India’s First Major Personal Data Protection Bill.

Flag of India

Photo taken by Naveed Ahmed

India’s first major Personal Data Protection Bill.

On the 11th of December 2019, a new bill was tabled in Indian parliament and is the country’s first attempt to introduce legislative mechanisms for protection of personal data, creating a new level of Data Protection of Authority within the nation. Much like the European equivalent, General Data Protection Regulation (GDPR), the Personal Data Protection Bill (PDPB), will regulate how processing of an individual’s personal data can be conducted. The PDPB shares many similarities with the GDPR. They both seek to:

•    Impose tough penalties on organisations that fail to comply with the regulation or abuse an individual’s personal data.
•    Provide additional rights and freedoms to data subjects.
•    Place accountability on organisations for protecting an individual’s personal data.

However, there are also some stark contrasts, with some facets being particularly contentious. Most notably is the extensive freedom that will be given to Government bodies, law enforcement agencies, and authorised third parties to access citizen data. As such, these government agencies will be essentially be exempt from any legal obligations. Naturally, this has led to some resistance with fair criticism highlighting the risk of data misuse through all this potentially unaccounted access to personal data. The flip side of this is that the Government would have more control of the data itself to better track malicious activities.

Despite these concerns, the Bill should be acknowledged as a step in the right direction as India begins building a culture of ‘digital trust’ in cyber oriented world we live in.

The PDPB is expected to be passed into official law sometime in 2020 and will inevitably affect foreign trading companies with significant impact with new obligations for conducting business with its citizens. For a complete break-down of the differences of the GDPR and the PDPB, download the attached PDF below by Covington and Burling.

It is interesting to note that the analysis of the differences by the comparison indicates that in some instances ‘major operational change likely to be required’. Therefore, it is recommended that if you are currently dealing with India, it is advised that you gain familiarity with the PDPB, as changes may be needed to the way that data is processed.

About Us: Tacita is a leading General Data Protection Regulation (GDPR) compliance specialist operating from their base in the United Kingdom. This company helps clients maintain their GDPR compliance by undertaking independent external GDPR assessments in a cost-effective manner with minimal disruption to the client. Offering clear and actionable solutions, the company offers an unbiased service ensuring their clients save time, money, and energy when it comes to their GDPR requirements. Tacita provides a three-step process, which includes assessments, recommendations and resolutions with detailed reporting and data processing, record processing and privacy policies. Full details can be found at

Send us a message

Telephone: +44 20 4526 5699

To see how we use your data, see our Privacy Notice.