India Topic Page

Here, you can find the IAPP’s collection of coverage, analysis and resources related to privacy in India.

Featured Resources


Top 6 operational impacts of India’s DPDPA

This six-part article series serves as a walkthrough of the most important components of India’s Digital Personal Data Protection Act.
Read More


Examining India’s efforts to balance AI, data privacy

This piece takes a look at efforts in India to balance the benefits of AI with the protection of personal data and privacy.
Read More


5 steps to prepare for India’s DPDPA

This article outlines key steps to take to build proactive DPDPA compliance roadmaps: determine applicability, build data inventories and maps, develop consent mechanisms, enable data principal rights, and implement technical measures.
Read More


Why AI may hit a roadblock under India’s DPDPA

This article looks at the PDPBA from an AI lens, revealing a clear rift between its data protection principles and the full deployment of the power of AI.
Read More


India’s digital lending guidelines attempt to regulate data privacy concerns

This article analyzes how the growth of India’s digital lending industry has created a trade-off between quick access to loans with higher interest rates for creditors and lack of transparency and security to lenders’ financial identity.
Read More


Consumer privacy and the dispatch system in India

COVID-19’s shift to digital has brought a rise to online retail and dispatch systems, which help suppliers direct consumers to the proper resources. This article reviews how dispatch technology’s usage doesn’t stem from the onset of the pandemic.
Read More

Additional News and Resources

India DPDPA rules, Data Protection Board appointees imminent

India Minister of State for Electronics and Information Technology Rajeev Chandrasekhar said the government will finalize Data Protection Board appointments and Digital Personal Data Protection Act rules within 30 days, MoneyControl reports. Now in force, the bill will likely have a one-year grace period. However, Chandrasekhar said breaches occurring in the interim period will "get accumulated" and addressed by the DPB once its members are in place.Full story... Read More

India developing parental consent mechanism

The Economic Times reports Indian officials plan to build a parental consent system by using Digilocker, a government-supported data governance repository. The system would create a database of parent and child identities that platforms can refer to for age verification and consent purposes. India's Digital Personal Data Protection Act has children's privacy and age verification requirements for children under 18.Full story... Read More

Specifics within India's data protection law take shape

Indian officials have begun drafting secondary regulations for the Digital Personal Data Protection Act while also establishing the Data Protection Board, Inc42 reports. Clarifying rules on data breach reporting and business obligations are being crafted at the same time the government is mulling DPB appointments and recruiting guidelines. Meanwhile, Business Insider India reports startup businesses are not likely to be exempt from the DPDPA and may seek a two-year implementation period.Full sto... Read More

India's proposed data protection bill introduced to Parliament

After years of debate and delays, Indian Parliament can now consider the proposed Digital Personal Data Protection Bill. The 2023 version of the draft bill was introduced in the lower house of Parliament, the Lok Sabha, 3 Aug. following approval by the Union Cabinet of Ministers 5 July. According to ANI News, the Lok Sabha is expected to open its consideration of the DPDPB 7 Aug. "We're living in a time where we are finding ourselves in a much more digital world than ever before," Indian Minis... Read More

Industry stakeholders make pitches for India's proposed Digital Personal Data Protection Bill

Industry stakeholders took a firm stance on holding India's government to phased implementation of the proposed Digital Personal Data Protection Bill, The Economic Times reports. In comments to Indian Parliament's public consultation on the bill, industry players opined the 24-month grace period found in India's past privacy proposals should be carried over to the latest bill. Additionally, BSA|The Software Alliance called for implementing regulations to be finalized 12 months following potentia... Read More

India's Digital Personal Data Protection Bill 2022: Does it overhaul the former PDPB?

Four years ago India received the landmark Puttaswamy judgment, which enshrined the right to privacy for the world's largest democracy. Since then, through various iterations, the government of India has attempted to devise an act that can adequately ensure the privacy of its more than 760 million active internet users. Versions of the Personal Data Protection Bill were proposed in 2018 and 2019, each receiving extensive scrutiny from experts across the country and alarming tech giants with requ... Read More

Indian government reiterates intent to table reworked data protection bill

The Government of India told the Supreme Court of India that a revised data protection bill will be tabled in Parliament's Winter Session, ANI reports. During a hearing challenging WhatsApp's privacy notice, Solicitor General Tushar Mehta told the court the government is "alive" to India's lack of a privacy framework and a reworked bill is "underway." Supreme Court justices asked Mehta and the government to bring the bill before Parliament to resolve the WhatsApp case or they will move to a fina... Read More

India proposes telecom, online messaging bill

TechCrunch reports Indian Parliament published the draft Telecommunication Bill 2022, which aims to regulate digital communications. The bill allows the government to view all online communications in cases of perceived national security or public safety concerns while giving agencies immunity from potential lawsuits stemming from such intervention. The legislation also addresses spam messages, proposing consent requirements and a "Do Not Disturb" registry. The government opened a public consult... Read More

Call to protect customer privacy in India's new draft data protection bill

The Hindustan Times reports Reserve Bank of India deputy governor T Rabi Sankar said the new draft data protection bill should include protections for customer data. He also cautioned that monetization of customer data should offer “some level of consent.” Last month, Indian Minister of Railways, Communications and Electronics and Information Technology Ashwini Vaishnaw suggested a new data protection bill could be tabled during Parliament's next budget session in January 2023.Full Story... Read More

CERT-In releases guidance on cyber-incident reporting

On 28 April, the Indian Computer Emergency Response Team issued guidance on information security practices, procedure, prevention, response and reporting of cyber incidents under the Information Technology Act. Effective 60 days after issue, the guidance includes mandatory cyber-incident reporting to CERT-In and follows the agency’s identification of gaps and issues in facilitating incident-response measures. “These directions shall enhance overall cyber security posture and ensure safe & tr... Read More

The evolution of India’s data privacy regime in 2021

In 2017, the Supreme Court of India pronounced a landmark judgment declaring the right to privacy as a fundamental right under the framework of the right to life (Article 21) as per our Constitution. However, a standalone and comprehensive privacy law does not exist in India. Currently, the Information Technology Act 2000 read with supplementary Rules, acts as the legal cornerstone to ensure the protection of personal information. Lawmakers and regulators progressively recognize the importance ... Read More

An examination of the DPO requirements in India’s proposed Data Protection Bill

The Indian Parliament moved one step closer to passing what would be the nation’s first comprehensive data protection law when, in December, a joint committee released a long-awaited report that recommended substantial changes to the original version of the comprehensive legislation. Although Parliament has yet to submit a version of the bill for a final vote, many experts think that will happen this year.  The report is the result of a two-year deliberation by the committee during which it con... Read More

Consent manager framework under India's Personal Data Protection Bill

On Dec. 16, 2021, the Joint Parliamentary Committee submitted its report on the Personal Data Protection Bill, 2019 to Parliament. Interestingly, the report reinstates the concept of “consent managers” and recommends its insertion into the definition clause of the upcoming Data Protection Act. Now, Clause 3 (11) of the Bill defines consent managers as a “Data Fiduciary which enables a Data Principal to give, withdraw, review and manage his consent through an accessible, transparent and interoper... Read More

Supreme Court of India rules on privacy rights of citizens, journalists, social activists

In response to surveillance efforts by NSO Group’s “Pegasus” software, the Supreme Court of India ruled citizens have as much right to privacy as journalists or social activists, The Times of India reports. “Members of a civilized democratic society have a reasonable expectation of privacy. Privacy is not the singular concern of journalists or social activists. Every citizen of India ought to be protected against violations of privacy,” the ruling said. “It is this expectation which enables us t... Read More

Handbook on Data Protection and Privacy for Developers of Artificial Intelligence in India

The Data Security Council of India published a handbook outlining best practices for implementing data protection into artificial intelligence technologies from the design stage. The handbook maps out key privacy-by-design principles for developers to consider, including transparency, accountability, mitigating bias, fairness, security and privacy. Additionally, developers are provided tools such as checklists, a compliance map and examples of data security techniques to aid proper implementatio... Read More

Indian biometric law stirs privacy concerns

Reuters reports on the privacy concerns surrounding a proposed biometric law in India. The DNA Technology Regulation Bill allows for the storing of DNA information in national and regional data banks, which can be tapped for criminal investigations and missing persons cases. "The bill creates an umbrella databank for multiple purposes; the main concern is the lack of clarity on what data may be stored," Takshashila Institution Technology and Policy Programme Research Fellow Shambhavi Naik said.F... Read More

Indian farmer database raises privacy concerns

Reuters reports on the privacy concerns surrounding India's plan to build a digital database of Indian farmers. The database would give each farmer unique digital identification containing personal information and linked to India's Aadhaar system. More than 50 farmers' groups have expressed their concern over the proposal, arguing the project was created without their consultation and does not include a legal framework to properly protect their data.Full Story... Read More

Privacy Updates in China and India: 2 Giants Legislating Data Protection

Original Broadcast Date: April 2021 This LinkedIn Live is part of the IAPP Global Privacy Summit Online 2021 web series. China and India, two of the world’s largest markets that account for roughly 2.7 billion people, are both moving toward comprehensive data protection laws. There are expectations in both jurisdictions to see major developments by the end of this year. The two comprehensive data protection bills that have been introduced have some similarities, and certain influences of the E... Read More

WhatsApp sues Indian government over IT rules

Reuters reports WhatsApp filed a lawsuit to the Delhi High Court against India's government, claiming new Indian regulations would force the messaging application to violate users' privacy. WhatsApp claims the rules would require messaging apps to trace users' chats, which it believes to be "the equivalent of asking us to keep a fingerprint of every single message sent" and asks apps to "break end-to-end encryption and fundamentally undermines people's right to privacy."Full Story... Read More

Installation of facial recognition in Delhi schools raises privacy fears

Digital rights advocates said facial recognition technology installed in at least a dozen schools in Delhi, India, is an invasion of children’s privacy, Reuters reports. Internet Freedom Foundation Associate Counsel Anushka Jain said there is no law regulating the collection and use of data, adding “the use of facial recognition technology is an overreach and is completely unjustified.” Software Freedom Law Centre Legal Director Prasanth Sugathan said facial recognition “could cause real harm to... Read More

DPO hiring gains momentum in India

ETCIO reports on the trends around hiring data protection officers in India. Should the Personal Data Protection Bill become law, companies will be required to bring DPOs on staff. In the interim, Catenon Managing Director-APAC Gaurav Chattur has seen chief information officers place an emphasis on having privacy professionals on the chief information security officer's team. CIEL HR Services Director and CEO Aditya Narayan Mishra has also observed IT professionals are increasingly placed into p... Read More

Privacy program management in India — How to get started

With rapid changes in the global privacy landscape, Indian businesses and most importantly privacy professionals are constantly embroiled in critical questions. Are we doing privacy management right? With data breaches increasingly common and affecting organizations of all sizes and scale — from startup sharks, like Dunzo and Unacademy, to giant whales, like Facebook and Twitter — privacy management is undeniably a pivotal project for all in-house legal and compliance teams. We do expect to eve... Read More

Media trials in India: An unwritten carve-out to the right to privacy?

The trending topic in India at this moment is the phrase “media trial.” A media trial is a popular expression referring to the media acting as judge, jury and executioner in news cases and declaring a verdict before the court passes its judgment. A media trial is often conducted in “parallel” alongside the police investigation. The deaths of Aarushi Talwar in 2008 and Sheena Bora in 2015 were targeted by Indian media, and most recently, the death of Indian actor Sushant Singh Rajput has garnere... Read More

Digital marketing and privacy: Navigating the Indian landscape

How many times has an advertisement for a beauty product or electronic gadget appeared on your social media feed while you were having a real-time conversation about a similar subject? This is the subtlety and sophistication of the world of digital marketing, a world heavily reliant on customer data, as it is beneficial in providing a more targeted, personalized experience to a customer. Moreover, accelerated internet penetration in India, along with the proliferation of mobile telephony, has i... Read More

India moving forward with centralized health database

The COVID-19 pandemic expedited India's plans to create a centralized database containing the health data of its 1.3 billion citizens, Reuters reports. Prime Minister Narendra Modi and National Health Authority Director Praveen Gedam both acknowledged India is moving ahead with its plan to ease pressure on the country's health care system. However, Access Now Asia Policy Director Raman Jit Singh Chima pointed out the move on health data "is being done in the absence of a data protection law and ... Read More

How would India's surveillance regime stack up in a 'Schrems II' scenario?

The recent judgment by the Court of Justice of the European Union in the case of Max Schrems v. Facebook Inc. invalided the previously used Privacy Shield mechanism for the transfer of data between the EU and the U.S. The European Commission now needs to search for a different way to have a privacy-friendly data transfer regime between the two jurisdictions. The judgment placed emphasis on essentially three aspects to analyze the Privacy Shield arrangement between the EU and U.S. They are, firs... Read More

Op-ed: Unanswered questions in India’s proposal to regulate non-personal data

In an op-ed for The Wire, Mozilla Fellows Divij Joshi and Anouk Ruhaak write there are unanswered questions in India’s proposed framework to regulate non-personal data. An expert committee’s report fails to adequately address inequities in the digital economy and its recommendations “are substantially underdeveloped,” they say. “A mature policy on non-personal data that truly respects the rights of communities” to control data “needs to carefully consider questions of community representation, g... Read More

Op-ed: How the 'Schrems II' decision effects India

In an op-ed for Mint, Trilegal Partner Rahul Matthan writes about the impacts India faces from the Court of Justice of the European Union's decision on standard contractual clauses. Matthan discussed how India's government surveillance practices impinge on data transfers as SCCs would not be a sufficient mechanism to constitute compliance with the data transfer obligations. Matthan goes on to admit data localization might be the only alternative for countries to settle on with all the entangleme... Read More

How to update your processes to be compliant with India's privacy bill

A large number of tourists visit India to get access to the wide array of health care services due to affordable prices, large number of highly skilled medical professionals, world-class infrastructure, quality and cost-effective treatments, ease of communication and travel, limited waiting time, and medical technology that is on par with the global industry standards. Services opted for by the tourists range from basic elective procedures to complex specialized surgeries. With the steps taken ... Read More

Privacy advocates question facial-recognition use at Delhi rally

Reuters reports the first-time deployment of facial-recognition technology at a political rally in Delhi has stirred privacy concerns. The system, which was originally devised for identifying missing children, was used to scan a crowd gathered to hear Prime Minister Narendra Modi speak amid ongoing protests across India. A Delhi Police spokeswoman insisted "standard checks and balances against any potential misuse of data are in place"; however, privacy advocates remain skeptical about the tech'... Read More

Will complying with India's privacy law mean violating GDPR?

Since July 27, 2018, when a committee of experts appointed by the Indian government first published a draft of a comprehensive data protection law until approval of its revised version in the form of the Personal Data Protection Bill 2019 by the same government, a lot has been contributed to the literature on data privacy laws (or the lack of them) in India. The most common conclusion emerging from such literature is the Privacy Bill being referred to as a replica of the EU General Data Protect... Read More

What you should know about India's forward-moving privacy bill

India’s proposed Personal Data Protection Bill — which would regulate how data of the country’s 1.3 billion people is stored, processed and transferred — could be on track for approval early next year. Following the legislation’s introduction in Parliament last week, a Joint Select Committee of 20 members of Lok Sabha and 10 members from Rajya Sabha was formed. The committee will review the bill and submit a report with its findings to Parliament in January before the end of the 2020 budget ses... Read More

Localization conundrums: The Indian context

We are at a point in time when privacy has become a standard to be complied with unanimously, considering that we find ourselves in a digital and cyber world. Hence, unauthorized access, data breaches or personal information theft are no longer wild conjectures, but prevalent realities that we must wrap our heads around to ensure the privacy of individuals' data, every bit and byte of it. Keeping in mind the current but ever-evolving regulatory landscape, India too joined the bandwagon with its... Read More

The Indian Supreme Court's Aadhaar judgment — A privacy analysis

The Supreme Court of India recently, by a 4 to 1 majority, upheld the constitutional validity of the Aadhaar project, after some minor tweaks and suggestions. This 1148-page judgment was delivered after a 38-day hearing, the second longest hearing in the history of the court. This post only concerns itself with the challenge that the project was violative of the right to privacy, which was given fundamental-right status under Article 14, 19 and 21 of the Constitution of India in a landmark priva... Read More