top of page
  • Writer's picturePGCL Moot Court Society

Decoding Tech Laws in India

Updated: May 1, 2022

- Ritu Bavishi & Atharv Lama

What is technology law?

Technology law is currently one of the most popular areas of the legal profession. It is what protects you and your data. It also provides a fair and competitive marketplace for vendors and buyers, and it could answer some of modern society's most pressing concerns, such as robotics and artificial intelligence in the near future.

It's a law that regulates how technology is used in both the public and private spheres. It is in charge of overseeing all the ways in which modern devices and communication methods affect society. It encompasses all types of law relating to the practical application of scientific knowledge. It is a branch of law concerned with what the government can do with the information obtained through technological means. It also covers the rights and responsibilities of private corporations, individuals, and government agencies when it comes to technology.

The advancement of technology has serious implications for businesses, consumers, entrepreneurs, and everyone who wants to convey a message to the rest of the world. However, it raises a slew of new concerns and ethical conundrums. With so much of our data online, we become increasingly vulnerable to hackers, potential fraudsters, and commercial irresponsibility. Technology law, despite its ever-expanding breadth, is principally concerned with setting the framework for the collection, storage, dissemination, and use of information in the digital world.

Technology law includes intellectual property rights which is a complicated area of the legal system that deals with conflicts over who 'possesses' intangible 'property' such as creative works, copyrights, patents, and trade secrets. Technology law protects the creators who come up with innovative concepts and secures their rights to distribute their work.

Data Privacy

The misuse of technology leads to data privacy breaches, which is a major source of concern. A breach of data privacy can expose a person's personal information to the wrong hands without their agreement, allowing it to be exploited. Consequently, it is critical that laws be enacted to address this issue.

Currently, India has no explicit data privacy regulations. Data privacy is governed by the existing IT Act of 2000 and IT Rules of 2011. Parliamentarians, on the other hand, have produced the Protection of Data Privacy Bill, 2019. The bill's drafting is the country's first step toward attempting to legislate data protection on a national level.

The Protection of Data Privacy Bill is based on the initial draft prepared by a committee chaired by retired Justice BN Srikrishna. However, the current bill deviates from those recommendations.

The Supreme Court of India declared privacy to be a fundamental right guaranteed by the Indian Constitution. It also advised that the Indian Central Government establish a data protection policy that balances the needs of individuals with the legitimate concerns of the state, all while encouraging entrepreneurship and innovation. In the same year, the government formed an expert group led by former Supreme Court Justice B.N. Srikrishna to prepare a Personal Data Protection Bill that would "enable expansion of the digital economy while keeping people's personal data secure and secure." The expert committee's report was submitted along with a draught data protection law.

Key committee recommendations

Timelines for implementation (Clause 1): The bill for 2019 did not include a deadline for implementing its provisions. According to the updated bill, "an estimated term of 24 months may be allocated for implementation of any and all aspects of the Act so that data fiduciaries and data processors have ample time to make the required modifications to their policies, infrastructure, processes, and so on." It is suggested that the data protection authority begin its work within six months, that data fiduciaries be registered within nine months, and that the appeal tribunal begin its work within 12 months after notification.

Scope (Clause 2): The scope of the Personal Data Protection Bill has been broadened to include both personal and non-personal information. The measure has been renamed "Data Protection Bill (Bill)" from "Personal Data Protection Bill." because "it is impossible to discern between personal data and non-personal data when mass data is collected or conveyed," the same regulator is required to control both types of data.

Processing of personal data without consent (Clauses 13 and 14): Non-sensitive personal data processing for employment reasons now includes instances in which "such processing is essential or might reasonably be expected by the data principal." If "the processing is essential for reasonable reasons as may be prescribed by regulations," legitimate interest is now clearly spelt out as a justification for processing personal data, balancing the interests of both the data principal and data fiduciary.

Processing of personal data of children (Clause 16): Exclusively dealing with children's data, data fiduciaries must register with the DPA. The data fiduciary must notify the child three months before the child reaches the age of majority so that the child can choose whether or not to offer consent again, and the data fiduciary must continue to provide services to the child unless the child withdraws consent. The fact that children's personal data will henceforth be used to defend their rights is a good improvement.

User rights (Clauses 17, 19, and 23): The data principal will now be able to nominate a legal heir or representative to decide how their data will be treated in the event of a casualty or death. Data portability can no longer be denied on the basis of trade secrets, and data portability can only be denied on the basis of technological feasibility, which must be strictly assessed by the legislation. The data fiduciary must also verify that algorithms and techniques for processing personal data are transparent and fair.[1]

Views on implementation

Setting up the DPA and other accompanying infrastructure, as proposed in the study, is one of the important operations that must be completed in stages. Companies must embrace and implement a successful compliance plan by focusing on investments and aligning people, processes, and technology within a set time frame. To train the workforce and assure timely compliance, both the government and private firms must establish specialised training and awareness initiatives.


The Data Protection Bill is a long-awaited and urgently required piece of legislation that would replace India's current archaic, obsolete, and inadequate data protection policy. It would assist, preserve individual privacy rights, and promote fair and transparent data use for innovation and growth, unlocking the digital economy, as compared to present standards. It has the potential to generate jobs, raise user knowledge of their privacy, and hold data fiduciaries and processors accountable.

India has forged its own path towards data protection, inspired in part by the EU General Data Protection Regulation, with several unique provisions such as combining personal and non-personal data under one umbrella, data localization, hardware device coverage, social media platform management, and more. Although it has certain flaws, when fully implemented, it will bring India's data protection rules up to pace with those of other countries. Companies should begin preparing for compliance with the various provisions as soon as possible.

Ritu Bavishi and Atharv Lama are second year students at Pravin Gandhi College of Law, Mumbai.


183 views0 comments

Recent Posts

See All


bottom of page