Data Protection Policy in India



This Article is written by Ritansha Lakshmi, a student of Lloyd Law College, Greater Noida.    

The 21st century has observed such a rapid growth in the number of ways in which we use information, that it is widely referred to as “the information age”.

 Digital technologies are in a phase of rapid development and are being adopted widely. This revolution has infused in India as well. Given the foreseeable inescapability of data technology in modern societies, it is legitimate and necessary to incorporate this technology to support the maintenance and strengthening of constitutional democracy of our country recognizing its significance, and as it is foreseeable to bring large disruptions in almost all sectors of society, the Indian Government has predicted and implemented the “Digital India” initiative with nearly 450 million Internet users and a growth rate of 7-8%, India is well on the path to becoming a digital economy, which has a large market for global players.


The Internet has given rise to entirely new markets and we can see this as some of the largest companies in the world today are data-driven!!

These big companies dealing in the collection, organization, and processing of personal information, whether directly, or as a critical component of their business model.

The world’s largest taxi company, Ola owns no vehicles.

The world’s most popular media owner, Twitter creates no content.

The most valuable retailer, Amazon has no inventor.


Without data protection, it results in increased unregulated surveillance and Profiling of individuals leads to Infringing the sovereignty of an Individual.

Any technology or process which has the potential to impact citizens have to be regulated so that it can be applied in a free and fair manner. The benefits are not unfairly benefiting one particular section of people or deliberately or otherwise, harming another section of people in the society. To prevent unwanted changes humans must have the ability to foresee law must have the power to rule to check any evil use of Data or to ensure that there must not be any negligence for a quick profit. As data can be put to advantageous use, the unregulated and arbitrary use of data, especially personal data, has raised alarms regarding the privacy and sovereignty of an individual. This was also the subject matter of the landmark judgement of “K.s Puttaswamy, 2017” the Supreme Court, which recognized the right to privacy as a fundamental right.

Government of India in 2018 has established a High-level Experts group to study various issues relating to data protection in India and suggest to draft Data Protection Bill.

This bill aims to “ensure the growth of the digital economy and digitally connected India while keeping personal data of citizens secure and protected.” Instrumentally, a stable legal framework for data protection will:

  1. Keep personal data of citizens secure and protected
  2. Act as the foundation on which data-driven innovation and entrepreneurship can flourish in India.
Also Read:  Cyber Crime and it's Subject Matter


 Section 43-A of the IT Act, 2008 provides that a body corporate possessing, dealing with or handling any sensitive personal data or information in a computer resource, if they are negligent in implementing and maintaining reasonable security practices and procedures to protect sensitive personal data or information which are owned, controlled or operated by it would be liable to pay damages as compensation to affected persons.

Section 72-A of the IT Act, 2008 mandates punishment for disclosure of ‘personal information’ in breach of lawful contract or without the information provider’s consent.

Expanding existing scope

This Data protection bill will widen the scope by contributing a comprehensive data protection framework which shall apply to the processing of personal data by any means, and processing activities carried out by both the State as well as the non-state entities.


A data protection legal framework in India is based on the following principles:

All-inclusive approach

  • The law must apply to both state and non-state entities.

Informed consent of data owner

  • Consent is an expression of human sovereignty. For such consent, to be honest, it must be informed and expressive.

Data minimization

  • Data that is generated must be nominal and necessary for the purposes for which such data is required.

Operator accountability and social responsibility:

  • The data operator shall be held accountable for any processing of data, whether by itself or entities with whom it may have shared the data.

Deterrent penalties:

  • Penalties on wrongful processing must be adequate to ensure deterrence.

“Data protection is an important for the upcoming development of the Indian digital economy and digitally connected India. The approval of the new proposed Bill by the Cabinet will be a new dawn for the digitally connected Indians. The government will have to maintain an equilibrium between protection of personal data and digital liberties connected of sovereign interests of the government on the other hand. The proposed Bill should also be seen as an instrument to promote and protect Indian cyber sovereignty. The need is for the administrations to understand –

Is the law of the land allowing the administrations to collect, store and process the data?

What is the responsibility of the entity storing the data? and

the laws about whether or what kind of data can be collected, what should be stored and how the ownership of the data should be established?

Read the bill here


Leave A Reply

Subscribe For Latest Updates

Signup for our newsletter and get notified when we publish new articles for free!