

The Data Protection Bill, 2021

24 Dec 2021

On 16 December 2021, the Joint Parliamentary Committee published its report along with the finalised Data Protection Bill, 2021. When passed into law, this has the potential to change the way in which data is used by businesses.

India does not presently have an omnibus data protection legislation. Given the rising importance of technology-based businesses, the Parliament had undertaken an exercise to formulate India’s data protection regime. On 11 December 2019, the Ministry of Electronics and Information Technology (MeitY) introduced the draft Personal Data Protection Bill, 2019 (PDP Bill) before the Parliament, which was referred to a Joint Parliamentary Committee (JPC) for further consideration. After carrying out a series of consultations with stakeholders, on 16 December 2021, the JPC published its report along with the finalised Data Protection Bill 2021 (DP Bill).

This update provides a brief overview of the key provisions of the DP Bill relating to the rights of data principals, obligations of data fiduciaries, grounds for which personal data can be processed, data breach reporting requirements, classification of significant data fiduciaries, and an enhanced penalty regime.


The DP Bill applies to the processing of personal data that has been collected, disclosed, shared or otherwise processed in India, or to the processing of personal data by the State or State bodies, Indian corporate entities and Indian citizens. Personal data is defined as data about or relating to a natural person who is directly or indirectly identifiable, having regard to a feature of identity or a combination of such features (whether virtual or physical) and also includes inferences drawn from such data for the purpose of profiling.

A separate class of data – sensitive personal data – is also recognised in the DP Bill and is subject to enhanced thresholds. Sensitive personal data is personal data that reveals, is related to, or constitutes financial data, health data, official identifiers, sex life and sexual orientation, biometric data, genetic data, transgender status, intersex status, and caste or tribe, religious, political belief or affiliation, and any other category as may be notified. The term ‘financial data’ is defined narrowly in the DP Bill. Section 3(21) defines financial data as any number or other personal data that is used to identify (i) an account opened by a data fiduciary, or (ii) a card or payment instrument issued by a financial institution. It also includes personal data regarding the relationship between a financial institution and a data principal including financial status and credit status. Other types of data like account statements, data relating to other financial products and investment information are not included within the definition of financial data.

The DP Bill also applies to the processing of any personal data by entities located outside India if the personal data is processed with respect to any business or activity that involves offering goods or services to individuals located in India or the profiling of data principals within India. However, any such activity must specifically target Indian citizens and the provision of goods or services must not be incidental. Additionally, the DP Bill gives powers to the Central Government to exempt from the application of the Bill, the processing of personal data of data principals not within the territory of India, pursuant to a contract entered with any person/company incorporated outside India, by any data processor incorporated under Indian law.

In a departure from previous drafts of this law, non-personal data has also been included within the scope of the DP Bill. Non-personal data has been defined to include all data other than personal data. This will potentially include anonymised data (personal data which has undergone anonymisation). Anonymisation is defined as an irreversible process of transforming or converting personal data to a form in which the data principal cannot be identified as per the standards of irreversibility laid down by the Data Protection Authority (DPA). Accordingly, until the DPA specifies the technical threshold for anonymisation, it will not be possible to categorically stipulate what constitutes anonymised data. Unlike in relation to personal data, the DP Bill does not clarify whether there are any territorial limits to the applicability of its provisions in respect of non-personal data. However, the provisions of the current draft regulate such data only to the extent of data breaches, and the Central Government’s ability to issue directions to data fiduciaries and processors to provide such data for targeted delivery of services or evidence-based policy formulation.

Key Obligations of Data Fiduciaries

The DP Bill creates a concept of a data fiduciary – similar to the GDPR notion of a data controller. The entity that determines the purpose or means of processing the personal data of the data principal is referred to as the ‘data fiduciary’. Data fiduciaries can include the State, corporate entities and individuals. On the other hand, the natural person whose personal data is collected is referred to as the ‘data principal’. The DP Bill conceptualises the processing of data broadly to include most operations that are carried out on data including storage, adaptation, retrieval, dissemination, and erasure or destruction.

Similar to other privacy legislations, the DP Bill imposes several obligations on data fiduciaries with respect to the collection and processing of personal data as follows:

  • Notice

    The data fiduciary is obliged to provide notice to the data principal at the time of collection of personal data of the data principal, even if such personal data is not being collected from the data principal directly. This notice must contain the following:

    • The various purposes for which personal data is to be processed
    • The nature and categories of personal data being collected
    • The identity and contact details of the data fiduciary (including its data trust score, if applicable) and Data Protection Officer (DPO)
    • The rights of the data principal
    • Information pertaining to sharing, cross-border transfer and retention of personal data
    • The procedure for grievance redressal
    • Any other information as specified by the regulations.

    Such a notice must be clear, concise, easily comprehensible and in multiple languages to the extent necessary and practicable.

    Data fiduciaries will not be required to provide notice in specific instances where the provision of notice substantially prejudices the purpose of processing of personal data, such as processing personal data for performance of certain functions of the State, for compliance with any order of a court, or to respond to medical emergencies, disaster relief, or public order situations.
