Personal Data Protection Bill 2018

The author is Head of Compliance at Bellwether. A strong advocate of the 'privacy by design and by default' principle, he leads the privacy compliance consulting practice at Bellwether with the help of a team of experienced consultants in the fields of internet privacy, compliance, digital transformation and litigation.


Right to privacy

It all started when the Supreme Court of India, in its landmark judgement in 2018, ruled that the 'Right to privacy' is a fundamental right of every citizen of India. This judgement also paved the way for the Government of India to work towards a comprehensive law to protect the personal data or personally identifiable information (PII) of its citizens, similar to the European Union's General Data Protection Regulation.


What is Personally Identifiable Information / PII?

Personal data or personally identifiable information (PII) is any data that can directly or indirectly identify a person with great accuracy. For example, the name of a person combined with the date of birth is PII. Similarly, postal address, email ID and phone number are PII. Apart from these, an individual's health information and political and religious beliefs are all personal data under the Indian Personal Data Protection Bill.

Since you are visiting this website, your IP address is recorded in our web server logs and can be used to identify you as a person. Hence IP addresses are also included in the definition of personal data.

Key takeaways from the Bill

Data protection obligation

Till now, there are no laws in India to ensure that personal data stored with businesses (banks, telcos, insurance firms, social media platforms, etc.) is protected from data breaches.

The proposed bill intends to make it an obligation to safeguard the data and to impose hefty penalties for data security breaches.

Personal data processing

The bill mandates that companies that process personal data for business purposes do so only if they have one of the grounds below:

a. Consent from the person

b. To fulfill a contract

c. To comply with law

d. Legitimate interest to carry out their business

Rights of Data Principal

The bill proposes certain rights related to personal data of an individual, namely:

a) Right to confirmation and access – For example, an individual can ask any business or service provider about his/her personal data they hold.

b) Right to correction – In case incorrect personal data is stored with a provider, an individual will have the right to ask for it to be corrected. This right has several implications, including sending an information correction request to search engines like Google and social media companies like Facebook to correct any personal data held by those companies.

c) Right to Data Portability – An individual can request a soft copy of his personal data that is stored and processed by a company.

d) Right to Be Forgotten – Also known as "the right to be left alone", this right ensures that all copies of the data are deleted when requested by the individual. This right will also have wider implications, like asking a search engine like Google to delete certain references to an individual from the search results.

Data localization

While the bill permits transfer of personal data of Indian citizens outside the territory of India, it mandates that a copy of the data be stored within India. This restriction may increase the IT costs for companies that do not already store the data inside India.


The bill proposes several accountability measures for organizations that process personal data, such as privacy by design, appointing a Data Protection Officer (DPO), carrying out a Data Protection Impact Assessment (DPIA) and data breach notifications, among others.


Looking for Privacy Compliance?
Our consultants can drive your Enterprise Risk Management

Bellwether has developed a world-class Enterprise Risk Management framework by combining functional, information security and legal expertise. Our privacy consulting clients range from start-ups to large enterprises.

Get in touch today to talk to a Privacy Compliance Consultant and explore the ways to manage your enterprise risk and uncover value.

Indian Data Protection Bill - penalties

The Indian Data Protection Bill proposes hefty fines for organizations for non-compliance with the regulation.

With fines up to INR 15 crore or 4% of the global revenues, whichever is higher, organizations processing personal data need to follow rigorous compliance processes in order to avoid penalties.

A similar privacy law of the European Union, GDPR, which came into effect in May 2018, has resulted in a whopping 3300 crores of penalties so far to organizations across the world for non-compliance.

A similar trend is expected in India once the bill is passed by the Indian parliament and becomes an act.

Indian Data Protection Bill - In the news

India’s first privacy regulation is closer to reality

The Personal Data Protection Bill got the Union Cabinet's nod on December 3rd, 2019. Read more on LiveMint.

Tech companies and the Personal Data Protection Bill

India's privacy bill could be a cause of concern for Facebook and Google as well as for smaller tech companies, as the bill extends the power of the government to request user data to help policy making.

How India’s new privacy law is set to disrupt the operations of global firms

The Wikimedia Foundation has sent a letter to IT minister Ravi Shankar Prasad over a clause in the bill that proposes web content filtering.
