Market Updates

India’s Personal Data Protection Act, 2018

September, 2018

The right to privacy is a fundamental right, which makes it essential to protect personal data. Unless an individual has given explicit consent, personal data cannot be processed or shared. In India, the protection that privacy laws have offered against misuse of personal data has so far not met expectations and has proved inadequate.

The Personal Data Protection Act, 2018 essentially makes individual consent vital for data sharing. This data protection Bill was released on 27th July 2018 under the chairmanship of Justice B N Srikrishna, together with the report of the Committee of Experts. The Act extends to all individuals and organizations having a presence in India. The Bill is broadly based on the framework and principles of the General Data Protection Regulation (the "GDPR"), the European Union law on data protection and privacy for all individuals within the European Union.

According to the Act, “Data fiduciary” means any person, including any individual, the State, a company, or any juristic entity, who alone or in conjunction with others determines the purpose and means of processing personal data, and “Data principal” refers to the natural person to whom the personal data relates. “Sensitive Personal Data” includes financial data, passwords, health data, official identifier, caste or tribe, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, religious or political belief or affiliation, and any other category of data specified by the Authority under section 22.

Data Protection Obligations

Fair and reasonable processing - The data fiduciary responsible for processing personal data owes a duty to the data principal to process that data in a fair and reasonable manner.

Purpose limitation - Personal data should only be processed for specified purposes which are clear and lawful.

Collection limitation - Collection of data should be limited to data which is needed for processing.

Lawful processing - Personal data should be processed only on the basis of one or a combination of the grounds of processing mentioned in Chapter III of the Personal Data Protection Act, 2018.

Notice - Under the Act, the data fiduciary has a duty to provide the data principal with clear and concise notice before collection of personal data, or as soon as possible if the data has not been collected from the data principal directly.

Data quality - The data fiduciary must ensure that the data being processed is accurate, complete, not misleading and up to date.

Data storage limitation - Personal data must be retained by the data fiduciary only as long as it is needed to satisfy the purpose.

Accountability - Data fiduciaries must ensure compliance with the provisions of the Bill, as the data fiduciary is responsible for protecting the personal data of data principals.


The Personal Data Protection Act, 2018 in India establishes the right to privacy as one of the fundamental rights and follows the implementation of the GDPR. It is the responsibility of the data fiduciary to protect the personal and sensitive data of the data principal. If a data fiduciary fails to meet the provisions of the Act, penalties can be imposed on it, which can go up to ₹15 crores or 4% of a company’s total worldwide turnover. Companies in India need to change the way they work to comply with the stringent regulations of the Act.

Sonam Chawla,
Research Associate,
Infoholic Research