India is one of the most populous countries in the world, with a fast-growing base of internet users and a national identity number based on biometric data, but it does not have a comprehensive privacy law. This was the backdrop to the Supreme Court of India’s decision in Puttaswamy to recognise privacy as a fundamental right and to task the Government with framing a law on the issue.

Proposals for a new privacy law

The Government responded by constituting a committee headed by Justice B N Srikrishna. The Personal Data Protection Bill, 2018 is the product of a year’s work by that committee, based on discussions and consultations with stakeholders, including the public. It provides a blueprint which can be built upon and refined, bearing in mind the lessons learnt from other countries and the unique features and challenges of a country like India.

The Government hopes to present the Bill for parliamentary approval in the winter session of the Parliament this year. However, in September 2018, the Supreme Court of India pronounced its judgment on the constitutional validity of Aadhar, the Indian national identity number based on biometric data (MANU/SC/1054/2018). While the Supreme Court held Aadhar to be constitutionally valid, it struck down provisions of the law allowing private sector entities to use Aadhar. The Bill will have to be revisited in the context of this judgment.

The Bill and the GDPR

The Bill borrows heavily from the EU General Data Protection Regulation. While businesses should be able to replicate many processes that have already been implemented to comply with the GDPR, the Bill is not identical and contains a number of innovations.