DATA PROTECTION POLICY AND LAW

Comparison between India and EU

Law & Information Technology Assignment

Submitted By:

Name: Sheenu John

Student ID: 20162459

BA. LL.B. IXth Semester (Self-Finance)

Faculty of Law, Jamia Millia Islamia

Submitted to Dr. Ghulam Yazdani, Associate Professor

(Faculty of Law, Jamia Millia Islamia, New Delhi)

(Date of Submission: November 4, 2020)

 ABSTRACT

As India moved towards the goal of a digital economy it needed an adequate law to protect
data and protection of rights of the citizens while keeping the personal data. On July 27,
2018, for the first time, India published a draft bill for a new, comprehensive data protection
law to be called the “Personal Data Protection Act, 2018," just a few weeks after the
European Union General Data Protection Regulation (GDPR) took effect on May 25,
2018. With the new law, the Indian government responded to a mandate from the Indian
Supreme Court, which had directed the government of India in August 2017 to enact
comprehensive data protection legislation. Before the Personal Data Protection Act became
effective in India, there was no omnibus data protection regulation, as in Europe. The new
Personal Data Protection Act of India was adopted and further developed many existing
principles of EU-style data processing regulation. It was also clear that companies cannot just
expand the coverage of their GDPR-focused compliance procedures to India without
addressing the subtle differences of the new Indian Personal Data Protection Act, and many
other differences compared to other jurisdictions' data processing regulations and data
privacy laws.

This paper analyses whether the digital developments in India are in consonance with the data
protection regime in India and in the world, where privacy is acknowledged as the
fundamental right, and also to look into whether India is successful in building the data
protection laws like GDPR (General Data Protection Regulation) of EU. It also briefly
discusses and reviews about the importance and political context of the draft bill, i.e. Personal
Data Protection Bill (PDPB) and its key provisions, and compares them to the EU General
Data Protection Regulation (GDPR).

KEYWORDS: Privacy, Data Protection, Constitution, General Data Protection Regulation,

Information Technology Act, Fundamental Right.

1|Page
 INTRODUCTION

The right to privacy is a fundamental right enshrined in many constitutions around the world,
as well as in international human rights law. The right to privacy is multifaceted, but a
fundamental aspect of it, increasingly relevant to people’s lives, is the protection of
individuals’ data.

Protecting the privacy of an individual in this digital age is essential to effective and good
democratic governance. However, despite increasing recognition and understanding of the
need of data protection and the right to privacy across the world, there is still a lack of legal
and institutional frameworks, processes, infrastructure and the knowledge and expertise to
support the protection of data and privacy rights. At the same time, the increasing amount and
use of personal data, together with the emergence of technologies enabling new ways of
processing and using it, mean that regulating an effective data protection framework is more
important than ever.

Data-Intensive Systems

Governments across the world are radically changing policies and infrastructure, in the hope
of enabling economic opportunity and attracting international investment, ensuring the
security of their societies, and strengthening institutions. Governments are continuously
creating new policies that demand more data from individuals: a vast change in the
relationship between the individual and the State through the accumulation of data. It is not
just about government, industry plays an essential role too: they promote the ideas, support
the sales of such systems, and provide the tools and services. They may also control the data.
All this results in what we call data-intensive systems. These are the systems which process
data about people, which generate additional data about people, and which rely on data to
make decisions about people.

With data-intensive systems, more often governments and industries see new opportunities:
for surveillance, income generation, and control. There are a few safeguards in place. The
urge for these changes is strongest in emerging economies where legal and technical
safeguards are weakest and there is little to no transparency of decision-making processes,
and limited rule of law, and the responsibilities of the private sector are blurred. What it
appears to us is that innovations in policy and technology are largely left unregulated and

2|Page
unchecked. This will have significant implications for privacy, and will transform the
exercise of power, creating new possibilities for oppression, strengthening existing
inequality, discrimination, and exclusion, and potentially leading to new forms.

Data Exploitation

Everything we do eventually generates data, whether we are in possession of a device or not.

Our devices, networks, and even homes generate vast amounts of data, so as our transport
systems, cars, payment systems, and cities, almost every single thing generates data through
us and about us. With all this data, we might be able to make the world a fairer, better,
cleaner, more sustainable, and safe place. The opposite may also be true.

Our devices, infrastructure and all are designed for data exploitation. Unfortunately, it is
beyond the ability of individuals themselves to control the ways in which data about their
lives is shared and processed. As a result, industry and government are amassing our data
with liberty. They aspire to a data-driven world which gives them the freedom to grab our
data, to look for patterns and similarities, to generate intelligence, and to make decisions
about us and the shape of our futures. We are not at all ready for the future which is already
being built for us. Our laws are not yet able to address these risks. Our technologies are
insecure and leak data. In turn, we ourselves are not secure.

Data can be generally classified into public data and personal data. Public data is that data
which is accessible to the public at large, such as, Court records, birth records, death records,
basic company details. Whereas, private data is data which is personal to an individual/
organization and cannot freely be disseminated by anybody without the prior permission of
the subject. It consists of financial details, family details, browsing details, preferences,
psychological characteristics, locations and travel history, behaviour, abilities, photographs,
aptitudes, and the like. It could also be a combination of these features or even inferences
drawn from the refined data.

3|Page
 1. WHAT IS DATA PROTECTION?

Data protection is generally defined as the law designed to protect your personal data. In
modern world, in order to empower us to control our data and to protect us from abuses, it is
essential that data protection laws restrict and shape the activities of companies and
governments. These institutions have shown repeatedly that unless rules restraining their
actions are in place, they will endeavour to collect it all, mine it all, keep it all, share it with
others, while telling us nothing at all, which is a dangerous thing to even imagine.

2. WHY IS DATA PROTECTION NEEDED?

Every single time you use a service, buy a product online, register for email, go to your
doctor, pay your taxes, or enter into any contract or service request, you voluntarily hand over
some of your personal data. Without you having any idea or understanding about the
particular situation, data and information about you is being generated and captured by
companies and agencies that you are likely to have never knowingly interacted with. The
only possible way in which citizens and consumers can have the confidence in both
government and business is by way of an effective and strong data protection practices, with
effective legislation to help reduce state and corporate surveillance and data exploitation.

Since the 1960s and after the extensive growth of information technology capabilities,
business and government have been storing this personal data in databases. Databases can be
effortlessly searched, edited, cross-referenced, and their data shared with other organisations
across the world. Once the collection and processing of data became worldwide, people
started asking questions about what was happening to their data once they provided it. Who
had the right to access those data? Was it kept accurately? Was it being collected and
transferred somewhere without their knowledge? Could it be used to discriminate or violate
people’s fundamental rights?

From all these questions, and amidst growing public concern, data protection principles were
devised through numerous national and international consultations. As of January 2018,

4|Page
around 100 countries had adopted data protection laws, with pending bills or initiatives to
enact a law in a further 40.

A strong data protection framework can encourage individuals, restrain harmful data
practices, and limit data exploitation. It is essential to provide the much-needed governance
frameworks, nationally and globally, to ensure individuals have strong rights over their data,
stringent obligations are imposed on those processing personal data and strong enforcement
powers can be used against those who breach these obligations and protections.

Privacy and data protection are intrinsically linked. We individuals, as citizens, customers,
and consumers, need to have the means and tools to exercise their right to privacy and protect
themselves and their data from abuse. It is necessary that the obligations of those processing
data are clear, so that they take measures to protect personal data, mitigate interference with
the right to privacy, and are held to be responsible when they fail to comply with obligations.
This is exactly the case when it comes to our personal data. Personal data is data (information
processed by automated means or kept in a structured filing system) which relates to an
individual. Data protection is mainly about safeguarding our fundamental right to privacy by
regulating the processing of personal data: providing the individual with rights over their
data, and setting up the systems of accountability and clear obligations especially for those
who control or undertake the processing of the data.

Indian citizens were subject to a few serious incidents of data breaches in the past year in
which their personally identifiable data including names, addresses and bank account
numbers were publicly accessible. Over 3.94 lakh cyber-security incidents were reported in
2019, according to information tracked by the Computer Emergency Response Team-
India (CERT-In). What is most alarming is the fact that the security breaches involved 48
websites of central and state governments. And these were not isolated incidents. Start-ups
like OYO, Vedantu and Nykaa among many others also fell victim to cyber hacking
exposing their users’ data. While the government had claimed to issue alerts and advisories
regarding the data breach incidents, there is still no law in place to take care of consumer’s
data and protect their privacy. After the Supreme Court expressed concerns over the breach
of citizens’ right to privacy, the government formed committee drafted a Personal Data
Protection Bill in 2018. In December, the revised version of the bill – The Personal Data
Protection Bill, 2019 – which will have an impact on how businesses collect data and the

5|Page
rights that users have over the data, was introduced in parliament by IT Minister Ravi
Shankar Prasad.

3. THE LAW

Overview of the privacy/data protection situation

Indian law has long acknowledged a constitutional right to privacy within its supreme
promise of a right to life and personal liberty and the right to freedom of speech and
expression. The nature and extent of this right has been historically the subject of
comprehensive judicial debate.

In August 2017, in Justice K. S. Puttaswamy and Anr. v. Union of India and Ors. 1, a
nine-judge bench of the Supreme Court of India undisputedly held that the right to privacy
was an intrinsic element of the promise of the right to life and personal liberty protected
under Article 21 of the Constitution of India and that it included, at its core, a negative
obligation to not violate the right to privacy and a positive right to take all actions required to
protect the right to privacy. Puttaswamy changed the contours of Indian privacy law, the
interpretation of the existing privacy rules, and raised the spectre of a robust common law tort
of violation of privacy, independent of statutory rules. The Supreme Court proceeded to
clarify that any law that encroached upon the right to privacy would be subject to
constitutional scrutiny, and would have to meet the three-fold requirement for:

 legality;
 necessity; and
 proportionality.

Moreover, the Supreme Court has crafted a positive obligation on the government to enact
legislation that adequately protects the right to privacy. Various High Courts are dealing with
data protection issues (export of data, transfer of data between group companies, and
adequacy of consent) from a post-Puttaswamy perspective. While a clear judicial trend
1
Writ Petition (Civil) No. 494 of 2012.

6|Page
cannot be identified, it is evident that data collection and processing efforts in India must
evaluate and anticipate the impact of Puttaswamy on Indian data law.

4. LAW RELATING TO DATA PROTECTION IN INDIA

India’s first legislation as a regulatory mechanism for data protection and privacy was the
Information Technology Act, 2000. Along with this, personal data is also protected under
Article 21 of the Constitution of India which guarantees to every citizen, the Right to
Privacy as a fundamental right. The Supreme Court has held in many of the cases that
information about a person and the right to access that information by that person is also
covered within the ambit of right to privacy. However, there were certain limitations which
the law came across making it less efficient as a legislation for data protection, such as
follows:

• The IT Act was not enacted with the primary obligation of providing data protection.

• The scope and applicability of the provisions of the IT Act on Data Protection is very
limited.

• The IT Act does not mention any particular governmental agency which would govern data
protection in India.

• The IT Act does not impose any penalties for data breach except Section 72 A.

• The IT Rules apply only to a restricted scope of sensitive personal data.

• The IT Rules are apply only to electronically generated and transmitted information.

• The IT Rules exempt the government/ state from liability. They are only applicable to body
corporates when a contractual agreement is not already in place, meaning thereby it can be
easily bypassed by entering into a contract.

Due to all these drawbacks of the Information Technology Act, it was then decided that a
committee under the leadership of Retd. Justice B N Srikrishna would be constituted to
propose a new draft statute on data protection. The Government of India has issued the
Personal Data Protection Bill 2019 based on the recommendations of the committee. This

7|Page
Bill, if successfully passed by both the houses, will be India’s first legislation on the
protection of personal data.

5. SIGNIFICANT CHANGES PROPOSED TO PERSONAL DATA

PROTECTION LAW IN INDIA

The Personal Data Protection Bill, 2019, was introduced last year in the parliament, which
would create the first cross-sectoral legal framework for data protection in India. However,
the bill does not correctly address privacy-related harms in the data economy in India.
Instead, the bill proposes a preventive framework that overruns government intervention and
strengthens the state, which would eventually result in a significant increase in compliance
costs for businesses across the economy and to a troubling abatement of privacy vis-à-vis the
state.

After the 2017 Supreme Court case of Justice K.S. Puttaswamy v. Union of India, where
while deciding the case, the court held that the Indian Constitution included a fundamental
right to privacy2.  Thus, the jurisprudence on privacy changed to being the right to privacy as
an end in itself.

Impact on foreign investors

It is believed that the 2019 Bill once enacted into law will bring India at par with several
global jurisdictions in terms of the checks and balances for data protection particularly, in
line with the European Union’s General Data Protection Regulation (GDPR). The 2019 Bill
was drafted based on the model of European Union on GDPR, but in some areas, it is
understood to have certain provisions far more stringent than GDPR.

6. CRITICISM ON THE REVISED BILL

2
In the summer of 2017, the Indian government set up a committee of experts on data protection to examine the
issues relating to data privacy, chaired by a retired Supreme Court judge, B. N. Srikrishna. The committee
submitted a report a year later, and a draft bill. The current bill in parliament is a modified version of that draft
bill.

8|Page
The Bill resulted in controversy for being different from what was proposed by the expert
group in its first draft in July 2018. The Indian government, through the proposed law,
wanted to allow law enforcement agencies and authorized third parties to have access to
citizen data, to investigate crimes faster. In other words, it will exempt any government
agency from legal obligations and liabilities while encroaching the citizen’s data without their
prior knowledge. This, of course, has led to a resistance, and delayed the passing of the bill.
Justice BN Srikrishna, the chief architect of the draft law, also criticized about the bill by
telling that the said law can turn India into an ‘Orwellian State’.
Several industry experts have opined that unaccounted access to personal data of customers
might lead to data -misuse, as in the case of Jaspreet Singh, cybersecurity leader at EY told
CISO MAG, who said, “The Bill provides an exempt to any agency of government from
the application of Act in the interest of sovereignty and integrity of India, the security of
the country, cordial relations with foreign nations, public order. The unlimited
government access is like a two-sided coin scenario. On one hand, the data protection
bill is a part of the government’s efforts to have more control of data and help it track
unlawful activities by using digital footprints. On the other hand, the user’s access may
give the government unchecked access to personal data of customers in the country
leading to data -misuse and unauthorized access.”

7. HOW DOES THE NEW BILL IN PARLIAMENT DIFFER FROM THE OLDER
DRAFT BILL?
The most important differences are the relaxations given to government agencies, the
relaxations or exemptions given to small entities (businesses that collect data manually), the
criminalization of some actions, and the treatment of non-personal data that is the information
that doesn’t contain any personal details. 

First, the new bill gives the Indian government much more freedom for exclusion from
liability. The old bill allowed an unrestricted access to use personal data in the interests of
national security, but only if this was authorized by parliament and deemed “necessary”. The
new bill allows the government to exclude its agencies from the law on much more broadly
defined grounds.

Second, both versions of the bill allow exemptions for small busineses that look after
customers’ personal information manually. Under the old bill, these businesses were required

9|Page
to meet three conditions, based on annual turnover; whether they shared personal data; and
how much personal data they processed. However, under the new bill, the new Data
Protection Authority determines which small businesses qualify for exemption.

Third, the old bill listed out several actions as criminal offenses such as causing harm by
obtaining, transferring, or selling personal data; and re-identifying and processing anonymous
personal data without consent. But the new bill considers only the latter as a criminal offense,
although other violations could also be penalized.

Fourth, the old bill did not cover non-personal data. The new bill gives authority to the
government to acquire and use non-personal data, in order to better deliver services or to
develop evidence-based policies.

The final big difference deals with where personal information is stored. The old bill only
mandated a copy of all personal data to be stored in India. But the new bill insists on storing
all sensitive personal data in India. It may be transferred abroad if required for health or other
emergency services, or if the government decides to permit it.

8. REGULATORY FRAMEWORK IN EU
 
A notable development in the data protection policy in the EU, has been the introduction of
the Regulation of the European Parliament and the Council (EU) 2016/679 of 27 April,
2016 on the protection of personal data of the individuals from processing and on the free
movement of such data and the repeal of Directive 95/46/EC (General Data Protection
Regulation or Regulation).
 
The provisions contained in the Regulation are applicable from 25th May 2018. It is worth
notable, that in accordance with Article 288 of the Treaty on the Functioning of the
European Union, the Regulation is binding in its entirety and is straight-away applicable in
all Member States of the EU. Therefore, this Regulation does not need an additional
implementation of acts of national law, as the provisions included in it are binding from the
date of its entry into force. A significant feature of the Regulation is also its direct effect,
which means, that both the Member States and the units can rely directly on the measures
contained in the Regulation. 

10 | P a g e
 9. WHAT ARE THE DIFFERENCES BETWEEN INDIA’S NEW BILL AND
THE EU’S DATA PROTECTION LAW, THE GDPR?

There are some major differences between the two. First, the bill grants India’s central
government the power to exclude any government agency from the bill’s requirements. This
relaxation can be given on grounds related to national security, national sovereignty, and
public order. While the GDPR offers EU member states similar escape clauses, they are
strictly regulated by other EU directives. Without these safeguards, India’s bill potentially
gives India’s central government an unrestricted authority to access individual data over and
above existing Indian laws such as the Information Technology Act of 2000, which dealt
with cyber-crime and e-commerce.

Second, India’s data protection bill allows the government to order firms to share any of the
non-personal data they collect with the government, which is not in the case of GDPR.
According to the central government, bill says this is to improve the delivery of government
services. But it does not clarify how this data will be used, whether it will be shared with
other private businesses, or whether any compensation will be paid for the use of this data.

Third, the GDPR does not mandate the businesses to keep EU data within the EU. They can
transfer it overseas, provided that they meet conditions such as standard contractual clauses
on data protection, codes of conduct, or certification systems that are approved before the
transfer. The Indian bill permits the transfer of some personal data, however sensitive
personal data can only be transferred outside India if it meets requirements that are similar to
those of the GDPR. Furthermore, this data can only be sent outside India to be processed; it
cannot be stored outside India. This will create technical issues in characterizing between
categories of data that have to meet this requirement, and add to businesses’ compliance
costs.

SIMILARITIES

1. Both the legislations have been allowed the data processing for prevention,
investigation, detection, or prosecution of criminal offenses. GDPR and PDP bill
discuss ‘public security’, ‘defence’, and ‘judicial proceedings’.
2. EU’s GDPR and India’s PDP bill, are based on the concept of consent which means
data processing should be allowed when the individual allows it.

11 | P a g e
 3. Both provide similar rights to the individual that includes: the right to correction, the
right to data portability, and the right to be forgotten.
4. Both regulations have some similar duties like – dispute resolution and codes of
conduct.

10. COMPARATIVE ANALYSIS OF PERSONAL DATA PROTECTION BILL

(PDPB) AND GENERAL DATA PROTECTION REGULATION (GDPR)

The 2019 Bill appears to be drafted in accordance with the principle around the GDPR. For
this reason, GDPR compliant organisations would have lesser challenges in implementing the
Indian framework, as may be applicable. However, the 2019 Bill has certain key deviations
from GDPR such as the fact that characterization of data under the 2019 Bill is more distinct
than GDPR; there is also likely to be a variation in the frame work around determining
whether or not data can leave the country. A GDPR based health check of the activities of the
Indian operations continues to be a useful tool, assuring compliance under European norms
and laying the framework for future rules and regulations in India.
Similar to the GDPR, and in accordance with the decision of Puttaswamy, the Bill also
provides for a consent-based approach while processing data. In case there is no consent, the
Bill also provides for the following grounds of processing:

 for the mandatory functioning of the State, the Parliament, or State Legislatures;
 to abide with orders or judgments of courts or tribunals;
 for purposes related to employment;
 for immediate action, such as in cases of medical emergencies, disasters, and
breakdowns of law and order; and
 for legitimate purposes, such as whistleblowing, mergers and acquisitions, credit
scoring, debt recovery, etc.

12 | P a g e
 11. RIGHTS OF DATA PRINCIPLES

The Bill provides a statutory scheme for the fundamental rights affirmed in Puttaswamy. Data
principals have the right to:

 confirm and access personal data collected;

 correct or update it;
 access their personal data in normally used forms , similar to the concept of data
portability under the GDPR; and
 erasure, if the objectives of processing are fulfilled.

Furthermore, the Bill provides a right to be forgotten, which directs the data principals to
prevent the disclosure of personal data if the disclosure is no longer required or has served the
objective for which it was made, if the consent that allowed such disclosure has been
withdrawn, or if the disclosure is made contrary to applicable laws. The Bill also tries to
provide a harmonizing act between this right and the constitutional guarantee of the freedom
of speech and expression and the right to information. However, the practical exercise
remains to be seen.

12. PENALITIES

Breach of different provisions of the Bill would result in different penalties. Similar to the
situation under the GDPR, violation by a data fiduciary of a category of obligations may
attract a penalty of up to INR 50 million or 2% of the data trustee's total global turnover of
the previous financial year, whichever is higher. A violation by a data fiduciary of obligations
in respect of processing of personal data or sensitive personal data, cross-border transfer of
personal data, and adherence to the security safeguards detailed in the Bill may attract a

13 | P a g e
penalty of up to INR 150 million or 4% of the data fiduciary's total worldwide turnover of the
preceding financial year, whichever is higher.

13. WHERE THE BILL STANDS TODAY?

The much-awaited Bill, which was expected to be turned into a law by the end of 2019, has
been put on hold for now due to severe concerns raised about the variations made in the
proposal. The PDP Bill lays down provisions for hampering the misuse of personal data in
the country. It authorizes data processing activities like data protection, storage, and
management. On the other side of the fence, the Bill, if passed, could bring major
repercussions for national security, foreign investment, and international trade.

The European Union (EU) continues to be ans extensive market for the IT/BPO industry in
India.3 Currently, India’s Data Protection Bill, 20194 is still not enacted into a law, there are
many challenges that India is still facing while entering into data processing agreements with
EU. EU has been one of the largest markets for the Indian outsourcing sector and India’s
comparatively weak data protection laws make us less efficient than other outsourcing
markets in this space. Moreover, Article 3 (Territorial scope) of the General Data
Protection Regulation (GDPR) makes sure that the regulation will be applicable irrespective
of whether or not the processing takes place in the EU, thereby meaning no business for
Indian companies that do not comply with the GDPR or increased compliance costs for those
who do and the risk of huge penalties on failing to do so.5

3
India gets ready for EU’s new data regime, Rahul Kumar, 25 April
2017, https://www.cioandleader.com/article/2017/05/02/india-gets-ready-eu%e2%80%99s-new-data-regime
4
Personal Data Protection Bill, 2019.
5
How can Indian organisations prepare for the GDPR regime?, Sivarama Krishnan.

14 | P a g e
 CONCLUSION

Privacy is the ability of an individual or group of individuals to handle its personal affairs and
information in a manner that only those information are revealed which they voluntary
provide or prefer to give any third person selectively. The amount at which private
information is exposed therefore depends upon how the general society will perceive this
information, which differs from places to places and also over time. Privacy partially
interrelates security, including for instance the concepts of proper use, as well as protection,
of information. Data protection is an issue which is currently given great importance as our
transnational exchange of private information grows due to the speedy advancement of
technology and its increasing usage in the digital era. Laws act as a check to wrongful
conduct or activity if they are applied with certainty and speed: both sadly deficient in the
Indian judicial system. Unless addressed, the systemic problems of enforcement in India, and
specifically, of unresolved cases due to court delays, will continue to render India’s data
protection laws inadequate. India must consider to take this matter seriously and expediently
adopt this system of specialized courts in order to render adequate protection to data and
maintain its growing presence in the global technology arena.The requirement at present is to
balance the key definitions such as personal data in the data protection legislation. This will
make sure that a right of action lies in both the regulations of GDPR and PDP. Even if a
foreign company or a corporate body cannot be brought to the national court, harmonisation
will at least make sure that a data subject has a right to seek damages in the international
court. The aspect discussed in this paper is regarding two jurisdictions. However, consider,
for instance, the challenges that could occur when more than two jurisdictions are involved.
For example, an Indian Company is having an office in Canada and that office is doing

15 | P a g e
business in data from the European Union. In such cases, the best way to provide data
protection rights is by balancing or harmonisation, and this can only be achieved with the
help of international cooperation with other nations. Thus, data protection in the age of
internet needs multilateral international settlements. The international reign of data protection
is complex in today’s world. There is no proper international agreement or contract which
governs the data protection legislation across the world, which has resulted in a difference in
the critical terms of data protection when GDPR and PDP are compared, which can be used
by corporates as a measure to get away with liability. So, the aim must be not to let anyone
contravene the data protection principles and guidelines by using this uncertainty and get
away with it. To deal with this and safeguard the privacy of data subject, international
cooperation in data protection is important.

BIBLIOGRAPHY

STATUTES:

 The Personal Data Protection Bill, 2018

 The Information Technology Act, 2000
 The General Data Protection Regulation, 2018
 The Constitution of India, 1950

LINKS REFERRED:
 https://www.analyticsinsight.net/indias-personal-data-protection-bill-resembles-eus-
gdpr-china/
 https://carnegieindia.org/2019/05/15/will-gdpr-style-data-protection-law-work-for-
india-pub-79113\
 https://www.lawteacher.net/free-law-essays/business-law/data-protection-laws-in-
india-business-law-essay.php
 https://www.legalbites.in/data-protection-regime-india/
 https://entrackr.com/2020/02/personal-data-protection-bill-2019-concern-both-
citizens-and-companies/
 

16 | P a g e