New India Data Protection Laws

New India Data Protection Laws

India made the major announcement in April 2022 that it will be enacting changes to its rules surrounding data protection.

So What Is Changing?

Currently, parties affected by data breaches are obliged to inform the authorities within a reasonable period following the event happening or its knowledge of it being uncovered. The headline figure from the new announcement being promulgated by India is the new legal obligation being placed upon affected parties to notify the authorities of any concerning events involving cyber security within a time frame of 6 hours. The time starts to run from the time when the relevant person is either informed of such a breach taking place or being made aware by another party of it occurring.

Who Will Be Obliged To Notify?

The published guidance expressly applies to a broad range of parties such as:

  • Government bodies
  • corporations
  • centres handling personal information
  • those running services and
  • parties acting as middlemen.

Why Are The Proposed Changes Being Introduced?

The announcement entered the public domain by way of guidance issued by the Indian government and will apply to numerous aspects of data protection including (but not limited to):

  • data protection security measures and processes
  • reaction to a potential breach; and
  • notification of data breaches.

Does India Have An Information Commissioner?

In stark contrast to the England and Wales jurisdiction, India does not have an Information Commissioner. So, who then is responsible for enforcing Indian Data Protection laws? The answer to the question is the Computer Emergency Response Team (a.k.a. CERT-In).

Significant Development?

The need to report data incidents to a regulator is a universal requirement but with some jurisdictional variations. Those classified as responsible for controlling personal information will be obliged to communicate promptly, openly, and honestly that such an incident has occurred. The new 6-hour-time limit for notifying the authorities demonstrates a very progressive approach from India. Once enacted it will place India will arguably place the Indian ahead of other jurisdictions on data protection reporting obligations including the UK, the Member States of the European Union, and a proportion of U.S. States. By way of an illustration for comparative purposes section, 67 of the Data Protection Act 2018 and Article 33 of the General Data Protection Regulation 2016 both oblige personal data controllers to inform the Information Commissioner in the jurisdiction of England and Wales within 72 hours whereas in India affected parties will need to be over 90% more efficient by reporting such events to the authorities inside the relevant 6-hour timeframe as set out in the guidance.

When Are The Changes Likely To Entering Force?

The guidance made clear the ambition for India to bring the new obligations into force from around the 27th of June 2022 which is incidentally around 60 days from when the announcement was made.

What Should Lawyers Be Advising Their Clients?

When this new legislation enters force lawyers will need to be warning their clients with a presence on the Indian sub-continent of their legal obligations to:

  • notify the Team
  • comply with the 6-hour time frame; and
  • from the time they either:
  • became aware of the data incident or
  • being notified by a relevant third party.

Lawyers should be advising affected clients to consider the limited time they have available to report under the newly restricted notification time limits. Practically clients are likely to be pushed for time when deciding to report to the Computer Emergency Response Team.

The Legists Content Team



[1] Hunton Andres & Kurth – India to Require Cybersecurity Incidence Reporting within Six Hours – Hunton Privacy & Information Security Law Blog - 2nd May 2022 - India to Require Cybersecurity Incident Reporting Within Six Hours | Privacy & Information Security Law Blog (

[2] Government of India – No.2(3)/2022-CERT-In – 28 April 2022 CERT-In_Directions_70B_28.04.2022-2.pdf (

[3] Section 70B(6) Information Technology Act 2000

[4] Section 67 of the Data Protection Act 2018

[5] Article 33 of the General Data Protection Regulation 2016



Stay Tuned

Receive regular news, updates, upcoming events and more...