Indian data privacy bill: the road ahead

By Tejas Karia and Shashank Mishra, Shardul Amarchand Mangaldas


The European Commission recently released a set of statistics reflecting on the “compliance, enforcement and awareness” of the General Data Protection Regulation (GDPR), which has been in force for over 10 months now. It shows a growing number of complaints and data breach notifications in Europe, and fines being imposed. This clearly indicates the success of the GDPR framework.

India has a lot to learn from this as the proposed Personal Data Protection Bill, 2018, is in the pipeline. The bill is expected to bring about a huge shift in personal data protection regime in the country.

Tejas Karia


The provisions of the bill require the government to notify the proposed act within 12 months from enactment. The government is required to establish a Data Protection Authority (DPA) within three months from the notification date, and within 12 months the DPA is required to notify the grounds of processing personal data, as well as codes of practice for several aspects under the proposed act.

The remaining provisions of the proposed act will come into force 18 months from the notification date, whereas the government may notify the provision mandating mirroring of personal data within India at its discretion. Overall, it is expected to take 18 months from the notification date for the provisions of the proposed act to fully take effect.


The government and the DPA also has the responsibility to formulate by-laws on several granular aspects of data privacy. The present Information Technology Act, 2000, has provisions for disclosure of personal information and implementation of reasonable security standards for sensitive personal information, which are supplemented with by-laws. While the proposed act has detailed provisions granting substantive rights to data principals, there are several key areas where it leaves scope for the government or the DPA to frame rules and regulations.

Shashank Mishra


The government has the power to establish the DPA, and appoint its chairperson and members. It also has the power to permit cross-border transfer of personal data to a particular country, sector or international organization. Both these powers are to be exercised in a time-bound manner upon the notification of the proposed act. The government also has to prescribe an adjudication mechanism under the proposed act – including an appellate tribunal, or notify an existing tribunal as the appellate tribunal. Given the merger of the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) with the Cyber Appellate Tribunal, the government may notify the TDSAT to be the appellate tribunal under the proposed act as well. Further, the government may also notify what biometric data are barred from being processed by data fiduciaries, companies or entities that are collecting data, and exempt certain data processors from the proposed act.


The DPA has been vested with the power to specify additional information that data fiduciaries may need to provide to data principals. The DPA may also specify categories of personal data that are sensitive, grounds for processing such data, and additional safeguards for, or restrictions on, processing it. The DPA has been granted the power to specify factors for age verification by data fiduciaries for processing personal data of children as well as to notify their guardians. While data principals have substantive rights under the bill, the DPA has to specify the period within which a data fiduciary is required to comply with the requests of data principals, and also the time period for reporting a data breach. The DPA may also specify classes of data fiduciaries or circumstances or operations

where data protection impact assessment is mandatory, and where a data auditor has to be engaged, along with related aspects of audit and record keeping. The DPA is also required to classify and register significant data fiduciaries. The role of the DPA in particular would be important in arriving at a holistic framework, given its expansive responsibilities. The law, however, would have to evolve based on issues reaching relevant agencies such as the DPA, appellate tribunal and ultimately the Supreme Court.

Shardul-Amarchand-Mangaldas-&-CoTEJAS KARIA is partner and head of arbitration, and SHASHANK MISHRA is a senior associate at Shardul Amarchand Mangaldas. They can be contacted at and