India’s proposed data protection law has been a long time in the making. In 2018, a committee of experts constituted by the Indian government issued a first draft of a proposed law on data protection. In late 2019, a revised version of the draft, titled the Personal Data Protection Bill, 2019 (the “PDPB”), was introduced in the Indian Parliament. The PDPB was dogged by controversies, especially on exemptions that were afforded to government agencies, the treatment of anonymised data, data localisation requirements, and regulated cross-border transfers. For a deeper examination of the proposed law, the draft was referred to a Joint Parliamentary Committee that comprised of members of both Houses of the Parliament (“Committee”).

On December 16, 2021, the Committee finally presented the “Report of the Joint Committee on the Personal Data Protection Bill, 2019” (referred to as the “Report”) to the Parliament. The Report substantially consists of the Committee’s overarching recommendations on the PDPB and a revised draft of the PDPB. Now referred to as the Data Protection Bill, 2021 (hereafter, the “Bill”), the updated draft law contains the spirit of its predecessor – that is, it seeks to protect the digital privacy of citizens and create a relationship of trust between individuals and entities processing their data – but also goes several steps further.

Part 7 of this series closely looks at “Transparency, Accountability and Security” aspects of the PDPB Bill.


    1. Privacy by Design:
      Principles of privacy by design have been incorporated in the law and data fiduciaries are required to prepare policies in this regard and have them certified by the Authority.

    2. Transparency:
      Data fiduciaries are required to ensure and maintain transparency in their processing activities and make available specific information, such as details of personal data collected and processed, data trust scores, details of cross-border transfers, the use of algorithms utilised for processing personal data and the fairness of such algorithms, etc. The Authority has the power to prescribe regulations to govern the manner of how this information should be made available.

    3. Security Safeguards:
      The Bill requires all data fiduciaries and data processors to implement security standards and practices, which include de-identification and encryption techniques and the ability to protect the integrity of personal data and prevent its misuse, unauthorised access, modification, disclosure, or destruction. These safeguards should be reviewed periodically.

    4. De-Identification:
      (a) De-identification is a process by which a data fiduciary or data processor removes or masks identifiers from personal data or replaces identifiers with other fictitious names or code that are unique to an individual but do not, on their own, directly identify a data principal.
      (b) De-identification is a mandatory security safeguard.
      (c) The Authority will specify codes of practice to promote good practices of data protection, which will include methods of de-identification.

    5. Notification of Breach:
      (a) Data fiduciaries are required to mandatorily report any breach of personal data processed by them to the Authority within 72 hours of becoming aware of the breach.
      (b) The Authority has the right to determine whether the occurrence of such breach should be notified to data principals by accounting for the personal data breach and the severity of the harm to the data principal. Additionally, the Authority may direct the concerned data fiduciary to take steps to remedy the breach or mitigate the harm caused to the data principal.
      (c) The Authority has the right to determine steps and processes in the event of a breach of non-personal data.

    6. Data Protection Officer:
      (a) A significant data fiduciary must appoint a data protection officer (“DPO”) who must be senior level officer in the state or key managerial personnel in a company, or an employee of equivalent capacity in other entities.
      (b) The DPO has the several functions such as advising the data fiduciary in matters of compliance, developing internal mechanisms, carrying out data protection impact assessments, monitoring the processing activities of the data fiduciary, providing assistance to and cooperating with the Authority, maintaining inventory of records to be maintained by data fiduciaries and acting as a point for contact for grievance redressal.
      (c) DPOs must be based in India.

    7. Data Protection Impact Assessments:
      All significant data fiduciaries are required to undertake data protection impact assessments if they intend to undertake any processing involving new technologies, large-scale profiling or use of sensitive personal data, or other processing that carries a significant risk of harm to data principals.

    8. Data Audits:
      All significant data fiduciaries are required to undertake data audits that are to be conducted by independent data auditors.

    9. Compliance Certification Mechanisms:

      Upon the completion of a data audit, data auditors assign a “data trust score” to a significant data fiduciary. The Authority has the right to determine the criteria for this score.

Key Divergence from the PDPB

Breach notification requirements will also apply to security incidents that involve non- personal data

Under the PDPB, data fiduciaries were required to report data breaches to the Authority if the breach(es) were likely to cause harm to any data principal. This harm-based evaluation has now been removed, and data fiduciaries are required to report all security incidents to the Authority. The Bill also proposes a timeline of 72 hours for making such report.

A DPO must be a “key managerial personnel” within an organisation (or be an employee of equivalent capacity in another entity).