Electronic data protection in India is currently governed by the Indian penal code, the information Technology Act 2000 – IT Act Amendment 2008, and therefore the Information Technology Rules, first introduced in 2011. the non-public Data Protection Act (PDPA) emerged from a Supreme Court ruling in 2017 that found privacy to be a fundamental right, and therefore the new changes replace an initial draft produced in 2018.

In its latest version, the PDPA, which can govern how personal information is handled by business and government bodies within India, highlights, specifically, how technology companies must manage the information of Indian citizens and the way are they collecting and processing the identical. The bill, while requiring sensitive data to stay on servers within India’s territory, at the identical time permits non-sensitive data to be stored outside of the country with certain conditions set by the PDPA. The scope of sensitive, or critical data – that which is to be stored locally – is defined by the Indian government and ensured to be followed throughout.

Who will Comply?

The bill imposes hefty new compliance requirements for data protection on most businesses in India.

Almost all businesses across India’s economy will should meet the bill’s conditions set within the PDPA. this may include not just e-commerce, social media, and IT companies, but also property companies, hospitals, and pharmaceutical domains. the sole exceptions are going to be “small entities” (businesses like small retailers that collect information manually and meet other conditions to be specified by the PDPA).

Some financial and telecommunications firms are already subject to privacy and confidentiality requirements taken off by their sectoral regulators so that they already follow some practices required by the bill. except for all other businesses, these rules would be new and a tug-of-war to make sure compliance for the identical.

 Penalties for Non – Compliance for PDPA – GDPR

The bill gives the PDPA the facility to find any business that doesn’t adjust to the bill or the regulations made by either the PDPA or the govt of the Republic of India.

The maximum amount of penalties that will be imposed is 150 million Indian rupees (about $2.1 million), or 4 percent of the worldwide turnover of the firm within the preceding twelvemonth as per the most recent revision.

So far the Indian Government has not imposed a fine on any organization for the PDPA since the act is in pipeline.

In the case of GDPR on 21 January 2019, the French National Commission on Informatics and Liberty, or CNIL, fined Google with a €50 million fine. this can be the largest GDPR fine ever collected to the current date, issued for violation of:

  • Information to be provided where personal data are collected from the information subject – Article 13,
  • Information to be provided where personal data haven’t been obtained from the information subject – Article 14,
  • The lawfulness of processing – Article 6,
  • And Principles regarding the processing of non-public data – Article 5

This fine was imposed on Google for Lack of transparency by the organization on how they were collecting and harvesting data.

Other Similar Data Protection Laws

With passing time we will see many countries turning out with their privacy law’s to confirm data privacy is achieved and that they hold the monopoly for data of their citizens in transit and rest. Few mentioned as below.

  1. Brazil – Brazil’s Lei Geral de Proteçao de Dados (LGPD)
  2. Australia – the Privacy Amendment (Notifiable Data Breaches) to Australia’s Privacy Act
  3. USA – while there’s currently no data privacy law applicable to any or all organizations on the federal level, every state within the Union has their own data privacy laws for compliance
  4. Japan – Japan’s Act on Protection of private Information
  5. South Korea-South Korea’s Personal Information Protection Act
  6. Thailand-Thailand Personal Data Protection Act (PDPA) – May 2019

How PDPA is different from GDPR?

There are some major differences between the 2. First, the bill gives India’s central government the ability to exempt any administrative body from the bill’s requirements. This exemption may be given on grounds associated with national security, national sovereignty, and public order.

While the GDPR offers EU member states similar escape clauses, they’re tightly regulated by other EU directives. Without these safeguards, India’s bill potentially gives India’s central government the facility to access individual data over and above existing Indian laws like the knowledge Technology Act of 2000, which prohibited cyber-crime and e-commerce.

Second, unlike the GDPR, India’s bill allows the govt to order firms to share any of the nonperson data they collect with the govt. The bill says this is often to boost the delivery of state services. But it doesn’t explain how this data are going to be used, whether it’ll be shared with other private businesses, or whether any compensation are going to be obtained the employment of this data.

Third, the GDPR doesn’t require businesses to stay EU data within the EU. they will transfer it overseas, ciao as they meet conditions like standard contractual clauses on data protection, codes of conduct, or certification systems that are approved before the transfer.

The Indian bill allows the transfer of some personal data, but sensitive personal data can only be transferred outside India if it meets requirements that are kind of like those of the GDPR. What’s more, this data can only be sent outside India to be processed; it can’t be stored outside India. this may create technical issues in delineating between categories of information that must meet this requirement, and boost businesses’ compliance costs


  1. https://portswigger.net/daily-swig/indias-answer-to-gdpr-data-protection-legislation-set-to-pass-this-year
  2. file:///F:/Blogs/Personal-Data-Protection-Bill-2019.pdf
  3. https://www.wipo.int/edocs/lexdocs/laws/en/in/in098en.pdf
  4. https://www.meity.gov.in/content/information-technology-act-2000
  5. https://carnegieindia.org/2020/03/09/what-is-in-india-s-sweeping-personal-data-protection-bill-pub-80985
  6. https://dataprivacymanager.net/5-biggest-gdpr-fines-so-far-2020/
  7. https://insights.comforte.com/countries-with-gdpr-like-data-privacy-laws



Omkar Gaikwad,

Audit & Compliance Team,

Varutra Consulting Pvt. Ltd.