India Withdraws Personal Data Protection Bill

On 3 August 2022 the Indian government withdrew the Personal Data Protection Bill 2019 from Parliament after years of deliberation and over 80 proposed amendments from a Joint Parliamentary Committee. The withdrawal reset India data protection legislative process, with the government indicating plans to develop a full new framework addressing not only personal data but also broader digital governance issues.

Background on the Withdrawn Legislation

The Personal Data Protection Bill 2019 was introduced after extensive development beginning with the Justice Srikrishna Committee in 2017-2018. The bill proposed a full data protection framework modeled on GDPR principles but with significant India-specific provisions including data localization requirements and government exemptions.

• Scope and coverage. The bill would have regulated processing of personal data by government and private entities, with additional protections for sensitive personal data and critical personal data categories subject to strict localization requirements.
• Data Protection Authority. The bill proposed establishing a Data Protection Authority of India to oversee setup, receive complaints, conduct investigations, and impose penalties for non-compliance.
• Cross-border transfer restrictions. Controversial data localization provisions would have required certain categories of personal data to be stored and processed exclusively within India, raising concerns among multinational companies.

Reasons for Withdrawal

The government cited the extensive changes recommended by the Joint Parliamentary Committee as requiring a fresh approach rather than attempting to reconcile divergent provisions. Key areas of contention included government exemptions, data localization scope, and enforcement mechanisms.

• Government exemptions. Broad exemptions allowing government agencies to bypass data protection requirements faced criticism from privacy advocates and created concerns about surveillance without adequate oversight.
• Data localization debates. Industry teams argued that strict localization requirements would increase costs, impede innovation, and create barriers to international business operations without proportionate privacy benefits.
• Regulatory complexity. The accumulated amendments created a complex regulatory framework that teams argued would be difficult to implement and enforce effectively.

Implications for Organizations

The bill withdrawal created temporary regulatory uncertainty for organizations that had begun compliance preparations. However, existing sectoral data protection requirements remain in effect, and you should maintain data protection programs aligned with international standards.

• Continued SPDI Rules applicability. The Information Technology Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules 2011 remain the primary data protection requirement under IT Act Section 43A.
• Sector-specific requirements. Financial services, healthcare, and telecommunications sectors remain subject to sector-specific data protection and localization requirements that were not affected by the bill withdrawal.
• International standard alignment. If you are affected, continue aligning with international data protection standards like GDPR principles, anticipating that future Indian legislation will probably incorporate similar requirements.

Path Forward for Indian Data Protection

Following the withdrawal, the Ministry of Electronics and Information Technology began developing the Digital Personal Data Protection Bill, which was then introduced in August 2023. If you are affected, monitor legislative developments and prepare for eventual compliance with full data protection requirements.

Lessons for Multinational Compliance Planning

The Indian experience illustrates challenges of compliance planning amid legislative uncertainty. Organizations operating in jurisdictions with pending data protection legislation should develop flexible compliance frameworks that can adapt to eventual requirements while meeting current obligations and stakeholder expectations for responsible data handling.

See also

Selected articles on related subjects.

Data Strategy · Credibility 40/100 · September 1, 2022

China Cross-Border Data Security Assessments Effective

China's Cyberspace Administration began enforcing mandatory security assessments for certain cross-border data transfers on 1 September 2022, requiring exporters to file assessments or adopt standard contracts before…

Data Strategy · Credibility 40/100 · August 11, 2023

India Digital Personal Data Protection Act Assent

After years of debate, India finally has a privacy law. The Digital Personal Data Protection Act establishes consent requirements, cross-border data transfer rules, and fines up to ₹250 crore (about $30 million). If you…

Data Strategy · Credibility 40/100 · June 28, 2022

G7 Elmau Commitments on Data Free Flow with Trust

At the June 2022 Elmau summit, G7 leaders endorsed a roadmap for Data Free Flow with Trust (DFFT) with deliverables on interoperability, trusted data spaces, and SME enablement, signaling policy alignment that data teams…

Data Strategy · Credibility 71/100 · April 6, 2022

EU Data Governance Act adopted by Parliament

The European Parliament formally adopted the Data Governance Act on 6 April 2022, establishing new rules for trusted data intermediaries, public-sector data reuse, and data altruism registers ahead of its June 2022 entry…

Data Strategy · Credibility 85/100 · February 10, 2022

Data Strategy — African Union

The African Union Data Policy Framework adopted 10 February 2022 demands continental coordination on data governance, operational readiness, and sourcing partnerships across member states.

Continue in the Data Strategy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Data Strategy Operating Model Guide

  Design a data strategy operating model that satisfies the EU Data Act, EU Data Governance Act, U.S. Evidence Act, and Singapore Digital Government policies with measurable…

• Data Interoperability Engineering Guide

  Engineer interoperable data exchanges that satisfy the EU Data Act, Data Governance Act, European Interoperability Framework, and ISO/IEC 19941 portability requirements.

• Data Stewardship Operating Model Guide

  Establish accountable data stewardship programmes that meet U.S. Evidence Act mandates, Canada’s Directive on Service and Digital, and OECD data governance principles while…

Coverage intelligence

Published

August 3, 2022

Coverage pillar

Data Strategy

Source credibility

40/100 — low confidence

Topics

Data Protection · Localization · India · Cross-border data · Regulation

Sources cited

3 sources (pqars.nic.in, economictimes.indiatimes.com, iso.org)

Reading time

5 min

Cited sources

1. MeitY parliamentary response withdrawing PDP Bill
2. Press coverage on PDP Bill withdrawal
3. ISO 8000-2:2022 — Data Quality Management — International Organization for Standardization