India: An overview of the Data Protection Act (2024)

The scope of the Act

The Act applies to:

  • the processing of personal data within India, where such data has been collected, stored, disclosed, shared, or otherwise processed within India;
  • the processing of personal data by any person under Indian law; and
  • the processing of personal data by data fiduciaries or data processors not present within India if the processing is in connection with any:
    • business carried out in India, or any systemic activity of offering goods or services to data principals within India; or
    • activity that involves the profiling of data principals in India.

The Act empowers the Central Government of India ('the Government')to exempt from its applicability the processing of personal data of citizens not within India pursuant to a contract with such persons outside India.

The Committee has recommended bringing the regulation of 'non-personal data' (that is, data that is not personal data) within the ambit of the Act. Accordingly, the Act now regulates personal data, sensitive personal data, and non-personal data. While the Committee has gone on to clarify within the Report that the Act should protect the digital privacy of individuals and 'non-digitised' data ought not be included within its ambit, the provisions of the Act continue to regulate non-digitised data as well.

The main regulator for data protection

The Act empowers the Government to establish a Data Protection Authority of India ('the Authority'), which will be the umbrella authority that regulates both personal and non-personal data. The Committee recommends that the Authority should be constituted within three months of enactment and commence its activities within six months of the notification of the new law.

The Authority's overarching responsibility is to protect the interests of data principals, protect the misuse of personal data, ensure compliance with the Act, and promote awareness of data protection. Other functions include, without limitation, monitoring and enforcing the application of the Bill, taking prompt and appropriate actions in response to data breaches, monitoring cross-border data transfers, advising the Government on data protection aspects, and dealing with complaints, among other obligations.

The Committee has also underscored the Authority's obligations and responsibilities in relation to data breaches and has prescribed certain principles that the Authority ought to follow while governing data breaches.

Separately, the Committee has recommended that the Authority promote innovation, and in this regard, keep in mind interests of startups and encourage sandboxes.

Finally, the Committee has recommended that the Authority ensure that governmental interests are upheld while framing policies. This raises questions on the independence of the Authority – and we expect further debate on the segregation between the Authority and the executive.

Key definitions under the Act

Data fiduciary

Similar to a data controller under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), a 'data fiduciary' is any person (including the state, companies, non-governmental organisations, juristic entities, and individuals) who either alone, or with others, determines the purpose and means of processing personal data.

Data processor

A 'data processor' is any person (including the state, companies, non-governmental organisations, juristic entities, and individuals) who processes personal data on behalf of a data fiduciary.

Personal data, non-personal data, and sensitive personal data

'Personal data' is data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute, or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and includes any reference drawn from such data for the purpose of profiling. On the other hand, 'non-personal data' is data that is not personal data, and it includes anonymised personal data.

'Sensitive personal data' is personal data which may reveal, be related to, or constitute financial data, health data, official identifiers, sex life, sexual orientation, biometric data, genetic data, transgender or intersex status, caste or tribe, or religious or political beliefs or affiliations. The Government, in consultation with the Authority and applicable sectoral regulators, has the powers of classifying certain categories of personal data as sensitive personal data.

Data principal

Similar to a data subject under the GDPR, a 'data principal' is the natural person to whom the personal data relates.

Legal bases for processing personal data


Consent is the primary ground for processing personal data under the Bill.

  • Personal data can only be processed by a data principal providing free, informed, specific, and clear consent, that is capable of being withdrawn at the commencement of processing.
  • Sensitive personal data can only be processed with the explicit consent of data principals.
  • The burden of proving if consent of a data principal has been sought vests with data fiduciaries.
  • Data fiduciaries can only process personal data for purposes that are consented to by the data principal or purposes which are incidental or connected to such purpose and where the data principal would reasonably expect the processing in regard to the purpose, in the context and circ*mstances in which the personal data was collected.
  • The provision of goods or services, contractual performance, or the enjoyment of a legal right or claim cannot be:
    • made conditional to the consent for the processing of any data not necessary for the purpose; and
    • denied based on the exercise of choice.

Legal obligations

The Act permits the processing of personal data without consent:

  • for the performance of certain state functions;
  • as required under applicable laws; and
  • for compliance with a judgment or order of a court, quasi-judicial authority, or tribunal in India.

Public interest

The Act permits the processing of personal data without consent:

  • to respond to a medical emergency involving a threat to the life or a severe threat to the health of a data principal;
  • to provide medical treatment or health services during threats to public health such as epidemics or outbreak of diseases; or
  • to undertake measures to ensure the safety or provide assistance or services to any individual during a disaster or breakdown of public order.

Legitimate interest

The Act permits the processing of personal data after accounting for the legitimate interest of the data fiduciary, but only for certain reasonable purposes that may be prescribed by the Authority. Examples include whistleblowing, mergers, acquisitions, and other similar corporate restructuring or combination transactions in accordance with applicable laws, processing of publicly available personal data, and operating search engines.

Employment-related purposes

The Act permits the processing of personal data (except for sensitive personal data) without consent for processing necessary for the purpose of employment such as recruitment, termination, or verification of employees.

The Act does not recognise grounds such as processing for the interests of data principals or processing in connection with contracts with data principals.

Data processing principles

The Act imposes the following obligations on data fiduciaries (as further detailed in Section 7 below) in relation to personal data processing:

  • processing must only be in accordance with the Act, and data fiduciaries remain responsible for compliance;
  • processing must be done in a fair and reasonable manner, and ensure the privacy of the data principal;
  • processing must only be for the purpose consented to by the data principal or purposes that are incidental to or connected with such purpose (except where consent is not required) and which the data principal would reasonably expect that the personal data will be used for, having regard to the purpose, context, and circ*mstances in which the personal data is collected;
  • personal data must be collected only to the extent that is necessary for the purposes of processing such personal data;
  • data fiduciaries must provide data principals with notice of processing;
  • personal data processed must be complete, accurate, not misleading, and up-to-date; and
  • personal data must not be retained beyond the period necessary to satisfy the purpose for which it was collected.

Controller and processor obligations

Data processing notification

The Act requires 'significant data fiduciaries' to register themselves with the Authority, which has the power to create sub-categories of data fiduciaries called 'significant data fiduciaries', depending on the volume of personal data processed, sensitivity of such data, risk of harm posed by the processing, and the turnover of the data fiduciary.

Data transfers

The Committee has adopted a pro-localisation stance and recommends that the Government prepare and implement a policy on data localisation to uphold the sovereignty and integrity of India, national security, and promotion of businesses, innovation, and investments. Under the Act:

  • sensitive personal data may be transferred outside India but a copy of such data must continue to be stored within India; and
  • critical personal data (the categories of which are not yet notified) may only be processed in India.

Sensitive personal data may only be transferred outside India with the explicit consent of the data principal and on the basis of:

  • a contract or an intra-group scheme approved by the Authority in consultation with the Government, provided that the contract or intra-group scheme will not be approved if it is against public or state policy and contains provisions governing protection of data principal rights and the data fiduciary's liability for harm caused due to non-compliance;
  • the approval of the Government for transfer to a country or organisation that is approved or judged 'adequate', where the transfer would not affect the enforcement of laws. For transfers in accordance with an adequacy decision, sensitive personal data cannot be shared with a foreign government or agency unless approved by the Government; or
  • an approval from the Authority (where such approval is provided in consultation with the Government).

Separately, critical personal data may only be transferred outside India if the transfer is to a:

  • person or entity(s) engaged in health or emergency services or purposes; or
  • country or an entity approved by the Government with respect to security and strategic interests of the State.

Data processing records

Data fiduciaries are required to maintain and make available certain information such as the categories of personal data collected, purposes of collection, existence and procedure for data principal rights, right of the data principal to file a complaint against the data fiduciary, data trust scores, information relating to cross-border transfers, and fairness of the algorithm or method used for personal data processing, among others.

Significant data fiduciaries are required to maintain additional records relating to the important operations in the data lifecycle, periodic review of security safeguards, impact assessments, and other aspects of processing.

Data Protection Impact Assessment

The Act requires significant data fiduciaries to conduct Data Protection Impact Assessments ('DPIAs') where they:

  • undertake any processing using new technologies;
  • undertake large scale profiling;
  • use sensitive personal data; or
  • the processing carries a risk of significant harm to data principals.

A DPIA must contain:

  • a detailed description of the proposed processing operation, its purpose, and the nature of personal data processed;
  • the assessment of any potential harm caused to the data principal; and
  • measures for the management, mitigation and removal of such harm.

The data protection officer ('DPO') appointed must review the DPIA and submit their findings to the Authority. The Authority has the right to either require data fiduciaries to cease processing or direct the data fiduciary to comply with additional conditions if it finds that processing is likely to cause harm to data principals.

DPO appointment

Only significant data fiduciaries are required to appoint DPOs, who will be required to fulfil certain qualification criteria and must be based in India.

Data breach notification

A data breach has been defined as including both a personal data breach, as well as a non-personal data breach. Regarding the notification of breaches:

  • Data fiduciaries are required to mandatorily report any breach of personal data processed by them to the Authority within 72 hours of becoming aware of the breach.
  • The Authority has the right to determine whether the occurrence of such breach should be notified to data principals by accounting for the personal data breach and the risk of harm to the data principal. Additionally, the Authority may direct the concerned data fiduciary to take steps to remedy the breach or mitigate the harm caused to the data principal.
  • The Authority has the right to determine steps and processes in the event of a breach of non-personal data.

Data retention

The Act does not prescribe any exact retention periods. However, data fiduciaries must not retain personal data beyond the period necessary to satisfy the purpose for which it was collected. The data must be deleted at the end of such period.

Children's data

The Committee has observed that the Bill was unclear on consent requirements when a child attains the age of majority (which is 18 years in India). The Committee goes on to recommend that forthcoming rules issued under the Act must incorporate the following provisions:

  • data fiduciaries dealing exclusively in children's data must be registered with the Authority;
  • the Majority Act, 1875 should apply to a contract between data fiduciaries and data principals when they attain majority;
  • the data fiduciary should, three months prior to a data principal attaining majority, inform the data principal to provide consent again on the date of attaining majority; and
  • services must only be discontinued if data principal opts-out of processing.

Processing of the personal data of a child (i.e., someone below the age of 18 years) must be done in a manner that protects the rights of the child. A data fiduciary must, before processing the personal data of a child, verify the age of the child and obtain their parent's or guardian's consent in a prescribed manner.

Data fiduciaries are prohibited from profiling, undertaking the tracking or behavioural monitoring of or direct advertising directed at children, or undertaking any processing that can cause significant harm to a child.

Sensitive personal data

  • explicit consent: For processing sensitive personal data, the consent of the data principal must be explicitly obtained:
    • after informing them of the purpose of or information in processing, likely to cause significant harm to the data principal;
    • in clear terms without recourse to inferences drawn from conduct or context; and
    • after giving them the choice of separately consenting to the purpose of operations in the use of different categories of sensitive personal data relevant to the processing; and
  • the Authority has the right to specify additional safeguards or restrictions for the repeated, continuous and systematic collection of sensitive personal data and the profiling based on it.

Controller and processor contracts

Data fiduciaries are required to enter into a contract with the processors they engage with for processing. A data fiduciary is responsible for compliance with the Act and for any processing undertaken by it or on its behalf, and the contract must be drafted accordingly.

Rights of data principals

The Committee recommends striking a balance between the exercise of data principal rights, which must be simplified and enable data fiduciaries to implement data principals' rights in a practical manner.

Right to be informed

Data fiduciaries are required to provide data principals with a notice, either at the time of the data collection or as soon as reasonably practicable (if such data is not collected from the data principal).

The notice must contain details relating to the purposes of processing, nature ,and categories of data being processed, the identity or contact details of the data fiduciary or data protection officer, rights of data principals, legal basis for processing, source of the data collected, third party recipients, details of cross-border transfers, the grievance redressal procedure, the right to file a complaint with the Authority, the entity's data trust score, and any other prescribed details.

Right to access

Data principals have a right to:

  • seek confirmation on whether the data fiduciary is processing or has processed the personal data of such data principal;
  • access all personal data being processed or a summary of such data;
  • be provided with a brief summary of processing activities undertaken with respect to their data;
  • access such information in a clear and concise manner easily comprehensible to a reasonable individual in a similar context; and
  • access the identities of the data fiduciaries with whom personal data has been shared by any data fiduciary, together with the categories of personal data shared.

While the Bill was silent on the privacy rights of deceased individuals, the Committee has identified a need for data principals to have specific rights upon death. Accordingly, data principals have the right to nominate legal heirs or representatives as nominees who can exercise specific data principal rights on behalf of data principals upon their death.

Right to rectification

Data principals have a right to correct inaccurate or misleading personal data and otherwise complete and update their data. Data fiduciaries must take necessary and practicable steps to notify any correction, completion, or updation of any personal data to all entities to which they have disclosed such data.

Data fiduciaries have a general obligation to take steps to ensure that the personal data processed is complete, accurate, not misleading, and updated. Such steps must consider whether the personal data may be used to make a decision about the data principal, whether it will be disclosed to third parties, and whether it is kept in a form that distinguishes personal data based on facts from personal data based on opinions or assessments.

Right to erasure

Data principals have a right to the erasure of their personal data that is no longer necessary for the purpose for which it was processed. When data is erased, data fiduciaries are required to take necessary and practicable steps to notify all relevant entities and individuals to whom such data was disclosed.

Right to object/opt-out

Through the right to be forgotten, data principals have the right to restrict the continued disclosure or processing of their personal data where the disclosure or processing:

  • has served the purpose for which it was collected, or is no longer necessary for the purpose;
  • was done with the consent of the data principal and such consent has been withdrawn since; or
  • is contrary to the Bill or any other law in force.

Right to data portability

Data principals have the right to receive data in a structured, commonly used, and machine-readable format, if the processing has been undertaken through automated means, and transfer this data to any other data fiduciary, except where:

  • processing is necessary for state functions, compliance with the law, any judgment or order of any court, quasi-judicial authority, or tribunal; or
  • compliance would not be technically feasible by the data fiduciary. The Authority will prescribe regulations to guide such decision making.

Right to not be subject to automated decision making

This right is not provided under the Bill.

Other rights

Right to compensation

Aggrieved data principals possess the right to seek compensation from data fiduciaries or processors.


The Act prescribes different penalties depending on the nature of the contravention or offence and the type of actor involved.

A data fiduciary's breach of its obligations relating to data breaches, registering with the Authority, undertaking DPIAs, appointing DPOs, or conducting data audits may attract penalties that cannot exceed the higher of INR 50 million(approx. €586,860) or 2% of its total worldwide turnover of the preceding financial year.

A data fiduciary's breach of its obligations relating to the processing of personal data, processing of children's data, implementation of security safeguards, and cross-border data transfers may attract penalties that cannot exceed the higher of INR 150 million(approx. €1.7 million) or 4% of its total worldwide turnover of the preceding financial year.

A data fiduciary's breach of its obligation to comply with data principal rights without explanation may attract maximum penalties of INR 1 million(approx. €11,735) in case of significant data fiduciaries and INR 500,000 (approx. €5,870) otherwise.

A data fiduciary's failure to furnish any reports, returns, or information to the Authority may attract maximum penalties of INR 2 million(approx. €23,470) in case of significant data fiduciaries and INR 500,000 (approx. €5,870) otherwise.

A data fiduciary's failure to comply with the directions of the Authority may reach a maximum penalty of INR 20 million (approx. €234,700) while a data processor's failure of a similar nature may attract maximum penalties of INR 5 million (approx. €58,660).

Where the Act prescribes no penalties specifically, the residuary penalty prescribed is INR 10 million(approx. €117,360)in case of significant data fiduciaries, and INR 2.5 million(approx. €29,340) otherwise.

Aggrieved data principals have the right to seek compensation from data fiduciaries or processors, as applicable.

Persons that re-identify any data that has been de-identified by a data fiduciary or processor and process such re-identified data without the permission of the data fiduciary or processor may face imprisonment of up to three years, a fine not exceeding INR 200,000 (approx. €2,350), or both.

Mathew Chacko Head of the Technology, Media & Telecommunications
Aadya Misra Senior Associate
Shambhavi Mishra Associate
Spice Route Legal, Bangalore

1. Available at:
2. See:

India: An overview of the Data Protection Act (2024)


What is the data protection Act in India? ›

The Information Technology Act, 2000 (IT Act) and Indian Contract Act, 1872 are currently the data protection legislation in India because there isn't any special legislation for this matter yet.

What is data protection bill India summary? ›

The Bill requires the central government to set up the Data Protection Board of India. It provides that the Board will function as an independent body. The composition, terms of appointment, and manner of removal of the members will be prescribed by the central government.

Is cookie consent mandatory in India? ›

As cookies are not specifically regulated under any law, there are no prescribed grounds specifying how they may be used. However, under the SPDI rules, the processing of SPDI is subject to higher standards of compliance.

What happened to the data protection bill in India? ›

On November 18, 2022, the Ministry of Electronics and Information Technology proposed a new law, namely the Digital Personal Data Protection Bill 2022. Once passed by Parliament, it would replace the 2011 rules and some portions of the existing law.

What is the main purpose of the Data Protection Act? ›

What is the purpose of the Data Protection Act? The Act seeks to empower individuals to take control of their personal data and to support organisations with their lawful processing of personal data.

Is India under GDPR? ›

SIMILARITIES AND DIFFERENCES BETWEEN IT ACT AND GDPR. The IT Act and GDPR both have an object to control and regulate the transferring of data for e-commerce. On the other hand, the GDPR is more concerned to safeguard the EU citizens and their rights, however the same is missing in the Indian IT Act.

Do I need a cookie policy in the USA? ›

No, there is no cookie law in the United States. However, some U.S. privacy laws such as CalOPPA consider the information collected via cookies to be protected personal information.

Can I refuse to accept cookies? ›

Do you have to accept cookies? – The short answer is, no, you do not have to accept cookies. Rules like the GDPR were designed to give you control over your data and browsing history.

Do I need a cookie consent banner in USA? ›

Do you use cookies that process personal data or track your website visitors? Then the answer is yes, you need one. Cookie banner requirements differ from law to law.

Is India ready for data privacy law? ›

India is now one of the last few countries in the world to not yet have a comprehensive, modern data protection law regime. Unlike other laws, data protection laws cannot work in isolation in a domestic setting and must play well with international counterparts.

Does the US have a data protection act? ›

The Privacy Act of 1974 governs how federal agencies can collect and use data about individuals in its system of records. The act prohibits agencies from disclosing personal information without written consent from the individual, subject to limited exceptions including to the Census Bureau for statistical purposes.

Who broke the Data Protection Act? ›

The Data Protection Commission (DPC) said Meta had infringed two articles of the EU's data protection laws after details of Facebook users from around the world were scraped from public profiles in 2018 and 2019.

How is India data protection bill different from GDPR? ›

While the GDPR and the Bill both recognise consent of individuals as one of the legal bases for processing personal data, the latter has introduced the novel concept of 'consent managers'. Consent managers are data fiduciaries who may, on behalf of the data principals, collect and manage consent provided by them.

Who is data protection authority in India? ›

Data Protection Framework | Ministry of Electronics and Information Technology, Government of India.

What is the overview of data protection? ›

Data Protection = Data Security and Data Privacy

Data security is focused on protecting the confidentiality and the integrity of data from any unauthorized access or improper data modification or destruction. Data security controls are implemented to protect personal data and ensure data privacy.

What are the 3 aspects of the Data Protection Act? ›

Lawfulness, fairness and transparency.

What are three benefits of the Data Protection Act? ›

Benefits of data protection

Build customer trust. Reduce risks of harm to customers. Prevent discrimination. Protect your resources, both time and money.

Can Indian data be stored outside India? ›

At Least one copy of personal data will need to be stored on servers located within India. Transfers outside the country will need to be subject to safeguards. Critical personal data will only be stored and processed in India.

Is there any data classification system in India? ›

Personal Data Protection Standard of India (PDPSI) is the standard being developed by Cyber Law College of Naavi to assist the compliance of Personal Data Protection regulations in India.

What does GDPR stand for in India? ›

GDPR stands for General Data Protection Regulation. It is a legal framework that sets guidelines for protection and processing of personal data and information.

Does New York Times use cookies? ›

Google uses cookies or unique device identifiers, in combination with their own data, to show you ads based on your visit to and other sites. You can opt out of the use of the Google cookie by visiting the related Google privacy policy.

Which countries have cookie laws? ›

What Are Cookie Laws? And Who Has Passed Them?
  • The California Privacy Rights Act (CPRA) ...
  • The Virginia Consumer Data Protection Act (VCDPA) ...
  • The Connecticut Data Privacy Act (CTDPA) ...
  • The U.K. Data Protection Act. ...
  • Brazil's LGPD. ...
  • South Korea's PIPA. ...
  • China's PIPL. ...
  • Japan's APPI.
Jul 6, 2022

Can I take cookies through airport security? ›

Can I Bring Cookies Through Airport Security? Some good news for those of you with a sweet tooth: Most cookies, bread, and other baked goods can easily be taken through airport security. In fact, you can even bring a whole cake, provided it is properly sealed in its packaging and does not contain any liquid.

Can cookies track you? ›

Cookies can track any kind of data about users, such as search and browser history, what websites they previously visited, what they googled earlier, their IP addresses, their on-site behavior such as scrolling speed, where they clicked and where their mouse hovered.

Should I delete cookies? ›

When you use a browser, like Chrome, it saves some information from websites in its cache and cookies. Clearing them fixes certain problems, like loading or formatting issues on sites.

What happens if I block all cookies? ›

If you block third-party cookies, all cookies and site data from other sites are blocked, even if the site is allowed on your exceptions list.

Which states require cookie consent? ›

Although there isn't a cookie law in place across the entire U.S., California regulates cookie usage through the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

Do I need a cookie policy if I don't use cookies? ›

No, you do not need a cookie policy on your website. However, some laws such as the ePrivacy Directive and the General Data Protection Regulation (GDPR) require websites to detail their use of cookies to users.

Do I need a cookie policy if I have a privacy policy? ›

Yes, if your website uses cookies.

If you use cookies to collect data from your site users, then you must have a cookie policy. However, if your site already has a privacy policy page, it is not mandatory for you to add another page called 'cookie policy.

Is Internet monitored in India? ›

Internet censorship in India is done by both central and state governments. DNS filtering and educating service users in suggested usages is an active strategy and government policy to regulate and block access to Internet content on a large scale.

Do Indian companies have to comply with GDPR? ›

Even companies outside the EU that handle the personal data of individuals within the EU must abide by the regulation. Hence, Indian firms that process the personal data of individuals within the EU must follow the GDPR.

What is Hipaa privacy rule in India? ›

HIPAA in India applies to businesses that work with companies that create, receive, transmit, store, or maintain protected health information (HIPAA business associates and covered entities).

Can US citizens use GDPR? ›

Due to its effectiveness and abilities, GDPR extends to manage data regardless of whether it's Europe, the US, or any part of the world. It is known as the 'extra-territorial effect'. The legislation is not restricted to European businesses and citizens, and it can be applied and used for businesses outside Europe.

How many US states have data protection laws? ›

Currently, there are nine states – California, Virginia, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, and Montana – that have comprehensive data privacy laws in place.

Is the US under GDPR? ›

Frequently Asked Questions. What is the US equivalent of GDPR? The CCPA (California Consumer Privacy Act) is the US equivalent of GDPR.

What happens if you break the Data Protection Act? ›

As well as potential fines and the prospect of litigation against your business if someone decides to seek damages, you could damage your reputation if the incident attracts adverse publicity.

What is the largest data privacy fine? ›

Meta - €1.2 billion ($1.3 billion)

Meta's fine is now officially the biggest GDPR fine to date, replacing Amazon's in 2021.

Which country has imposed the biggest GDPR fine? ›

1. Meta – €405 million (Ireland) The highest GDPR fine of 2022 was levied against Meta-owned social networking platform Instagram by the Irish Data Protection Commission. The €405 million sum is also the second-highest fine under GDPR after Amazon's €746 million penalty in 2021.

What is data protection rules 2011 India? ›

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (Privacy Rules) require body corporates transferring sensitive personal data or information (SPDI) to ensure that third-party processors receiving the data provide an appropriate level of data ...

What are the privacy rights in India? ›

(a) Right to Privacy is a Fundamental Right

The Supreme Court confirmed that the right to privacy is a fundamental right that can be drawn from Articles 14, 19, and 21 of the Indian Constitution without having to be stated separately. It is a natural right that is linked with the rights to life and liberty.

What is GDPR vs PDPB India? ›

GDPR: GDPR is applicable to the data that relates to a naturally identified and/or identifiable person as well as special categories of such personal data. Processing of anonymized data is out of scope. PDPB: PDBP is applicable to personal data, sensitive personal data as well as critical personal data.

Is data protection a fundamental right in India? ›

The Constitution of India: The Constitution of India does not explicitly mention the right to privacy or data protection. However, the Supreme Court of India has recognized the right to privacy as a fundamental right under Article 21[1] of the Constitution, which guarantees the right to life and personal liberty.

Is there right to privacy in India and USA? ›

Article 21 of the Constitution of India states that “No person shall be subjected to arbitrary interference with his privacy, home, correspondence, or other rights.” In the United States, the Right to Privacy is enshrined in the Fourth Amendment to the United States Constitution.

What is violation of right to privacy in India? ›

If someone forcefully ask you about your personal incident and details or check your phone or computer secretly without your permission even if that person is your family member or friends then it is violation of your fundamental right which is under in Article 21 of Indian Constitution, 1950 and also punishable under ...

What are the 7 fundamental rights of India? ›

Seven fundamental rights were originally provided by the Constitution – the right to equality, right to freedom, right against exploitation, right to freedom of religion, cultural and educational rights, right to property and right to constitutional remedies.

What are the types of personal data in India? ›

India's Personal Data Protection Bill, 2019 (“2019 Bill”) recognized special categories of personal data as “sensitive personal data” and “critical personal data”, and provided additional safeguards concerning the processing of such data.

What is the US equivalent of the GDPR? ›

What is the US equivalent of GDPR? The CCPA (California Consumer Privacy Act) is the US equivalent of GDPR. This comprehensive data privacy act gives Californian residents greater transparency and control over how businesses collect and use their personal information.


Top Articles
Latest Posts
Article information

Author: Merrill Bechtelar CPA

Last Updated:

Views: 5899

Rating: 5 / 5 (50 voted)

Reviews: 81% of readers found this page helpful

Author information

Name: Merrill Bechtelar CPA

Birthday: 1996-05-19

Address: Apt. 114 873 White Lodge, Libbyfurt, CA 93006

Phone: +5983010455207

Job: Legacy Representative

Hobby: Blacksmithing, Urban exploration, Sudoku, Slacklining, Creative writing, Community, Letterboxing

Introduction: My name is Merrill Bechtelar CPA, I am a clean, agreeable, glorious, magnificent, witty, enchanting, comfortable person who loves writing and wants to share my knowledge and understanding with you.