Law: The regulation of personal data processing is currently limited to the Information Technology Act, 2000 ('the IT Act') and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ('the SPDI Rules') issued thereunder.
Regulator: There is no general data protection authority.
Summary: Data protection has been of growing concern in India since the Supreme Court of India declared privacy a fundamental right in the Puttaswamy case in 2017. Following the Supreme Court's decision, the Personal Data Protection Bill, 2019 ('the Bill') was formulated by the Ministry of Electronics and Information Technology in 2018 and subsequently referred to the Joint Parliamentary Committee ('JPC') under the Lok Sabha, the lower House of Parliament, for examination and recommendations in 2019.
After much delay, the JPC's report on the Bill was adopted and tabled in December 2021, containing 93 recommendations and a revised version of the Bill to be renamed 'the Data Protection Act, 2021'.
As of 3 August 2022, the Bill was been withdrawn and is no longer being considered in Parliament. However, on 18 November 2022, the new Digital Personal Data Protection Bill, 2022 was published for public consultation.