India’s Digital Personal Data Protection Bill Paves the Way for a Secure Future


The Digital Personal Data Protection Bill passed by the Rajya Sabha today is a welcome step. This marks  a significant leap forward for India to establish a robust framework for personal data protection and  build India as a trusted data destination. Ensuring comprehensive data protection is paramount for  accelerating India’s digital economy and the bill strikes a harmonious balance between flexibility and  data privacy measures. 

Ms. Debjani Ghosh, President, nasscom said, “The passage of the Data Protection Bill by both the  houses of the Parliament is a landmark moment. The technology industry and nasscom have been  working collaboratively with the government from the start to share insights and industry experiences  from global regulations, the India differentiators and provided detailed submissions through the  evolution of this Bill”. She further added, “We truly appreciate the consultative approach that engaged  all relevant stakeholders at each phase in defining the digital data protection bill and is really looking  forward to India having its own Data Protection law. This is a giant step forward towards establishing  India as a Trusted Innovation Partner for the world.” 

Some of the key recommendations which are reflected in the Bill include: 

Protection of data principals: Concept of purpose limitation and data minimization should be  provided in the law. Inclusion of these concepts together with the novel concept of consent  manager in the law is welcome and it should empower the users to effectively exercise their rights.  

Export Sector: The law should enhance trust in processing data in India. Processing of foreign  data in India should avoid overlaps with the laws of the countries whose data is being  processed. Accordingly, the bill provides that companies processing foreign data in India will  need to adhere to security safeguards to prevent personal data breaches under the law. 

Start-ups: Obligations should be risk-based so that start-ups and small and medium enterprises  are not unduly burdened. The bill provides the power to exempt startups from certain obligations and imposes additional obligations on significant entities. This risk-based  framework is welcome. 

Cross-border data transfers: There should not be default data localisation in the law and the  approach of whitelisting countries to permit data transfers should be avoided, as it is not  practicable. This has been addressed in the bill which now enables the government to provide  safeguards without a complex permission-led process. 

Research, Search Engines, AI: Emerging technologies adoption should not get unduly  hampered and training of data sets, or operation of search engines should be permitted. The  law enables publicly available data to be processed by search engines and training of AI data  sets as long as such data is made publicly available by the person to whom it pertains or is  made available under any law.