India: Cabinet Clears the Data Protection Bill

December 5, 2019
General Personal Data Protection Regulation (GDPR)

By Rupin Chopra and Reetika Wadhwa

Data Protection Bill and data classification

Indian Daily, The Economic Times has reported that the Union Cabinet[1] has cleared the Personal Data Protection Bill, 2018 (hereinafter referred to as ‘The Bill’). The Bill primarily focuses on providing a legal framework to protect the data shared by individuals on social media and other online platforms. The Bill comes in line with the European Union’s General Data Protection Regulation (GDPR), a regulation for the European Union countries to protect their data and privacy. The Bill when enacted will be a first of its kind as at present there is no law solely addressing the issue of protection of personal data and prevention of its misuse.

The Bill is prepared and modelled by an expert group headed by former Supreme Court Judge, Justice BN Srikrishna. With India being a huge internet market comprising of nearly 450 million internet users, introduction of this Bill would set a new benchmark for privacy laws in India. The Bill aims to keep a check on unregulated information shared on the internet and would help in identifying fake user accounts.

Data Classification

This Bill classifies the data into three broad categories – critical, sensitive and general.

  • Critical: The data classifies under the ‘critical’ category will be defined by the government from time to time. The ‘critical’ data has to be stored and processed only in India.
  • Sensitive: The data under the ‘sensitive’ category will include sectors like financial, health, sexual orientation, biometrics, transgender status, religious or political beliefs and affiliation. They can be stored only in India and explicit consent would have to be taken for processing such data outside India.
  • General: Any data not falling within ‘sensitive’ and ‘critical’ category would be classified as ‘general’ and can be stored and process without any restriction. The government through this way has tried to introduce the concept of consent in data sharing process.


The Bill proposes that unauthorized sharing of data would attract a fine of INR 150,000,000 or 4% of the company’s global turnover. Data breach or inaction would also attract a fine of INR 50,000,000 or 2% of the company’s global turnover.

Verification process

The Bill further proposes that social media platforms should introduce verification process for all the users to authenticate their identification. Those who do not opt for the same will be flagged to differentiate them from verified users. Though the Bill does not clarify upon any method to be followed for such verification and the companies shall have the liberty to devise a method on their own to comply with the process.

The present development indicates that the much awaited Data Protection Law may soon see light of the day. With technological advancement and data integration, the protection of confidential and valuable data is a primary and critical concern for any entity in this cyberage. However, the procedural compliances as enumerated in the Bill by the companies might be time consuming and would involve higher costs.


For more information please contact us at :