries and processors, and restricts cross-border data transfers to approved jurisdictions. While resembling European GDPR in structure, the Indian framework incorporates distinct provisions addressing digital literacy challenges, government access authorities, and sovereignty concerns appropriate for developing economy context. The bill underwent multiple revisions with subsequent drafts in 2019, 2021, and 2022 before passage as Digital Personal Data Protection Act in August 2023. Organizations processing data of Indian residents should track legislative evolution, assess compliance obligations under emerging framework, and prepare for implementation requirements expected 12-18 months after enactment. The Indian market represents over 700 million internet users growing rapidly, making data protection compliance strategically critical for global technology companies, e-commerce platforms, and business process outsourcing providers.

Scope and applicability framework

The draft bill applies to processing of digital personal data within India and processing of data of individuals located in India by entities outside India in connection with offering goods or services to such individuals. This extraterritorial reach mirrors GDPR Article 3(2) establishing global compliance obligations for organizations targeting Indian market regardless of physical presence. Personal data definition encompasses any data about individual who is identifiable by or in relation to such data, including both directly identifying information and indirect identifiers capable of singling out individuals when combined with other data. The bill creates lighter obligations for small data fiduciaries processing limited volumes below government-specified thresholds, recognizing compliance burden disproportionately affects startups and small enterprises. Certain processing activities receive exemptions including data processed for prevention, detection, investigation of offences, national security, sovereignty and integrity of state, and research, statistical, or archival purposes when appropriate safeguards exist. However, exemptions remain narrowly scoped compared to broader public interest derogations in European frameworks, reflecting India's emphasis on data protection even when balanced against legitimate governmental interests.

Consent requirements and data principal rights

The bill establishes consent as primary legal basis for data processing, requiring consent be free, specific, informed, unconditional, and unambiguous with clear affirmative action. Data fiduciaries must provide notice of processing purposes, categories of personal data collected, data retention periods, rights available to data principals, and contact information for grievance redressal. Unlike GDPR which permits multiple legal bases including legitimate interests, the Indian framework centers almost exclusively on consent except for narrow statutory exemptions. This approach creates compliance challenges for processing types difficult to consent-model including fraud prevention, network security, and analytics where real-time consent impractical. Data principals receive rights to access their personal data, obtain copies in machine-readable format, seek correction of inaccuracies, request erasure when no longer necessary for purposes collected, and nominate representatives for posthumous data management. The bill establishes data portability obligations enabling individuals to transfer data between service providers, facilitating competition and reducing lock-in effects. However, portability scope remains ambiguous regarding derived insights, analytics outputs, and value-added processing beyond raw personal data supplied by individuals. Organizations should establish technical capabilities for data subject request fulfillment within response time limits specified by draft regulations following bill enactment.

Cross-border transfer restrictions

The draft imposes restrictions on cross-border transfers of personal data, permitting transfers only to jurisdictions approved by central government based on adequacy determinations assessing data protection standards, rule of law, and access rights available in destination countries. This approach resembles GDPR adequacy decisions but centralizes authority in executive branch rather than independent data protection authority. In absence of adequacy findings, organizations may transfer data based on standard contractual clauses approved by government or binding corporate rules for intra-group transfers subject to government approval. Critical personal data—defined by government notifications covering sensitive categories requiring enhanced protection—faces absolute localization mandate prohibiting foreign storage or processing. The localization provisions generated significant controversy from technology industry, trade partners, and privacy advocates concerned about costs, security implications, and incompatibility with global cloud architectures. Subsequent bill versions modified cross-border provisions reducing mandatory localization while retaining government discretion to designate categories requiring domestic storage. Organizations operating global platforms should assess data residency obligations, evaluate India-specific infrastructure investments, and monitor government notifications designating critical personal data categories as regulations develop following bill passage.

Data fiduciary and processor obligations

Data fiduciaries bear primary compliance obligations including implementing reasonable security safeguards, conducting data protection impact assessments for high-risk processing, appointing data protection officers for specified entity categories, and maintaining processing records documenting compliance activities. The bill introduces data auditor concept requiring periodic independent audits of data protection practices with audit reports submitted to Data Protection Authority. Security safeguard requirements will be detailed in technical standards and regulations following bill enactment, likely incorporating ISO 27001, SOC 2, and industry-specific frameworks as baseline expectations. Breach notification obligations require informing Data Protection Authority and affected individuals within prescribed timelines when breaches create risk of harm, with specific notification content requirements including breach circumstances, categories of data affected, likely consequences, and remediation measures undertaken. Data processors acting on behalf of fiduciaries must process data only on documented instructions, implement appropriate security measures, assist fiduciaries in responding to data principal requests, and delete data upon instruction or contract termination. Organizations should establish vendor risk management programs assessing processor compliance capabilities, incorporating data protection clauses in service agreements, and conducting periodic audits of processor practices consistent with bill obligations.

Regulatory authority and enforcement

The bill establishes Data Protection Authority of India as independent regulatory body responsible for monitoring compliance, investigating complaints, conducting audits, issuing codes of practice, and imposing penalties for violations. The Authority receives powers to summon persons, examine witnesses, require production of documents, conduct search and seizure operations, and issue binding directions to data fiduciaries. Penalty framework permits fines up to greater of 15 crore rupees (approximately 2 million USD) or 4 percent of global turnover for serious violations including processing without consent, failing to implement security safeguards, or obstructing Authority investigations. Lesser violations attract penalties up to 5 crore rupees. The tiered penalty structure resembles GDPR approach distinguishing serious infringements warranting maximum fines from procedural violations meriting lower penalties. However, absolute fine caps significantly lower than GDPR percentages create asymmetric deterrence where small entities face material penalties while large global platforms absorb fines as cost of business. The Authority must establish adjudication procedures providing fair hearing, evidentiary standards, appeal mechanisms, and proportionate penalty determination considering violation severity, harm caused, compliance history, and corrective actions undertaken. Organizations should establish data protection governance programs, conduct compliance assessments, implement technical and organizational measures, and train employees on India-specific requirements to demonstrate good faith compliance efforts mitigating penalty exposure.

Evolution toward final legislation

The August 2021 draft represented early stage in multi-year legislative process involving stakeholder consultations, parliamentary committee reviews, and political considerations balancing innovation, privacy, and sovereignty interests. Subsequent developments included December 2021 withdrawal of initial bill, release of new draft in November 2022, and passage as Digital Personal Data Protection Act 2023 in August 2023. Key changes during legislative evolution included simplification of consent frameworks, narrowing of cross-border transfer restrictions, removal of social media intermediary obligations, and clarification of government access authorities. Organizations tracking Indian data protection should monitor rule-making processes following Act passage as detailed obligations emerge through technical standards, security frameworks, breach notification timelines, and Data Protection Authority operational procedures. Implementation timelines likely provide 12-18 month transition periods given infrastructure investments, process changes, and technical implementations required for compliance. Early preparation positions organizations advantageously when enforcement commences, enabling market access while competitors scramble to achieve baseline compliance. India's framework development provides lessons for other emerging markets establishing data protection regimes balancing privacy rights, economic development, and regulatory capacity constraints.

Action plan

Conduct data inventory mapping processing activities involving Indian residents including data collection sources, processing purposes, retention periods, cross-border transfer destinations, and third-party sharing arrangements. Assess current consent mechanisms against draft bill requirements evaluating whether existing consents meet specificity, granularity, and documentation standards. Review data security practices benchmarking against expected standards and identifying gaps requiring remediation. Evaluate cross-border data flows determining transfer mechanisms, adequacy status of destination jurisdictions, and potential localization requirements for critical data categories. Establish data subject request handling procedures enabling individuals to exercise access, correction, erasure, and portability rights within response timeframes. Designate data protection officer role with appropriate authority, resources, and reporting lines if entity meets threshold requirements. Engage India-specific legal counsel monitoring legislative developments, participating in industry association policy engagement, and advising on compliance implementation. Update vendor contracts incorporating data processor obligations, security requirements, and audit rights consistent with bill provisions. Develop breach response procedures addressing detection, assessment, notification, remediation, and documentation obligations. Budget for compliance investments including technical implementations, process changes, legal reviews, and training programs required for bill obligations.

Zeph Tech analysis

India's data protection journey reflects tensions between protecting fundamental privacy rights established by Supreme Court, fostering digital economy growth central to economic development, and asserting data sovereignty amid geopolitical competition. The bill's consent-centric approach creates compliance friction compared to GDPR's flexible legal basis framework, potentially hindering beneficial processing types including fraud prevention, security monitoring, and service improvement analytics. Organizations may resort to overlapping consent requests covering multiple processing purposes or rely on exemptions stretching statutory language to accommodate operational realities. Cross-border transfer restrictions represent most contentious provisions pitting data sovereignty concerns against cloud computing architectures, global service delivery models, and international trade obligations. Mandatory localization for critical personal data categories creates cost barriers particularly affecting small Indian startups lacking resources to maintain dual infrastructure while benefiting entrenched players with existing domestic operations. Data Protection Authority independence remains critical variable determining framework effectiveness. Adequate funding, technical expertise, enforcement discretion, and insulation from political pressure will determine whether Authority develops into credible regulator commanding voluntary compliance or toothless bureaucracy issuing symbolic penalties. India's market size ensures global technology platforms will invest in compliance regardless of regulatory effectiveness, but Indian businesses and startups may face disproportionate burden without corresponding privacy benefits if regulations become box-checking exercises. The legislative evolution demonstrates importance of stakeholder engagement, iterative drafting, and implementation realism when developing comprehensive privacy frameworks. Organizations should treat India compliance as strategic market access requirement rather than pure compliance cost, recognizing that privacy-respecting practices build consumer trust essential for customer acquisition and retention in digitally maturing market.

Related briefings

Curated signals from the same pillar or overlapping topics.

Policy · Credibility 88/100 · January 2, 2022

Policy Briefing — UAE Personal Data Protection Law Commences

The UAE Personal Data Protection Law entered into force on 2 January 2022, triggering enterprise-wide data governance, board oversight, and vendor sourcing programmes ahead of Executive Regulation enforcement.

Policy · Credibility 91/100 · April 1, 2022

Policy Briefing — Japan’s Amended APPI Commences

Japan’s April 1, 2022 APPI amendments tighten breach reporting, cross-border transparency, and data subject rights, pushing global privacy teams to upgrade governance, vendor oversight, and consumer response workflows…

Policy · Credibility 94/100 · July 16, 2020

Policy Briefing — Schrems II voids Privacy Shield and tightens SCC due diligence

The CJEU’s Schrems II judgment invalidated the EU–U.S. Privacy Shield and reaffirmed Standard Contractual Clauses while requiring exporters to assess destination surveillance regimes and apply supplementary safeguards…

Policy · Credibility 90/100 · October 17, 2022

Policy Briefing — Indonesia Personal Data Protection Law Enacted

Indonesia enacted Law No. 27 of 2022 on Personal Data Protection, establishing comprehensive controller duties, fines, and criminal sanctions that organisations must operationalise within a two-year transition period.

Policy · Credibility 90/100 · March 7, 2024

Policy Briefing — India Publishes Draft DPDP Rules for Consultation

India’s Ministry of Electronics and Information Technology released draft Digital Personal Data Protection Rules on 7 March 2024, outlining consent, notice, and cross-border transfer obligations ahead of the DPDP Act’s…