Challenges Faced By India’s Data Protection Bill

oneDPO's weekly blog on India’s Data Protection Bill gives a detailed analysis of the current developments of the bill. This week we analyze the significant challenges faced by India’s Data Protection Bill. The bill faces two challenges upfront, which need to be resolved as they have the potential to threaten cybersecurity globally.

Challenge 1: Lack of Structural Framework 

Industry experts feel that the Indian Data Protection Bill 2019, which aims to help consumers exercise their privacy rights, needs a proper structural framework; otherwise, the personal data of millions of users in the country will be at stake.

The main challenge lies in the classification of data, as the bill categorizes data as Personal Data, Sensitive Personal Data, and Critical Personal Data. The lack of clarity on which data qualifies under which head creates uncertainty for the industry. The problem can get aggravated when data collection and processing are done by different agencies, in which case each fiduciary will have to take consent at every step of the operation. This process palpably increases the time taken and slows down all the services.

According to the bill, when national security is involved, the government can ask companies, including Facebook, Google, and others, for anonymized personal data and non-personal data. This provision will result in giving the government unaccounted access to the personal data of users in the country.


Experts can demand clarification on several areas of ambiguity, which need to be resolved for businesses to fully comprehend the extent of the adjustments they will have to make to comply with the bill.

Challenge 2: Criminalizing Illegitimate Re-identification

Do you know what data re-identification is?

Companies process customer data using unique algorithms to decouple sensitive information like location traces and medical records from identifying details like email addresses and passport numbers. This process is called de-identification. 

Organizations can recover the link between users’ identities and their data when needed. Such controlled re-identification by companies happens routinely for analysis purposes. On the other hand, if a malicious attacker re-identifies the data, the attacker would gain a precious pool of data.
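The sketch below is an added example, not code from the bill or from any company discussed here. It shows one common way to implement de-identification and controlled re-identification, assuming a keyed HMAC token and a separately stored identity vault; the field names, function names and sample records are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers (an assumption for this example).
IDENTIFIER_FIELDS = ("email", "passport_no")


def pseudonym(key: bytes, record: dict) -> str:
    """Keyed, deterministic token derived from the identifying fields."""
    material = "|".join(str(record[f]) for f in IDENTIFIER_FIELDS).encode()
    return hmac.new(key, material, hashlib.sha256).hexdigest()[:32]


def de_identify(key: bytes, records: list[dict]):
    """Split records into a de-identified dataset and an identity vault."""
    dataset, vault = [], {}
    for rec in records:
        token = pseudonym(key, rec)
        vault[token] = {f: rec[f] for f in IDENTIFIER_FIELDS}
        payload = {k: v for k, v in rec.items() if k not in IDENTIFIER_FIELDS}
        dataset.append({"token": token, **payload})
    return dataset, vault


def re_identify(vault: dict, row: dict) -> dict:
    """Controlled re-identification: only possible for a holder of the vault."""
    identity = vault.get(row["token"])
    if identity is None:
        raise KeyError("token not present in identity vault")
    return {**identity, **{k: v for k, v in row.items() if k != "token"}}


# Constructed sample records.
SAMPLE = [
    {"email": "asha@example.com", "passport_no": "X0000001",
     "location": "12.97,77.59", "diagnosis": "asthma"},
    {"email": "ravi@example.com", "passport_no": "X0000002",
     "location": "28.61,77.21", "diagnosis": "diabetes"},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # stored apart from the dataset
    dataset, vault = de_identify(key, SAMPLE)
    print(dataset)                          # safe to hand to analysts
    print(re_identify(vault, dataset[0]))   # requires access to the vault
```

The protection rests on keeping the key and the vault under separate access control from the dataset. Removing direct identifiers does not address quasi-identifiers such as precise location traces, which can still narrow down a person.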

India’s Data Protection Bill intends to ban re-identification without consent and subject it to financial penalties. The outright ban on re-identification increases the risk of data breaches, as explaining the companies’ secretive data protection techniques and the purpose of data collection to the user is a cumbersome process.


The law should enable researchers to report vulnerabilities they detect. The common goal should be to fix security problems quickly and efficiently rather than obtaining hefty fines from the companies.