India’s proposed data protection law has been a long time in the making. In 2018, a committee of experts constituted by the Indian government issued a first draft of a proposed law on data protection. In late 2019, a revised version of the draft, titled the Personal Data Protection Bill, 2019 (the “PDPB”), was introduced in the Indian Parliament. The PDPB was dogged by controversies, especially on exemptions that were afforded to government agencies, the treatment of anonymised data, data localisation requirements, and regulated cross-border transfers. For a deeper examination of the proposed law, the draft was referred to a Joint Parliamentary Committee comprising members of both Houses of the Parliament (“Committee”).

On December 16, 2021, the Committee finally presented the “Report of the Joint Committee on the Personal Data Protection Bill, 2019” (referred to as the “Report”) to the Parliament. The Report substantially consists of the Committee’s overarching recommendations on the PDPB and a revised draft of the PDPB. Now referred to as the Data Protection Bill, 2021 (hereafter, the “Bill”), the updated draft law contains the spirit of its predecessor – that is, it seeks to protect the digital privacy of citizens and create a relationship of trust between individuals and entities processing their data – but also goes several steps further.

Part 9 of this series discusses “Penalties” under the PDPB Bill.


The Bill prescribes varying penalties.

| Nature of Offence | Maximum Penalties |
| --- | --- |
| A data fiduciary’s failure to comply with its security and transparency obligations | The government has the right to prescribe penalties, but such penalties cannot exceed the higher of INR 150,000,000 or 4% of a data fiduciary’s worldwide turnover in the preceding year (or the higher of INR 50,000,000 or 2% of a data fiduciary’s worldwide turnover in the preceding year, depending on the nature of the offence). |
| A failure to comply with data principals’ requests in respect of data principals’ rights | Significant data fiduciaries: INR 1,000,000; Data fiduciaries: INR 500,000 |
| Failure to furnish reports and information to the Authority | Significant data fiduciaries: INR 2,000,000; Data fiduciaries: INR 500,000 |
| Failure to comply with orders or directions of the Authority | Data fiduciaries: INR 20,000,000; Data processors: INR 5,000,000 |
| Reidentification and processing of de-identified personal data without the consent of a data fiduciary or data processor | Both imprisonment of up to 3 years and a fine which may extend to INR 200,000 |
| Offences for which specific penalties have not been provided | Significant data fiduciaries: INR 10,000,000; Data fiduciaries and data processors: INR 2,500,000 |