Scroll Top



When a country or any organizational authority collects data from the public there arises a question, how far those data are safe? Even the digital India Scheme introduced in India also questions the protection of data of the citizens. In order to safeguard the data, there are legislations that govern the privacy and protection of data.

The European Union Citizen’s data are protected by the General Data Protection Regulation (GDPR), and the data that has been used by the companies present in Europe as well as the companies present in other countries that uses their data are also protected. In India, there are statutes that govern the transfer of data and the consequences of the data breach in the Information Technology Act, 2000[1]. Similarly, different laws have been followed by different countries related to data privacy and protection.


The objective of both laws deal with is the transfer of data for electronic commerce. Both specify that the collection of data must be for lawful purposes and the usage of those data must be only for the purpose for which those data have been collected. With regard to consent, the consent of the data provider is a pre-requisite for data collection and processing of data. There is also an option of withdrawal of consent which is provided.

The rectification right, informing right and consent withdrawal right are some of the similar rights quoted. Both contain internal policy adoption. Both have provisions that award compensation from damages in case of infringement. In case of a breach, both provide a fine as a punishment for the disclosure of information. Both provide a provision related to the redress mechanism. Both provide the obligation that the data transfers are permitted only when the party that receives offers an equal level of protection of the data[2].


The GDPR especially protects natural persons, their rights, and freedom related to data processing.[3] The principles mentioned in GDPR are applied with regard to the processing of the data. In the case of the IT Act, the principles in this Act are applied to the information that has been collected and used. The GDPR has specific provisions related to the lawfulness of processing the data but IT Act doesn’t have a specific provision. The GDPR defines consent, and has a special condition with regard to the consent of the child and also the act of the data controller in demonstrating those consent[4] but IT Act does not contain these. The GDPR uses the word “right” with regard to the significant rights provided but the IT Act has only some of the rights that have been described in GDPR. It contains the security for the processing which includes the appointment of a data security officer, conduction of impact assessment on privacy, and maintenance of processing records.  In GDPR the compensation is considered a right[5] and not in IT Act. When there is a breach of data the punishment for disclosing the information in GDPR imposes only civil liability but in the case of the IT Act, there is a liability of both civil as well as criminal. The redressal mechanism is a right in the GDPR[6] and not in the IT Act. Data transfers in GDPR cover international organizations but IT Act does not specify international organizations.

Thus, in comparison, the GDPR has wider applicability and will strengthen the data protection measures which build trust among the public. In the case of the IT Act, it doesn’t have wider applicability, doesn’t provide rights related to data processing and the main objective of this Act is to protect India’s intellectual property, which consists of a part for data security and not exclusively for data protection and privacy so there arises a need for separate legislation for the protection and privacy of data in the Indian context.


 It all started in Puttaswamy vs the Union of India [7]where it had sowed the seed for the need for legislation related to data privacy and protection in India. In 2012 Retired Justice K.S Puttaswamy filed a petition, challenging the constitutionality of Aadhaar on the ground, it violates the right to privacy, in the Supreme court. In this landmark judgment, announced on 24th August 2017, the “Right to Privacy” is also a fundamental right that was put forth according to Article 21 of the Indian Constitution pointing out that the right to privacy is not present explicitly in Article 21 but it is present impliedly. It was also stated in this judgment that the right to privacy is not a right that is absolute, but it should have a legal requirement and an aim that is legitimate and proportional.

In conclusion, this case put weight on the Indian Constitution to construct legislation for protecting the data of individuals.


 A year after this judgment, Personal Data Protection Bill, 2018 draft was released. The structure of this was based on combining both the EU’s GDPR and IT Act,2000.[8]. The paramount objective of this bill is to provide protection for the privacy of individuals’ personal data. The objective also includes the establishment of the Data Protection Authority, this bill also conducts the personal data processing by the government companies that are incorporated in India and foreign companies that deal with the individual’s personal data in India, comparing this it seems to be similar like the objective of EU’S GDPR. This bill also defined certain terms like personal data, and data fiduciary, and explains about redress mechanism, verification of age and consent of the parent when processing the child’s sensitive personal data, and the individual’s right, legal proceedings, and a significant thing that needs to be noted is the punishment and other liability, not only civil but also includes criminal liability were also mentioned in the bill which makes this as a notable feature.


In August 2022, the Indian Government had withdrawn the Personal Data Protection Bill,2019 even after proposing 81 amendments by Joint Parliamentary Committee (JPC). It was withdrawn by Union Minister for Electronics and IT, Ashwini Vaishnaw on the note that the Central Government will present a “comprehensive legal frame” by replacing the bill that has been withdrawn by keeping in mind the amendments that were proposed in the same[9]. The bill has criticism from many industry stakeholders, and also considering the reason that the bill provides major exemptions with regard to government departments, prioritizing the big corporation which in turn doesn’t respect the fundamental rights of privacy. Even though the first step in implementing laws for data protection has been taken by the Indian government there were problems that it had many amendments, and the start-ups held that the compliance was too intensive, with no clear explanation about data localization. Instead of completely relying on the GDPR, India must have a structured framework that is applicable in the Indian context for the growth of the Indian economy as well as protecting the personal data of the individual.


Thus, the EU’s GDPR is far more structured, has wider applicability, and was enacted with the objective of protecting the data and privacy of EU citizens. Even though the IT Act, 2000 has provisions related to data processing and liability related to the data breach it lacks the structural framework related to data privacy and protection, the definition of the terms, and a stringent liability for the breach of data. So, this paved way for the introduction of the Personal Data Protection Bill, 2019 after a landmark judgment by the Supreme Court of India that quoted the significance of the ‘Right to Privacy”.

So, the withdrawal of this bill led to the construction of a new bill which has to be as beneficial, reasonable, stringent, and trustworthy promising the privacy and protection of the data of Indian citizens. This new law would decide the future of India’s data privacy in present and the forthcoming digital era.

Author(s) Name: Shahana.P (Government Law College, Coimbatore)


[1] Information Technology Act, 2000, §72,No. 45, Acts of Parliament, 2000 (India).

[2] Aditi Chaturvedi, GDPR and India, CENTRE FOR INTERNET AND SOCIETY,

[3] European General Data Protection Regulation, 2018, art 1, Acts of Parliament, 2018 (Europe).

[4] ADITI,supra note 1.

[5] Ibid.

[6] Ibid.

[7] Justice K.S. Puttaswamy (Rtd) vs. Union of India, (2017) 10 SSC 1

[8] The Personal Data Protection Bill, 2019,

[9]Pankaj Maru, Why Personal Data Protection Bill 2019 withdrawn in India?, TECHHERALD (Nov. 15, 2022, 9:21 PM),,it%20in%20Parliament%20in%202019.