Data Protection Bill 2019

Please Share with maximum friends to support the Initiative.

Context: The Personal Data Protection Bill has been referred to the joint select committee Parliament in the current Winter Session.

Prelims: Indian Polity and Governance – Constitution, Political System, Panchayati Raj, Public Policy, Rights Issues, etc.

  • GS II- Important aspects of governance, transparency, and accountability, e-governance- applications, models, successes, limitations, and potential; citizens charters, transparency & accountability and institutional and other measures.
  • GS III- Challenges to internal security through communication networks, the role of media and social networking sites in internal security challenges, basics of cybersecurity; money-laundering and its prevention.


Significance of Data:

  • Data is the large collection of information that is stored in a computer or on a network.
  • Data is collected and handled by entities called data fiduciaries.
    • While the fiduciary controls how and why data is processed, the processing itself maybe by a third party, the data processor.
  • This distinction is important to delineate responsibility as data moves from entity to entity. For example, in the US, Facebook (the data controller) fell into controversy for the actions of the data processor — Cambridge Analytica.
  • The processing of this data (based on one's online habits and preferences, but without prior knowledge of the data subject) has become an important source of profits for big corporations.
  • Targeted advertising:
    • Companies, governments, and political parties find it valuable because they can use it to find the most convincing ways to advertise online.
  • Apart from it, this has become a potential avenue for invasion of privacy, as it can reveal extremely personal aspects.
  • Also, it is now clear that much of the future’s economy and issues of national sovereignty will be predicated on the regulation of data.
  • The physical attributes of data — where data is stored, where it is sent, where it is turned into something useful — are called data flows.
  • Data localisation arguments are premised on the idea that data flows determine who has access to the data, who profits off it, who taxes and who “owns” it.

Personal Data:

  • According to the Justice B. N. Srikrishna committee of experts on a Data Protection Framework for India, “personal data includes data from which an individual may be identified or identifiable, either directly or indirectly”. 
  • The Committee sought to distinguish personal data protection from the protection of sensitive personal data since its processing could result in greater harm to the individual. 
  • Sensitive data is related to intimate matters where there is a higher expectation of privacy (e.g., caste, religion, and sexual orientation of the individual).  

Key Definitions

  • Data Principal:
    • The individual whose data is being stored and processed is called the data principal in the PDP Bill.
  • Data Fiduciary:
    • The 'data fiduciary' may be a service provider who collects, stores and uses data in the course of providing such goods and services.
  • Data Transfer:
    • Data is transported across country borders in underwater cables.
  • Data localisation:
    • It is the act of storing data on any device physically present within the borders of a country.

Justice B. N. Srikrishna committee:

  • The Committee was constituted by the union government in July 2017, to deliberate on a data protection framework.
  • The Supreme Court in its Puttaswamy judgment, 2017 declared privacy a fundamental right. This set the government in motion to take steps to bring a new data protection legislation for the country.
  • The report has emphasized those interests of the citizens and the responsibilities of the state have to be protected, but not at the cost of trade and industry.

The Draft Personal Data Protection Bill, 2019:

  • Regulation:
    • The Bill regulates the processing of personal data of individuals (data principals) by government and private entities (data fiduciaries) incorporated in India and abroad.
    • Processing is allowed if the individual gives consent, or in a medical emergency, or by the State for providing benefits.
  • Copy of personal data:
    • The Bill requires that a serving copy of personal data be stored within the territory of India.  Certain critical personal data must be stored solely within the country.
  • Data Protection Authority (DPA):
    • A national-level Data Protection Authority (DPA) is set up under the Bill to supervise and regulate data fiduciaries. The Authority is empowered to:
      • take steps to protect the interests of individuals,
      • prevent misuse of personal data,
      • ensure compliance with the Bill. 
  • Rights of the individual:
    • The Bill sets out certain rights of the individual. These include:
      • right to obtain confirmation from the fiduciary on whether its personal data has been processed,
      • right to seek correction of inaccurate, incomplete, or out-of-date personal data,
      • right to have personal data transferred to any other data fiduciary in certain circumstances.
  • Obligations of the data fiduciary:
    • The Bill sets out obligations of the entity who has access to the personal data (data fiduciary) such as:
      • implementation of policies with regard to processing of data,
      • maintaining transparency with regard to its practices on processing data,
      • implementing security safeguards (such, as encryption of data),
      • instituting grievance redressal mechanisms to address complaints of individuals.
  • Grounds for processing personal data:
    • The Bill allows processing of data by fiduciaries if consent is provided.  However, in certain circumstances, processing of data may be permitted without consent of the individual which includes:
      • if necessary for any function of Parliament or state legislature, or if required by the state for providing benefits to the individual,
      • if required under law or for th­­­­e compliance of any court judgment.
      • to respond to a medical emergency, threat to public health or breakdown of public order,
      • for reasonable purpos­­es specified by the Authority, related to activities such as fraud detection, debt recovery, and whistleblowing.
  • Exemptions:
    • The Bill provides exemptions to certain data processing activities. 
    • It states that processing of an individual’s personal data will not be subject to the obligations specified, and the data principal will not have the rights defined in the Bill if their personal data is processed for the purposes of
      • (i) national security (pursuant to a law),
      • (ii) prevention, detection, investigation, and prosecution of contraventions to a law,
      • (iii) legal proceedings,
      • (iv) personal or domestic purposes,
      • (v) journalistic purposes.

Other key provisions of the bill:

  • The Bill includes exemptions for processing data without an individual’s consent for “reasonable purposes”, including security of the state, detection of any unlawful activity or fraud, whistleblowing, medical emergencies, credit scoring, operation of search engines and processing of publicly available data.
  • The Bill calls for the creation of an independent regulator Data Protection Authority, which will oversee assessments and audits and definition making.
  • Each company will have a Data Protection Officer (DPO) who will liaison with the DPA for auditing, grievance redressal, recording maintenance and more.
  • The Bill proposes “Purpose limitation” and “Collection limitation” clause, which limits the collection of data to what is needed for “clear, specific, and lawful” purposes.
  • It also grants individuals the right to data portability and the ability to access and transfer one’s own data. It also grants individuals the right to data portability, and the ability to access and transfer one’s own data.
  • Finally, it legislates on the right to be forgotten. With historical roots in European Union law, General Data Protection Regulation (GDPR), this right allows an individual to remove consent for data collection and disclosure.
  • The Bill stated the penalties as Rs 5 crore or 2 percent of worldwide turnover for minor violations and Rs 15 crore or 4 percent of total worldwide turnover for more serious violations.
  • Also, the company’s executive-in-charge can also face jail terms of up to three years.


  • Data localisation can help law-enforcement agencies access data for investigations and enforcement.
  • As of now, much of cross-border data transfer is governed by individual bilateral “mutual legal assistance treaties”.
  • Accessing data through this route is a cumbersome process.
  • Instances of cyber-attacks and surveillance will be checked.
  • Recently, many WhatsApp accounts were hacked by an Israeli software called Pegasus.
  • Social media is being used to spread fake news, which has resulted in lynchings, national security threats, which can now be monitored, checked and prevented in time.
  • Data localisation will also increase the ability of the Indian government to tax Internet giants.
  • A strong data protection legislation will also help to enforce data sovereignty.


  • Many contend that the physical location of the data is not relevant in the cyber world. Even if the data is stored in the country, the encryption keys may still be out of reach of national agencies.
  • National security or reasonable purposes are open-ended terms, this may lead to intrusion of the state into the private lives of citizens.
  • Technology giants like Facebook and Google have criticised protectionist policy on data protection (data localisation).
    • They fear that the domino effect of protectionist policy will lead to other countries following suit.
  • Protectionist regime suppress the values of a globalised, competitive internet marketplace, where costs and speeds determine information flows rather than nationalistic borders.
  • Also, it may backfire on India’s own young startups that are attempting global growth, or on larger firms that process foreign data in India.
  • Civil society groups have criticised the open-ended exceptions given to the government in the Bill, allowing for surveillance.
  • The Supreme Court, in Puttaswamy vs UoI, allowed exceptions to the right to privacy of an individual under certain situations.
  • These include cases where a larger public purpose is satisfied by the infringement of privacy of an individual.
    • Such an exemption must be backed by law and must be necessary for and proportionate to achieving the purpose. However, it is unclear if exemptions for legal proceedings, or for research and journalistic purposes meet the requirements of necessity and proportionality. 
  • The data principal may raise a complaint only if a violation of the provisions of the Bill has caused, or may cause them harm.
    • It could be questioned why the mere violation of the rights of the principal is not enough to raise a complaint. 
    • The data principal additionally has to demonstrate and prove that harm has been caused to them by unlawful data processing, and this may place an undue burden on the data principal.

Way forward:

  • Bringing in a legislation on the data protection in the country would protect individual privacy, ensure autonomy, allow data flows for a growing data ecosystem.
  • It can create a free and fair digital economy where freedom is the enhancement of individual autonomy with regard to personal data and fairness is the regulatory framework where this individual right is respected.
  • The Personal Data Protection Bill is designed to fall between the laissez-faire approach of US law and the much stricter regimen of the General Data Protection Regulation (GDPR) in force in the European Union, striking a balance between the imperatives of privacy and security.

Please Share with maximum friends to support the Initiative.

Enquire now

Give us a call or fill in the form below and we will contact you. We endeavor to answer all inquiries within 24 hours on business days.