India's Data Protection Law

India’s Data Protection Law


The impending data protection law in India and the challenges and gaps in the proposed Digital Personal Data Protection (DPDP) Bill, which is likely to be presented during the ongoing monsoon session of Parliament.


GS-02 (Government Policies and Intervention)


  • Digital Personal Data Protection (DPDP) Bill
  • Right to Privacy, Puttaswamy Judgement, Data Protection Laws of Other Nations.

Mains Questions:

  • Discuss the critical gaps and challenges in India’s Digital Personal Data Protection (DPDP) Bill as compared to the European Union’s General Data Protection Regulation (GDPR). How can policymakers address these gaps to ensure a more future-proof and effective data protection law for over 1.4 billion Indians? (250 words)

Dimensions of the Article:

  • Issues around data use
  • Limited reach of data protection board

Issues around data use

  • The DPDP Bill’s scope and definition solely protect personal data, which pertains to information directly or indirectly identifying individuals. However, the contemporary data economy involves the utilization of various data types, both personal and non-personal, for purposes such as targeting, profiling, prediction, and user monitoring. Non-personal data, though seemingly anonymous, can, when combined with other datasets, lead to the identification of individuals, thus affecting user privacy.
  • For example, seemingly anonymous data about Uber rides in New Delhi can be linked to prayer timings, enabling identification of specific community members, including their home addresses.
  • Such re-identification of non-personal data poses significant privacy risks. The earlier versions of India’s draft data protection Bills from 2018 and 2019 accounted for these risks, but the latest draft overlooks them.

Limited reach of data protection board

  • This board serves as the authority responsible for enforcing the law, but it can only take action when someone affected files a complaint or if directed by the government or a court.
  • There exists a single exception where the board can act independently—to enforce specific duties listed in the Bill for users and adjudicate disputes related to these duties, rather than those between users and data-processing entities.
  • In the dynamic data economy, users often lack control and comprehensive knowledge about data transfers and exchanges, leaving them at a disadvantage compared to data-processing entities.
  • For instance, a food delivery app could sell user data to data brokers, breaching the users’ contractual agreements without their knowledge. Due to limited individual resources and incentives, users may find it challenging to approach the data protection board to address such violations.

Way Forward

  • Addressing the gaps identified in the DPDP Bill is paramount to ensure that India’s data protection law stands the test of time and effectively safeguards its citizens’ privacy.
  • By expanding the Bill’s scope to cover re-identification of non-personal data and granting the data protection board the ability to initiate complaints autonomously, policymakers can enhance the legislation’s future-proof nature.
  • Moreover, it is essential for India to learn from the experiences of other countries, like the EU with its GDPR, to avoid pitfalls and improve implementation. Collaborative efforts involving various stakeholders, including government agencies, industry players, privacy experts, and civil society, will be indispensable in shaping a robust and effective data protection framework.