What is India’s Data Security Regime?


India’s privacy protection has been challenged regularly, but detractors have rarely offered detailed reform recommendations. Recently, there has been a lot of interest in addressing the privacy of personal information at both federal and state levels.

India is not a signatory to any personal data privacy treaty comparable to the General Data Protection Regulation (GDPR) or the Data Protection Directive. On the other hand, India has accepted or is a party to several international declarations and conventions that recognize the right to privacy, such as the Universal Declaration of Human Rights (UDHR) under Article 12 and the International Covenant on Civil and Political Rights (ICCPR) under Article 16-17.

Evolution of Data Privacy in India

India has not yet established what could strictly be termed data protection legislation. However, there are a few provisions which serve similar functions. The Information Technology Act, 2000 was amended by the Indian legislature to include Sections 43A and 72A, which provide a right to compensation for false disclosure of personal information. Similarly, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 were created by the Indian national government in response to the IT Act’s Section 43A. On August 24, 2011, a clarification to the preceding Rules was released. The Rules place extra duties on Indian commercial and corporate enterprises concerning acquiring and disclosing sensitive personal data or information, which are analogous to the GDPR and the Data Protection Directive.

The Supreme Court of India recognized the right to privacy as a fundamental right under Article 21 of the Constitution, as part of the right to “life” and “personal liberty,” in a historic verdict handed down in Justice K.S. Puttaswamy & others vs. Union of India.

Informational privacy has been recognized as a part of the right to privacy. The court has ruled that information about a person, as well as the ability to access such data, must be afforded personal protection. The court stated that everyone should have the right to control the commercial use of their identity and that this right includes the “right of individuals to exclusively commercially exploit their identity and personal information, to control the information available about them on the internet, and to disseminate certain personal information for limited purposes only.” The Supreme Court, for the first time, explicitly recognized an individual’s right to control their personal data. 

As a result of all this, the Indian government finally formed a committee to create a data privacy act. The committee submitted a draft law, which the Indian government adopted as the Personal Data Protection Bill, 2019.  

If this bill is passed, S. 43A of the IT Act would be repealed and replaced by this more comprehensive data protection policy. The Bill has yet to become an act as of December 2021. It is also likely to be implemented in phases even after it is enacted. There is currently no information on a timetable for implementation.

Features of the PDP Bill

The PDP Bill adheres to the following principles:

  • processing of personal data must be just and equitable;
  • it must be for an appointed motive; 
  • only personal data necessary for the aim should be collected;
  • it must be lawful; 
  • adequate notice of the processing must be provided to the individual;
  • personal data processed must be complete, accurate, and not misleading; 
  • personal data processing must be done accurately.

This Bill, in short, regulates or monitors how the government, firms established in India, and international companies handle or deal with the personal data of Indian individuals. Personal data refers to information that may be used to identify the individual to whom the information pertains. In addition, the Bill recognizes some sensitive personal data, such as financial information, biometric information, caste, or religious or political opinions, as being the most vulnerable to cybercrime.

Several exclusions are proposed in the PDP Bill. It would not apply to data that has been anonymized or data that has been de-identified. The government can also exclude data processors in India from processing personal data of persons who are not based in India if the processing is done under a contract with a firm situated outside of India. Furthermore, the PDP Bill lists several government and national-security based exclusions, including processing personal data for reasons such as state security, law enforcement, judicial procedures, research and archiving, or processing by small companies.

Detractors and the opposition have also pointed out a few shortcomings of the bill. Firstly, the Central Government can exclude any government agency from complying with the Bill under section 35. Government agencies will subsequently be free to process personal data without adhering to any of the Bill’s safeguards. This might put consumers’ privacy in danger.

Secondly, users may find it challenging to implement numerous user protections under the Bill due to a weakened concept of consent. For example, a third party threatening legal implications for users who refuse to agree to a data processing activity is not seen as a separate category of coercion. Effectively, this may deter users from withdrawing consent for processing activities they wish to opt out of.


Nowadays, computer systems hold vast volumes of sensitive data, making data protection a fundamental human right. Non-authorized access to computers, computer systems, computer networks/resources, or unlawful alteration, deletion, addition, modification, destruction, duplication, or transport of data, as well as data breaches and privacy, are all defined under information technology regulation. Financial data, health data, business ideas, intellectual property, and sensitive data are all examples of data that may need to be protected.

Today, anyone’s personal information may be viewed at any time from anywhere, posing a new danger to the safeguarding of confidentiality. People’s engagement in the digital economy has expanded due to the pandemic. Sadly, the incidence of personal data breaches from major digital service providers has grown alarmingly during the same period. Even while India is attempting to establish and create legislation for data protection and privacy, there are still specific gaps to be addressed. As a result, given the critical necessity of data protection and privacy legislation in today’s world, our Indian legislature must take a step ahead in implementing and developing this new branch of law. There are several data protection regulations worldwide that, if accepted and executed carefully in India, might help reduce data protection difficulties.

Author: Usha Saha, Legal Intern at PA Legal.