INDIA: Draft privacy law.

Srijoy DAS | INDIA | 15 February 2023

In November 2022, the Indian Government released the latest in a series of draft privacy laws. The draft restricts overseas transfers to countries other than those that will be notified by the Indian Government, which may prove to be a hurdle for foreign franchisors that may require access to the Personal Information of Indian Data Subjects.

India’s data privacy laws currently consist of subordinate legislation by way of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘the SPDI Rules’), a series of sector-specific regulations, and legal precedent, including a ruling by the Indian Supreme Court recognizing the right to privacy as a fundamental right guaranteed by the Indian Constitution.

There has long been a need for India to have a specific law on the subject of data privacy. Multiple drafts have recently been presented by the Government but withdrawn for a host of reasons, including the cost of implementation they would impose on Indian businesses and how difficult they would make doing business in India, under a Government that prides itself on having jumped 79 places in the Doing Business Rankings over the last several years.

The newest avatar of the draft privacy law has come in for criticism because of the large number of areas in which the Government may prescribe how the law will be put into effect, including the listing of countries where Personal Information of Indian Data Subjects may be shared. The current Bill does, however, allay fears that it would be wide-ranging and bring non-personal data within its ambit. The new Bill gives serious teeth to a Data Privacy Board, which is intended to be appointed and which may impose serious financial penalties of up to USD 61 million. Serious financial penalties currently do not exist in Indian law under the SPDI Rules.

Some franchisors and manufacturers, including those based overseas, may well be classified as Significant Data Fiduciaries, a category of Data Controllers that will be identified and notified by the Indian Government based on the volume and sensitivity of the data they deal with. Significant Data Fiduciaries will be saddled with additional responsibilities, including being required to appoint a resident Data Protection Officer and to undertake a Data Protection Impact Assessment when prescribed.

Having said the above, the draft law is a significant distance from becoming binding law. The Digital Personal Data Protection Bill 2022 will still need to be tested on the floor of both houses of Parliament.

Given the potential repercussions, it would be very prudent for franchisors and other international businesses looking to make forays into the Indian market to closely monitor any developments in this space.


Srijoy Das, IDI Country Expert for agency & franchising in India

Dhruv Singh
