India’s Data Protection Bill, 2021: Key Takeaways

In August 2017, a nine-judge bench of the Supreme Court emphasised that privacy is a fundamental right for Indians. While this was a landmark judgement, there were still some serious gaps in the country’s regulatory framework.

Digital Identity

In August 2017, a nine-judge bench of the Supreme Court emphasised that privacy is a fundamental right for Indians. While this was a landmark judgement, there were still some serious gaps in the country’s regulatory framework. Thus, after that, the government appointed the Data Protection Committee, which recommended an all-encompassing law on data privacy. This gave birth to the Personal Data Protection Bill, 2019.

The Personal Data Protection Bill, 2019 remained in the public eye for over two years. It had its share of ups and downs while in the Lok Sabha as well. Recently, the Joint Parliamentary Committee (JPC) submitted its suggestions, and in two years, a lot changed, including the bill’s name. So what are the key features of the Data Protection Bill, 2021? Read on to find out.

Inclusion of Non-personal Data

The first and most significant change came from increasing the bill’s ambit, with the JPC calling it “The Data Protection Bill, 2021”, dropping the word “personal” from the title. The change indicates the inclusion of non-personal data, widening the scope of the previous bill.

As you may be aware, personal data has characteristics or traits of an individual and can be used to identify him. It includes sensitive personal data like financial, health, biometric, genetic, religious, sex, and political affiliation. On the other hand, non-personal data is nonidentifiable data with a person. A simple example would be removing the name and contact details of the person from a grocery bill to make it non-personal in nature. It can also include:

  • Anonymised data of land records
  • Anonymised data vehicle registration or traffic challans
  • Industrial databases
  • Anonymised personal data

The report suggests that it is possible to de-anonymise non-personal data and it can adversely impact individuals even if it remains non-identifiable on our digital systems. Thus, the Committee seeks to introduce the Data Protection Authority (DPA), which will monitor and implement both data categories, i.e., personal and non-personal. This shift in authority is also meant to take some burden off the central government and have a single, holistic legislation for public benefit.

The bill includes both personal and non-personal data.

Appointment of the Data Protection Authority

The JPC has made the Data Protection Authority (DPA) a central and autonomous figure for controlling and regulating data in India. The selection of officials of the DPA, as per the bill, is to be made by a Selection Committee that comprises only members of the executive. While the DPA is being promoted as an independent authority, questions are raised on how skewed the selection process would be towards the government due to their direct involvement.

Even though the bill has laid down that the Selection Committee will include the Attorney General, an independent expert, a director of an IIT, and a director of an IIM, the problem may still persist. This is because even with these appointments, the Central Government can exercise its power to choose the individuals coming in as a part of the Committee from various IITs and IIMs. Additionally, the JPC revised a clause of the previous bill and stated that “the Authority should be bound by the directions of the Central Government under all cases and not just on questions of policy”. This implies that the government’s decision is to be considered final in all circumstances and not that of the DPA.

Social Media Platforms as ‘Publishers of Content’

For a long time, social media platforms were designated intermediaries under the IT Act. However, with the ever-changing and evolving nature of the social media ecosystem, this needed to change. In fact, the JPC categorically points out that adequate regulation was not done under the IT Act. Furthermore, it highlights various issues, such as fake accounts and deliberate instigation, where social media comes under scrutiny. Thus, the latest draft of the bill seeks greater accountability from the various platforms, and they are now being termed as ‘publishers of content’ rather than ‘intermediaries’.

The title change is vital because it gives social media channels the choice of who the recipient of the published content will be, and they can also control the kind of content they host. As a result, the bill will ensure that such platforms are made responsible for the content they publish and verify all unverified accounts with the help of necessary documents. Furthermore, any anonymous accounts can become a potential legal hurdle for social media platforms as they will be held accountable for any adverse situations.

Social media platforms are now ‘Publishers of Content’.

The bill also mandates the parent companies of all social media platforms to set up an office in the country, failing which they will not be permitted to operate in India. It has also recommended establishing a statutory media regulatory authority, on the lines of the Press Council of India, which will regulate the content published on the various social media platforms – whether online or in print.

The JPC also indicated that social media regulation requires deeper deliberation, although it lies beyond the scope of the Data Protection Bill, 2021. It is a different task altogether to assess if such extensive content regulation should be a part of this bill in the first place.

Data Breaches to be Reported in 72 Hours

The new bill recommends that the DPA be notified of any data leak within 72 hours of the organisation getting to know about the breach and/or consequences if a breach is not reported or appropriately handled. This is unlike the previous draft that mandated reporting of only those breaches which had the possibility of causing harm to the data principal. The JPC, thus, has removed any ambiguity that may have come during reporting or assessment.

Once reported, it is then the responsibility of the DPA to assess the severity of the leak and accordingly advice and take appropriate remedial measures. The DPA, in fact, can direct data fiduciaries to take corrective actions or report data leaks directly to the data principals. As against the bill introduced in 2019, the 2021 bill, keeping in mind that often the leaks are of large mixed datasets, allows the DPA to take necessary steps even when the breach is of non-personal data.

Importance of Data Localisation

In the grand scheme of things, data localisation is key to knowing more about consumer behaviour and opinion and helping with timely law enforcement. This, in turn, leads to better informational privacy and creates significant employment opportunities. As far as India is concerned, it is poised to be in a stronger position vis-a-vis other nations with the right kind of data. Moreover, encouraging data-based innovation will also give an impetus to various digital services in the country.

Keeping these points in mind, the bill is batting heavily for data localisation, dedicating an entire section of its report to the same. Talking about its dire need, it directed the centre to prepare a detailed and exhaustive policy on data localisation, which would also help keep the citizens’ data safe.

The new draft of the bill, as against the one of 2019, also recommends prohibiting the transfer of sensitive and critical personal data when it is “against public policy or State policy”. In this context, there has been a reduction in the power that had earlier been assigned to the DPA because the 2021 bill states that the DPA can transfer sensitive personal data only “in consultation with the Central Government”.

A comprehensive data localisation policy is expected.

Greater Government Exemptions

The 2019 version of the bill had been thoroughly criticised by the public and in Parliament since it provided many exemptions to the Government from compliance under the law. However, the 2021 bill has made it even easier for the Government to evade the jurisdiction of a data protection law. The most critical point is that the Central Government will be exempt from the law if it deems the matter expedient, even if not necessary, to prevent offences relating to the “sovereignty and integrity” of the country. Although the bill expects the conditions to be fair and justifiable, protection against exemption may be very limited in scope.

There is no question that some exemptions for the government are necessary, but the exemptions of the current bill are far too broad and can be misused. In 2018, the Justice BS Srikrishna Committee had included an exemption from the data protection law for the government only in cases of threat to national security, grounds for which are well-defined. However, the 2019 draft had many exemptions, such as public order, which were highly ambiguous. These still remain, and the JPC made no effort to curtail any misuse.

Data Portability and Cross-border Transfers

The 2021 bill has laid down the importance of protecting the right to data portability from claims of trade secrets. The Committee suggested that trade secrets are continuously evolving and sector-specific and cannot become grounds for exemption. Instead, it calls for technical feasibility as the primary basis for exemption. Such feasibility, however, can be determined by the data fiduciary “in such a manner as may be specified by regulations”.

Also, when it comes to the transfer of cross-border data, the JPC acknowledged the risks and the need to balance the flow of data with innovation. The bill divides data into three categories – personal data, sensitive personal data, and critical personal data. These will apply to Indian and foreign entities dealing with Indian citizens’ data. The cross-border transfer of such data is defined by the JPC as follows:

  • Personal data: There are no cross-border restrictions.
  • Sensitive personal data: It can be transferred outside of India, but it will continue to be stored in the country.
  • Critical personal data: This data is not allowed to be transferred outside India. Exemptions can be made if the countries are deemed to be making enough efforts to protect data.

Additionally, the DPA is bound to consult the government for its decision-making on cross-border transfers. Government approval is also necessary before any data can be shared with any foreign government or agency. Moreover, it has been proposed that such transfer should not be allowed if it goes against public or state policy.


Parliament will likely pass the Data Protection Bill of 2021 in its next session, which starts in February 2022. Having been in the works for over two years, it should be implemented in the first half of the year itself once passed. This bill indeed aims to replace a very archaic and ineffective data protection law in India and make data usage more transparent and fair. In addition, it comes with the potential to create employment and ensure greater accountability. The bill still has some gaps, but it is indeed a step towards bringing India at par with the data protection laws of other nations.

... Related Stories