
India's Joint Parliamentary Committee Announces Recommended Changes to Privacy Bill

Last month, the Indian Joint Parliamentary Committee submitted its report on the 2019 Personal Data Protection Bill after two years of consideration, research, and analysis. The bill, which is likely though not certain to pass, would replace what some consider to be archaic data protection regulations. Although the bill is not finalized, its biggest obstacle, if implemented as envisioned, is strict data localization. India has been among the countries legislating data privacy for decades, culminating in the 2021 JPC report submission. Here’s a look at the history of data privacy legislation in India.


The History of Data Privacy Legislation in India

  • 2000 – Information Technology Act is passed by parliament and signed by President K.R. Narayanan addressing electronic documents, e-signatures, and record authentication.
  • 2017 – The Indian Supreme Court hears Justice KS Puttaswamy vs Union of India and passes a historic judgment affirming the constitutional right to privacy.
  • 2019 – The Personal Data Protection Bill is introduced and immediately sent to the JPC to be examined.
  • 2021 – JPC submits its report on the PDP, with recommended revisions, to the Indian Parliament.


The long-awaited report, submitted December 16, 2021 by the JPC, has provided necessary clarification and modifications that seek to enhance the syntax and governance of the bill.


The recommended amendments are as follows:

  • Scope – The bill has a proposed name change to Data Protection Bill and will cover both personal and non-personal data, which is unusual because distinguishing between data types can be difficult when managing mass amounts of data. Clauses also address the deceased and transfer of minor rights (see Clause 16 below).
  • Implementation Timeline – The report outlines a timeline with a 24-month implementation period for data processors to comply.
  • Definitions – The following terms have been defined or revised: consent manager, data auditor, data breach, data fiduciary, data processor, data protection officer, harm, and non-personal data.
  • Clauses 13 & 14 – These clauses apply to consent of personal data processing for employment and legitimate interest, marrying the interests of both the data principal and data fiduciary.
  • Clause 16 – Entities dealing with the data of children must register with the DPA and are required to communicate with the subject 3 months prior to adult age to regain consent and “must continue providing the services to the child unless the child withdraws consent.”


The implementation timeline for the Data Protection Bill is still unknown but will likely be a phased approach. As in California, there is discussion of an oversight committee, called the Data Protection Authority of India, that would supervise compliance with the proposed law. With the notable amendments to the bill, it’s unlikely we’ll see this come to fruition quickly. Like most proposed privacy legislation, it has been met with dissent and opposition and will have to make its way through the courts of India before becoming law.



7 Things to Remember When Responding to a Data Subject Access Request

The landscape of data compliance is one of the most rapidly changing and important areas of business right now.

Web 2.0 has changed the internet and how connected we are. Companies in Silicon Valley, social media, and all other industries have made it a regular business practice to gather data from their users and customers.

If you work in an industry that collects data, you need to be on the right side of the law and ethics. In this regard, you'll need to know what is required of you when a user makes a data subject access request.

These requests take place when a user asks the company about how their data was gathered and used.

Here are a few things you need to keep in mind when you have to respond to one of these requests.

1. You Have to Spell Out What Data Was Taken and Confirm That it is Being Processed

These data requests mean that you have to be completely transparent about the nature of the data that you gathered, and will need to confirm that you used data once a request is made.

The last thing you should do is be evasive or untruthful about this practice. Companies are required to let users know in a privacy policy that they are agreeing to their data being used.


2. Outline Your Purpose For Taking the Data

In addition to letting people know that you used their data, you will also need to let them know why.

There is always a purpose for gathering data, and this typically revolves around marketing or some form of analytics to get to know your customer better. Your response to the request needs to outline specifically how you have used or intend to use the data.

3. Respond to the Request and Let Them Know That it is Being Addressed

Time is of the essence when you are responding to a data access request. It is not only a matter of good business, but you are also required to provide a show of good faith to let your users know that you are taking the matter seriously.

In this regard, be sure to properly document the time and date of the request, and respond to the user letting them know that more information is forthcoming. When you receive one of these requests, the law states that you have a month to respond to it.

4. Explain How Long the Information Has Been Taken

Timetable is everything when it comes to a data request. You need to let your requester know the date that you began collecting the information and how long it has been happening. You also need to let them know how long you intend to use it.

When you have a privacy compliance software package, you can quickly pinpoint these sorts of instances so you can respond accurately and completely.

5. Be Sure That You Comply Transparently and Let Users Make Requests Digitally

Not only should you reply on time, but you'll also need to be as transparent about the request as you can.

Quote the user's request back to them so that you're fully above board about your acknowledgment. By law, you must also allow your users to make requests digitally.

This speeds up the transparency and turnaround times of these requests and puts more options in the hands of your users.

6. Responding to These Requests Has to Come Free of Charge

You're also required to respond to these requests free of charge. This means that you will have to handle the research, resources, and documentation that is required and foot the bill.

If you're tempted to charge a fee, make sure you avoid this inclination so that you can stay on the right side of the law and ethics.

Handling these requests at no charge sends the message to users that you take their data seriously and won't put up any roadblocks to making that happen. When fees are involved, it might exclude requests from people who can't afford it or aren't willing to pay.

This keeps the entire process honest and is a good faith way of practicing. It allows you to show that you care about protecting users' data and are willing to openly address any concerns or questions that they have.

Make sure that you have the resources in place to handle every part of the requests so that you don't have to lose too much time or money gathering information. This is where having the help of a third-party compliance management company will be useful.

These companies will do the legwork of responding to these requests so you don't have to.

7. Verify Proof of ID Before Responding to a Request

The biggest way you can respect users' data is by asking them to show ID and to verify their identity. This way you are acknowledging the identity of the recipient, and verifying that they are who they say they are before giving out information about their data.

Make sure that the ID verification process is straightforward and simple.

Respond Properly to a Data Subject Access Request

Respecting your users' privacy is more important than ever in this day and age. For that reason, you'll need to be diligent about responding to a data subject access request.

When you need help managing data subject requests, our company has the resources that you need.

Get in touch with our team today to learn more about how we can help you.

About Truyo
Powered by IntelⓇ, Truyo is the automated answer for enterprises seeking to deploy truly integrated SAR, consent, and other data privacy rights processing capabilities that scale with your needs, deliver conspicuous compliance, and adapt to new privacy regulations as they emerge.