Data PrivacyGlobal Impact of India’s Reversal of the Data Protection Bill

February 8, 20230


India sought to develop a complicated new legislative framework for data protection in a significantly shorter time than Europe did with the General Data Protection Regulation (hereinafter referred to as “GDPR”).

This meant that flaws were unavoidable, and implementation difficulties were to be expected.  The Draft Data Protection Bill, 2019 (hereinafter referred to as “Draft Bill”) had three fundamental flaws: Data Localisation, Law Enforcement’s access to Data, and Inadequate Supervision.

These flaws, criticism from the opposition and push-back from big technological companies led to the government withdrawing the Draft Bill. This reversal has had quite a profound impact on both the domestic and global scales.


The following were some of the major drawbacks of the Draft Bill:

1. The Data Localization provision of the Draft Bill was believed to be the most contentious aspect of the legislation. This measure compelled data fiduciaries to keep “at least one serving copy” of personal data on an Indian server or data centre.

However, the Government had the power to exclude some kinds of personal data from this obligation. It could even deem some types of data “critical,” requiring them to be stored solely in India.

To put it another way, global internet intermediaries and services like Facebook, Uber, Google, Twitter, AirBnB, Telegram, WhatsApp, and Signal would have been obliged to physically host user data in India. The Draft Bill permitted the processing of Personal Data in the interests of state security if approved and in accordance with legal procedures.

2. Furthermore, the Draft Bill authorised the use of Personal Data for the prevention, detection, investigation, and prosecution of any crime or other violation of the law. Given India’s lax safeguards against state monitoring, the State’s access to all Personal Data constituted a huge danger to the right to privacy.

3. Another fear was that the Government, which has the most Personal Data on its citizens, including biometrics, would have used the data for surveillance or to violate privacy.

Because of inadvertent data leaks and unauthorised access by the Government Personnel, Aadhaar health data is vulnerable to cyber-attacks. Yet Chapter VIII Clause 35 of the Draft Bill absolved the Government from compliance with all rules to defend the ‘sovereignty and integrity of India, national security, cordial relations with other governments and public order’.

Due to these reasons, the Government was forced to reverse the Draft Bill. However, the impact of this reversal might be detrimental. With the Draft Bill being withdrawn, Ministry of Electronics and Information Technology (hereinafter referred to as “MeitY”) is speculating that Non-personal Data will be exempted from the Personal Data Protection Law.

A prospective replacement is still months away. Meanwhile, it’s unclear how consumers may register complaints or hold data processors liable for re-identification.


Discarding the Draft Bill has resulted into various opinions. Indian individuals, for example, would lose the Draft Bill’s measures against corporate spying while avoiding carve-outs for State surveillance, which only signals more instability in Indian privacy tech policy in the future years.

While one of the safeguards for Data Privacy currently is Data Anonymization; it might not be entirely effective. Personal data anonymization does not ensure individual privacy since information-protection procedures can be easily reversed.

This might result in the re-identification or de-anonymization of a dataset, disclosing the identity of an individual or group of individuals while breaching their privacy and subjecting them to a variety of consequences.

For well-trained hostile actors, de-anonymization is a rather simple process. In the event that this occurs, the citizens of India have no recourse to defend themselves due to the lack of a Data Protection Law.

Anonymised datasets may also be of interest to Regulators throughout the world since they fall outside of the typically severe rules of Personal Data Protection Law. The  Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information), 2011 (hereinafter referred to as “2011 Rules”) prohibits firms from doing anything with sensitive personal data that the individual has not consented to.

As the Government delays enacting a Data Protection Act, businesses are confused of what information should be anonymized and how, which has led in a patchwork approach to privacy protection. This is indicative of a bigger categorization issue in India, where definitions of personal and non-personal data, as well as what defines privacy, are in flux.

The Government viewed the Draft Bill as a weapon for putting pressure on foreign internet companies that did not comply with state requests. The Government wished to oppose so-called digital colonialism, in which Silicon Valley and other Western Tech Corporations enter India, spy residents, and take their information as well as the majority of the economic value back to their home nations.

In other respects, this gives power to nations with clear data protection agendas; Governments in Japan and Beijing, Regulators in Brussels, and others are adopting new policies and may have more leadership potential if countries feel the Indian Parliament is distant from passing a Data Protection Law. However, any firm or Government that wants to work with India on data concerns must keep an eye on what occurs next.

Meanwhile, the Government has been putting restrictions on social media companies, internet news services, and other businesses, including new legislation requiring  Virtual Private Network (hereinafter referred to as “VPNs”) to record user data and IP addresses for five years, in order to enhance its control and surveillance of the online environment.

The Government claims to present the Digital India Act this year, focusing on issues ranging from children’s and women’s safety to digital crime and content distribution via over-the-top media platforms such as Amazon Prime and Netflix.

The United States was also not a bystander in the privacy debate. American businesses, notably Amazon, Facebook, and Google had fought hard against the data localization requirements of the Draft Bill.

The United States Government had declared at the 2019, G20 conference in Osaka that it opposed data localization and policies that have been used to obstruct digital trade flows and violate privacy and intellectual property protections.

Big Tech companies despise such constraints on their data storage policies. The Asia Internet Coalition, a lobbying organisation comprised of Facebook, Google, Amazon, LinkedIn, Yahoo!, and other IT titans, dedicated a portion of its website to their opposition to cross-border data flow restrictions.

The Coalition argues that businesses require open cross-border data flows in order to take advantage of offshore Software as a Service (hereinafter referred to as “SaaS”) and cloud services and that dictating enterprises to determine which data must remain onshore and which data may be moved to the cloud is inefficient.

The reversal of the Draft Bill has provided respite to these companies since according to the MeitY, the Internet owing to its global nature and its foundational element being data, a robust internet innovation ecosystem must allow for unrestricted flow of data.

The Indian Government will allow for data to go offshore as long as the officials have access to it and security standards are maintained.


The reversal of the Draft Bill has left a lacuna in the laws governing Data Privacy. With no overarching governing law and confusion, the transaction costs imposed upon organisations that have elements of Data Anonymization have significantly increased. This reversal has however alleviated the concern of legalised misused of data by the Government Organisations. It has also benefitted big tech companies that were previously impacted by the restrictions on the cross-border flow of data.

– Team AMLEGALS assisted by Mr. Arth Doshi (Intern)

For any queries or feedback, please feel free to get in touch with or

© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.


Disclaimer & Confirmation As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking on the “I AGREE” button below, user acknowledges the following:
    • there has been no advertisements, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
    • user wishes to gain more information about AMLEGALS and its attorneys for his/her own information and use;
  • the information about us is provided to the user on his/her specific request and any information obtained or materials downloaded from this website is completely at their own volition and any transmission, receipt or use of this site does not create any lawyer-client relationship; and that
  • We are not responsible for any reliance that a user places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof.
However, the user is advised to confirm the veracity of the same from independent and expert sources.