Given the vast amounts of personal data being collected by private companies and state agencies, and their flow across national jurisdictions, the absence of a data protection legal framework in India has been a cause for deep concern. This is even more so because in many cases individuals whose data have been used and processed by agencies, both private firms and state entities, are oblivious to the purpose for which they are being harnessed. The need for legislation was also underlined last year with the landmark judgment in Justice K.S Puttaswamy v. Union of India that held the right to privacy to be a fundamental right. Against this backdrop, the draft legislation on data protection submitted by a committee of experts chaired by Justice B.N. Srikrishna to the Ministry of Electronics and Information Technology after year-long public consultations provides a sound foundation on which to speedily build India's legal framework. It seeks to codify the relationship between individuals and firms/state institutions as one between 'data principals' (whose information is collected) and 'data fiduciaries' (those processing the data) so that privacy is safeguarded by design. This is akin to a contractual relationship that places obligations on the entities entrusted with data and who are obligated to seek the consent of the 'principal' for the use of personal information. The draft legislation puts the onus on the 'data fiduciary' to seek clear, informed, specific and free consent, with the possibility of withdrawal of data of the 'principal' to allow for the use and processing of 'sensitive personal data'. In many ways, the draft legislation mirrors the General Data Protection Regulation, the framework on data protection implemented in the European Union this May, in providing for 'data principals' the rights to confirmation, correction of data, portability and 'to be forgotten', subject to procedure.