What is the Personal Data Protection Bill 2019?

The Personal Data Protection Bill, 2019, was a draft legislation introduced in the Indian Parliament, aiming to provide a comprehensive framework for the protection of personal data. It was based on the recommendations of the Justice B.N. Srikrishna Committee. While it underwent extensive review by a Joint Parliamentary Committee, it was eventually withdrawn and replaced by the Digital Personal Data Protection Act, 2023, which is now the enacted law. The 2019 Bill's core principles, such as consent, data principal rights, and data fiduciary obligations, largely influenced the final Act.

How does India's data protection law differ from GDPR?

India's Digital Personal Data Protection Act, 2023, shares similarities with GDPR (e.g., consent, data principal rights, penalties) but also has key differences. DPDP Act has a narrower definition of 'personal data' (excluding non-digital data), introduces 'deemed consent' for certain legitimate uses, and offers more flexibility on cross-border data transfers (to 'notified countries' rather than strict adequacy decisions). It also provides broader exemptions for government agencies and does not mandate data localization for all sensitive data, unlike the earlier PDB 2019.

What powers will the Data Protection Authority have?

The Digital Personal Data Protection Act, 2023, establishes the Data Protection Board of India (DPBI). Its powers will include inquiring into data breaches and non-compliance, imposing significant monetary penalties (up to INR 250 crore), issuing directions to data fiduciaries, and adjudicating disputes related to data protection. The DPBI will act as the primary enforcement and regulatory body, ensuring adherence to the Act's provisions and providing a mechanism for grievance redressal for data principals. Its specific rules of procedure are yet to be notified.

What are the penalties for data protection violations in India?

The Digital Personal Data Protection Act, 2023, prescribes substantial monetary penalties. For instance, failure to take reasonable security safeguards to prevent a personal data breach can attract a penalty up to INR 250 crore. Failure to notify the Data Protection Board and affected data principals of a breach can also lead to significant fines. The exact penalty depends on the nature, gravity, duration of the contravention, and the type of personal data involved, as determined by the Data Protection Board of India.

Which data requires localization in India?

The Digital Personal Data Protection Act, 2023, has moved away from the stringent data localization requirements proposed in the earlier Personal Data Protection Bill, 2019. The current Act permits cross-border transfer of personal data to 'notified countries or territories' by the Central Government, subject to prescribed terms and conditions [DPDP Act, 2023, Section 16]. This means that specific data categories are not inherently localized; rather, the government will designate countries deemed safe for data transfer, offering more flexibility for businesses.

How does the right to privacy relate to data protection?

The right to privacy is the constitutional bedrock upon which data protection laws are built. In India, the Supreme Court's landmark judgment in Justice K.S. Puttaswamy v. Union of India (2017) declared privacy as a fundamental right under Article 21. Data protection, specifically informational privacy, is a crucial facet of this broader right. It ensures individuals have control over their personal data, preventing its misuse and unauthorized access, thereby upholding their dignity and autonomy in the digital sphere. The DPDP Act, 2023, is a legislative embodiment of this fundamental right.

What are the key obligations of a Data Fiduciary under the DPDP Act?

Under the DPDP Act, 2023, a Data Fiduciary (the entity determining data processing) has several obligations. These include obtaining explicit consent from data principals, ensuring data minimization (collecting only necessary data), maintaining data accuracy, implementing robust security safeguards to prevent breaches, notifying the Data Protection Board and affected individuals in case of a breach, and erasing data once its purpose is served. Significant Data Fiduciaries may also need to appoint a Data Protection Officer and conduct Data Protection Impact Assessments.

Data Protection

Science & Technology

Constitution VerifiedUPSC Verified

Version 1Updated 10 Mar 2026

Explore This Topic

Definition Detailed Explanation Key Discoveries Scientific Principles Tech Evolutions UPSC Importance Prelims Strategy Mains Strategy Prelims MCQs Mains Questions MCQ Practice Predicted 2026 Revision Notes Current Affairs

The Digital Personal Data Protection Act, 2023, Section 2(j) defines 'personal data' as 'any data about an individual who is identifiable by or in relation to such data.' This foundational definition underpins the entire framework, establishing the scope of data that falls under the protective ambit of the law. It emphasizes the direct or indirect identifiability of an individual, moving beyond me…

Quick Summary

Data protection is the legal and technical framework safeguarding personal information in the digital realm. In India, its foundation lies in the Supreme Court's 2017 Puttaswamy judgment, which recognized privacy as a fundamental right under Article 21 of the Constitution.

This led to the enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act), India's comprehensive data protection law. The DPDP Act defines 'personal data' as any data identifiable to an individual and establishes roles like 'Data Principal' (the individual) and 'Data Fiduciary' (the entity processing data).

Key principles include obtaining explicit consent for data processing, ensuring data minimization, and implementing robust security measures. Data Principals are granted rights such as access, correction, and erasure of their data.

The Act mandates the establishment of the Data Protection Board of India (DPBI) to enforce its provisions, investigate breaches, and impose significant monetary penalties for non-compliance. While the DPDP Act allows cross-border data transfers to 'notified countries,' it emphasizes accountability for Data Fiduciaries.

Technical aspects like encryption (AES, RSA, TLS), hashing, anonymization, and security-by-design are crucial for practical implementation. India's model is a hybrid, balancing individual privacy rights with the needs of a growing digital economy and national security, drawing lessons from both GDPR and US approaches.

Understanding this framework is vital for UPSC, connecting to constitutional law, cybersecurity, and digital governance.

Vyyuha

Your 6-Month Blueprint, Updated Nightly

AI analyses your progress every night. Wake up to a smarter plan. Every. Single.…

Puttaswamy (2017): Privacy = Fundamental Right (Article 21).

DPDP Act, 2023: India's comprehensive data protection law.

Data Principal: Individual whose data is processed.

Data Fiduciary: Entity processing data, determines purpose/means.

Consent: Primary basis for data processing; 'deemed consent' for legitimate uses.

DPBI: Data Protection Board of India, enforcement & adjudication.

Penalties: Up to INR 250 crore for major violations.

Cross-border transfer: Allowed to 'notified countries'.

IT Act 2000: Section 43A repealed by DPDP Act.

Technical: Encryption (AES, RSA), Anonymization vs. Pseudonymization.

Vyyuha Quick Recall: DATA-SHIELD

Data Principal Rights: Access, Correction, Erasure. Act 2023: Digital Personal Data Protection Act, India's law. Technical Safeguards: Encryption, Anonymization, Security-by-Design. Article 21: Privacy as a Fundamental Right (Puttaswamy).

State Exemptions: Broad powers for government, a point of debate. Hybrid Model: Blends GDPR (rights) and US (pragmatism). Interface: DPBI (Data Protection Board of India) for enforcement. Economic Value: Data as an asset, balanced with individual rights. Localization: Flexible, to 'notified countries', not strict mandate. Deemed Consent: For 'legitimate uses', without explicit consent.

Data Protection

Quick Summary

Related Topics