<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=654132&amp;fmt=gif">

India's Joint Parliamentary Committee Announces Recommended Changes to Privacy Bill

Last month, the Indian Joint Parliamentary Committee submitted its report on the 2019 Personal Data Protection Bill after two years of consideration, research, and analysis. The bill, while not a certainty but likely to pass, would replace what some consider to be archaic data protection regulations. Although not finalized, the biggest obstacle if implemented as envisioned is strict data localization. India has been in the group of countries legislating data privacy for decades, culminating in the 2021 JPC report submission. Here’s a look at the history of data privacy legislation in India.


The History of Data Privacy Legislation in India

  • 2000 – Information Technology Act is passed by parliament and signed by President K.R. Narayanan addressing electronic documents, e-signatures, and record authentication.
  • 2017 – The Indian Supreme Court hears Justice KS Puttaswamy vs Union of Indiaand passes a historic judgment affirming the constitutional right to privacy.
  • 2019 – Introduction of the Personal Data Protection Bill and immediately sent to the JPC to be examined.
  • 2021 – JPC submits report on PDP to Indian Parliament revisions.


The long-awaited report submitted December 16, 2021 by the JPC has provided necessary clarification and modifications that seek to enhance the syntax and governance of the bill.


The recommended amendments are as follows:

  • Scope – The bill has a proposed name change to Data Protection Bill and will cover both personal and non-personal data which is unusual as distinction of data type can be difficult when managing mass amounts of data. Clauses also address the deceased and transfer of minor rights (see Clause 16 below).
  • Implementation Timeline – The report outlines a timeline with a 24-month implementation period for data processors to comply.
  • Definitions – The following terms have been defined or revised: consent manager, data auditor, data breach, data fiduciary, data processor, data protection officer, harm, and non-personal data.
  • Clauses 13 & 14 – These clauses apply to consent of personal data processing for employment and legitimate interest, marrying the interests of both the data principal and data fiduciary.
  • Clause 16 – Entities dealing with the data of children must register with the DPA and are required to communicate with the subject 3 months prior to adult age to regain consent and “must continue providing the services to the child unless the child withdraws consent.”


The implementation timeline for the Data Protection Bill is still unknown but will likely be a phased approach. Like California, there is discussion of an oversight committee called the Data Protection Authority of India that would supervise compliance with the proposed law. With the notable amendments to the bill, it’s unlikely we’ll see this come to fruition quickly. Not unlike most proposed privacy legislation, it has been met with dissent and opposition and will have to make its way through the courts of India before becoming law.


All Posts

What is a Subject Access Request?: Everything You Need to Know

The General Data Protection Regulation (GDPR for short) is made up of eight different principles that outline the guidelines relating to how personal data and information is collected and processed. 

The GDPR was first enacted in May of 2018, in conjunction with the Data Protection Act (DPA.) As most data privacy savvy individuals know, with GDPR, it gives users the ability to request their data. Similarly to GDPR, the California Consumer Privacy Act (CCPA) also allows users to submit subject access requests.  

So, what is a SAR? 

A Subject Access Request (SAR) is an important facet of the GDPR, CCPA and likely future privacy laws, as it is what allows employees and individuals to both request and receive a copy of all the personal data that a company or organization has collected about them. 

What else do you need to know about the SAR definition, and what information are you expected to provide? How can these access requests impact your company, and how can you properly manage these requests? 

Keep on reading this post to find out.

Your Responsibilities When Receiving a Subject Access Request

If someone has sent your company a SAR, you need to ensure that you follow all the regulations to the letter to avoid potential fines, investigations, and other serious problems.

First, be aware that "personal data" refers to both digital and paper records. (Click here for a more complete definition of the term "personal data.")

When it comes to GDPR, you only have 30 days to reply to the Subject Access Request, and that 30-day window begins on the day that you receive the SAR. However, if the requests are especially complex, or if an individual has made many requests, you may be able to extend that deadline by a maximum of two months. 

If your company plans to file such an extension, you must clearly outline and explain why you need the extension and inform the recipient that you are seeking an extension within a month of the initial SAR. 

You are not allowed to charge any fees when providing an employee or individual with a copy of their SAR data. In rare cases, you may be able to charge a "reasonable fee" if the request is especially excessive or repetitive, such as if an individual requests multiple copies of their personal data. 

You are also responsible for making sure that the individual receives a copy of their data in a standard format, or in a format that is agreed upon by the individual requesting to access data. 

What Information Should a SAR Contain?

Now that you're more familiar with your basic SAR requirements as a company or organization, let's talk about what information you need to provide when someone requests to access info about the data you've collected on them.

You need to tell the individual making the request why the data was collected, how you processed their data, and who their personal data has been shared with. 

You will also need to tell them how long you have had the data, and how much longer you plan to keep it. You are also obligated to inform an individual if their data was used to make an automated decision about them, and if their personal data has been used to make some sort of a profile about them. 

Remember that, as of this writing, there aren't any existing guidelines/rules about how someone must make a Subject Access Request. So, an individual or employee may even be able to send your company an email saying something like, "I would like to know the personal data you've collected on me" -- and that counts as an SAR. 

When You Do Not Have to Share Personal Data

In rare cases, your organization may not be required to provide an individual with a copy of the personal data you've collected about them. 

If the information being requested could compromise someone else's identity, your company isn't required to share it with the person making a request. After all, it would be a violation of another person's privacy, as you'd essentially be sharing their personal data with another person without their knowledge. 

Additionally, if the person who is making the request is currently the subject of a criminal investigation or the subject of an investigation regarding tax payments, you may not have to provide them with a copy of their data. 

The same goes for any matters potentially involving national security, settlement negotiations, and management forecasting. 

This is because having that kind of information could compromise the entire investigation. Be aware that, as of this writing, there isn't a set list of specific exemptions regarding when companies aren't required to provide an individual with a copy of their personal data. 

As you can see, the regulations surrounding a SAR can get complicated incredibly quickly. 

For this reason, many companies invest in privacy rights management software to help them to keep track of the requests and their responses to them. 

Need Help Responding to a Subject Access Request? 

We hope that this post has helped you to better understand what a Subject Access Request is, as well as grasp the responsibilities and potential exemptions that you are required to follow and provide as a company and employer. 

Are you interested in automating and scaling the way your company approaches privacy rights management? Need to future-proof the way you approach data collection, privacy, responses to Subject Access Requests, and more? 

The Truyo platform is able to help with all that and more. 

Reach out to us today to request your free demo.

We look forward to showing you how our software can eliminate operational overload, protect your customers, and help you to sleep better at night knowing your company's privacy rights management is in good hands. 

Truyo Product Preview

About Truyo
Powered by IntelⓇ, Truyo is the automated answer for enterprises seeking to deploy truly integrated SAR, consent, and other data privacy rights processing capabilities that scale with your needs, deliver conspicuous compliance, and adapt to new privacy regulations as they emerge.
Recent Posts

India's Joint Parliamentary Committee Announces Recommended Changes to Privacy Bill

Last month, the Indian Joint Parliamentary Committee submitted its report on the 2019 Personal Data Protection Bill after two years of consideration, ...

Log4J Vulnerability Update

At Truyo we take data privacy and security very seriously. Recently a security vulnerability was reported in the open-source Java library “Log4J” that...

Forrester Wave Announcement: Truyo Named Strong Performer

Report notes Truyo’s “management and fulfillment of individual privacy rights capabilities are some of the best in the market ” PHOENIX (Dec. 09, 2021...

Human Error: The Pitfalls of Manual SAR Response

In the age of information, organizations have increased the amount of consumer data housed in structured and unstructured environments. As consumers b...