Article by Tsaaro


We currently live in a technological world. Without technology, neither our personal nor our professional lives could run well. You are even using technology to read this article. The 21st century is largely being ushered in by technology. New growth brings with it new issues and crimes. We are seldom aware of it, yet our daily interactions with technology result in the collection of our personal information, or data in the language of the market. The information gathered may include details about your location, past travel patterns, etc. Companies use this data for a variety of purposes, and it is frequently even used improperly.

General Data Protection Regulation:

The government of the European Union took action to tighten the regulations governing data protection and data privacy in the EU and the European Economic Area (EEA). The General Data Protection Regulation was thus created and replaced the Data Protection Directive on May 27, 2016. The General Data Protection Regulation finally established data protection and privacy as a matter of right on May 25, 2018. The purpose of enacting the GDPR was to give EU citizens the ability to prevent others from abusing their personal data and violating their privacy.

It is applicable to all 28 of the European Union’s member countries. It has taken the place of the 1995 Council and European Parliament Directive. The regulation was enacted in order to safeguard people from the processing of their personal data and from restrictions on how freely they may transfer that data. The GDPR has the same goal as the directive; however, the flaws in the directive were fixed by the new rule. The directive failed to eliminate enough risks and prevent legal ambiguity with regard to the security of individual users’ personal data.

Protecting natural people while their data is being processed is one of the major goals outlined in Article 1 of the General Data Protection Regulation:

  1. Protecting the freedom and basic rights of natural beings with relation to data protection.
  2. Safeguarding the personal information of living individuals.
  3. Enabling the free flow of personal data within the Union in order to safeguard individuals with regard to the processing of their data.


Evolution of GDPR:

The Fundamental Rights Charter and the Lisbon Treaty (Art 7 & 8)

The Data Protection Directive, the E-Privacy Directive, and the Data Retention Directive were all enacted.

The 2016 passage of the General Data Protection Regulation (REGULATION (EU)

Personal Data Protection Bill, 2019:

The General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) have a significant impact on the personal data protection law in India, which deals with the basic right to privacy, and was introduced to the Lok Sabha on December 11, 2019. 

Because the privacy of individuals was in danger as a result of the crucial use of data for the expansion of the digital economy, there was a need for such a law to protect the personal data of Indian data subjects.

Following the decision in the case of Justice K.S. Puttaswamy v. Union of India & Ors, India realized that there is an urgent need for data protection legislation. A group made up of 10 specialists and chaired by Justice B.N. Sri Krishna, a former Supreme Court justice, was established by the Ministry of Electronics and Information Technology in July 2017 to address this issue. The government changed the data protection law, and a ten-person committee produced a report on it on July 27, 2018. The Personal Data Protection Bill, 2019 (also known as the “PDP Bill”) was subsequently introduced before the Indian Parliament on December 11th, 2019. As stated in the Preamble, the goal of this Act is to address the growing privacy and data protection concerns by fostering an environment that promotes the development of a free and fair digital economy without violating people’s privacy.

However, the much-needed Personal Data Protection (PDP) Draft, 2019, was withdrawn by the Centre, and it was announced that it will be replaced with a new bill with a complete framework and modern digital privacy legislation. Limitations on the use of personal data without the people’s express consent were included in the abandoned Bill. Additionally, it had tried to give the government the authority to exclude its investigative agencies from the Act’s requirements, a proposal that was vehemently opposed by the opposition MPs who had submitted their dissent notes.

Why were there so many alterations and modifications?

Despite the constructive debate the 2019 Bill generated during its existence, there is little disagreement that India’s privacy laws require an update. Users (data principals) are continuously producing enormous volumes of personal data as a result of their continuous interactions with digital gadgets. When combined with the computing capability now accessible to businesses (data fiduciaries), this data can be handled in ways that increasingly undermine the autonomy, freedom of choice, self-determination, and privacy of the data principal.

The Indian data privacy law is primarily concerned with acquiring “prior consent” from the data subject and making sure data security safeguards are in place. There is no independent data protection authority, no history of court enforcement of data privacy rights, and limited rights for data subjects. However, considering that India did not have a constitutional right to data privacy when the PDP Bill was drafted in 2011.

Digital Personal Data Protection Bill, 2022:

An innovative piece of law, the recently published Digital Personal Data Protection Bill incorporates several comments and recommendations made on the Personal Data Protection Bill. Compared to earlier incarnations, the Bill is more industry-friendly when it comes to measures to control digital data. The new legislation, which differs from the PDP Bill in that it takes a narrower approach, aims to simply govern the data protection practices of digital data that meets the criteria for being personal data. This is consistent with the justifications offered by the administration for withdrawing the PDP Bill. The PDP Bill attempted to govern a wider area, including elements that would not necessarily fall under the purview of personal data protection.

All digitally processed personal data is subject to the DPDP Bill, 2022. In practice, this offers a slightly lower level of protection because it does not apply at all to any data that is processed manually, as opposed to prior drafts that only excluded data handled manually by small companies.

How successfully are data principals protected by the DPDP Bill, 2022?

The cornerstone of the majority of data protection laws is giving data principals the most control possible over their personal information. This is accomplished by requiring that the data principal get a thorough notice of all elements of data processing, upon which the data principal may expressly agree to such processing. Although there are a few instances when the processing of personal data is not based on consent, the data subject still has the right to view, modify, or delete their data as they see fit.


According to a comparison of the EU General Data Protection Regulation, the Personal Data Protection Bill, and the Digital Personal Data Protection Bill, there are significant similarities between the GDPR and both bills. Individuals’ personal data is becoming a traded commodity for brokers and dealers in the e-economy, as the digital economy is seeing an uptick and personal data is often used for commercial operations like e-commerce. As a result, there is a need to control the flow of data and the level of trust between people whose data is in question and those who make decisions about what to do with it.

Therefore, a strong legal framework is required now more than ever to, among other things, control the cross-border movement of the personal information of residents of India and to give them access to rights and legal recourse for the defense of their rights.

Thus, the Digital Personal Data Protection Bill, 2022, which has been heavily influenced by the GDPR, was created by the legislature to establish full-fledged legislation for data protection in India.
