Emerging changes in Data Protection Law

Emerging changes in Data Protection Law

The year 2020 was the year when the whole world became more digital than ever before, thanks to a global epidemic that changed lives as we knew it. One of the silverware trends of 2020, focused on data value and data flow. By taking this urgently, the Government of India has taken the necessary steps toward technology policy and data management by 2020, viz. non-personal data, health data, financial data, e-commerce-related data, and other consumer-oriented services. Lawmakers also looked at individual rights with regard to data privacy, and the Personal Data Protection Bill, 2019 (“PDP Bill”) was a touching part of Government discussions during the year. The Government introduced the Information Technology Regulations (Digital Liaison Guidelines and Code of Conduct for Digital Media), 2021 February 25, 2021. These were notified under Section 87 of the Information Technology Act (IT Act) and repealed the Information Technology (Medium Terms) Act 2011. This change is due to the increasing use of cybercrime, which includes false stories, pornography, profanity, hate speech, pornography, financial fraud, violence, incitement to violence, national security threats, and public order.


Persuaded by the GDPR, the PDP Bill was introduced in 2019 to encourage broader or comprehensive development in the present Indian data protection government, now governed by the Information Technology Act, 2000, and its laws.

For the Department of Electronic Technology and Information Technology, the Indian Government has set up an advisory committee (“NPD Committee”) to oversee non-private data management (“NPD”). The terms of reference of the NPD Committee were:

  • concentrating on various problems relating to non-personal data; and

  • to make clear suggestions for the Central Government considerations regarding non-personal data management. From now on, NPD processing is not regulated under the law. Additionally, "anonymous data" is clearly prohibited from using the current draft of the PDP Bill.

On July 12, 2020, a report was presented by the NPD Committee on the Non-Individual Data Framework for public comment. The report was needed which is why he called for the establishment of a separate NPD governance framework. However, the report wasn’t a well-defined document in terms of definitions, proposed provisions, and purpose intended by the framework.

Next, in January 2021, the NPD Committee released an upgraded version of its report mentioning certain aspects. The revised report states that the PDP Bill and the proposed NPD framework will work together, clarifying that only anonymous data will fall under the NPD framework. The updated report, among other things, identifies forms of NPD that can be collected, examines the rights of public and private that may survive such data and provides a detailed data sharing mechanism that frees transfers between private organizations. The report provides different guidelines for ‘Data Entities’, or data collection businesses that reach certain limits, calls for separate management of ‘High-Value Database’, and requires the creation of separate autonomous control.

However, as mentioned above, some reports indicate that the JPC may be looking to expand the scope of the PDP Bill to integrate with the NPD. These reports are contrary to the NPD Committee's recommendation that all NPD-related provisions in the PDP Bill be repealed. We expect further clarification when the JPC releases its report on the PDP Bill.


The PDP Bill incorporates prerequisites for notice and prior approval for the use of individual data, objective limits on which data can be processed by organizations, and restrictions on ensuring that only the data required to provide a service to the person in question is collected. In addition, it covers the requirements for local data processing and the appointment of data protection officers within organizations.

India has not yet enacted a specific law on data protection. However, the Indian legislature amended the Information Technology Act (2000) to insert Section 43A and Section 72A, which provide for the right to compensation for improper disclosure of personal information.


Finally, in today’s environment of highly regulated data, Indian organizations need to adapt and develop an effective compliance strategy, as those that do so will reap positive business benefits and will undoubtedly reap rewards. Those with low levels of data privacy protection and adoption of data governance software need to change - and change quickly. But, in general, companies need to get a better look at their data before they consider themselves complying with appropriate data protection laws. By taking a horizontal approach to data security and using a human-centered approach, process, and technology, Indian organizations can confidently adopt the new PDP Bill and, once compliant, should view this as a competitive advantage.

eStartIndia is a professional tech-based online legal service providing the platform that assists the clients to simplify the procedures of all kinds of registration, implementation, tax concerns, and any additional legal compliance and services related to the business in India.


Priya Goel
Graduate in B.A LLB (Hons) from GGSIP University

Leave a Comment

Previous Comments

Related Blogs