[Know your Law] Data Protection Bill, 2019 & its Constitutional Validity by Anubha Mathur [Intern Post]

Globalization and advancement of technology have posed greater threat to the privacy of individuals. We have made tremendous progress in digitalization with Government initiatives of Digital India and E-locker, the data in government departments in stored in e-format and available online. Moreover, the sensitive data available in form of AADHAR details is a matter of great concern for all stakeholders. It is estimated that India has approximately 550 million users, considering the quantum of data at stake; time and again the absentia of law on the subject is felt as a major factor contributing to data piracy. Data protection is a necessity, it becomes more obvious when the amount of data created and stored continues to grow at an unprecedented rate, coupled with exploitation and mishandling of such data by companies without the consent of the individual. The companies and other repositories of data generally tends to make regulations and legislation which serve their purpose and are inclined towards their benefit, empowering them to use data at their disposal with minimum provider’s control. With a view to safeguard the data available with various agencies, and to curb the trade in data without the user’s consent, the Personal Data Protection (PDP) Bill was drafted.

This Bill was introduced in the Lok Sabah by Mr. Ravi Shankar Prasad, Minister of Electronics and Information Technology (MEIT) on December 11, 2019, later, it was referred to a Joint Parliamentary Committee for scrutiny. This Bill was introduced with an aim to protect the personal data of the individual, to lays down the guidelines and rules for the utilization of data and to the established data protection authority.

The litigation history of data protection regime in India started, can be formally traced back to the petition filed before the Hon’ble Supreme Court by Retired Justice K.S. Puttaswamy. The court has in its a landmark judgment held that the right to privacy is protected as “an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution”.[1] In K.S. Puttaswamy v Union of India[2], the Court read the right to privacy to be a fundamental right but with subject to reasonable restrictions, the restrictions have to meet a three-fold requirement, namely (i) existence of a law; (ii) legitimate state aim; (iii) proportionality.[3] According to the judgment, the Supreme Court also direct the government to form a data protection law to address the concerns related to privacy in the digital age. A committee of experts headed by the Justice B.N. Srikrishna, was set up  to assess the current scenario of data protection in India, recommend ways to tackle the problems surrounding it and draft a data protection bill, 2018 but after various criticism bill was later presented in 2019 again.

This time Bill includes several modifications and changes in scope and intent for creating framework for “organizational and technical measures” of data processing, introduce “accountability of entities processing personal data”, and lay down norms for social media intermediaries and cross border transfer[4]. In a nut shell, the Bill continues to require that Personal Data[5] be processed fairly and reasonably while guaranteeing the protection of the privacy of the Data Principal[6], for purposes that are associated and consented to by the Data Principal, or purposes incidental or connected thereto[7]. These are the summary of the key changes relevant to private Data Fiduciaries[8]. The Bill has also made certain changes to the provisions relating to the processing[9] of Personal Data by Central and State Governments.

Data protection is the process of protecting the personal and sensitive information of citizens and preventing it from misuse. The quote is newly popularized which states ‘Data is the new oil’ and highlights the power that data holds. The Union Minister Ravi Shankar Prasad highlighted this by emphasizing the importance of utilizing ‘anonymised data’[10] for policy innovation during the presentation of the PDP Bill in the Parliament.[11]The Bill aims to protect "Personal Data"[12] relating to the identity, characteristics trait, attribute of a natural person and "Sensitive Personal Data”[13] such as financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political beliefs.

Section 2 [14]of the PDP Bill proposes its applicability for processing of personal data that has been collected, disclosed, shared or otherwise processed within the territory of India;

(a) By the government, any Indian Company, any citizen of India or any person or body of persons incorporated in India, and

(b) Foreign companies dealing with personal data of individuals in India.

The PDPB shall not apply to the processing of anonymised data, other than the anonymised data or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government.[15]

Strength and Positive Aspects of the Bill

Every legislation has certain affirmative as well as debatably controversial aspects which are meant to be scrutinized. This said Bill also contains various clauses which intend to strengthen the protection and prevent misuse of data. Chapter V of the PDP Bill gives Indian citizens several rights like the Right to Confirmation and Access[16], Right to Correction and Erasure[17], Right to Data Portability[18] , and Right to be forgotten[19].These rights permits citizens to seek information from the data fiduciary and processing companies of processing that their data which has been or is being subjected to, seek correction for inaccurate or outdated data, to ask for transfer of data to other data fiduciaries, and limit the continuing divulgence of their data by the fiduciary.

The special provisions contained the Chapter IV of the Bill provide for the processing of personal data and sensitive data of children. According to this section, data fiduciaries handling data of children shall process it only after verifying the age of the child and after obtaining consent from the child’s parent or guardian. Business and commercial sites or online services focused on kids or who process huge volumes of personal information which belongs to children have been characterized under the Bill as Guardian Data Fiduciaries. Such fiduciaries are banned from monitoring or targeting advertisements at children unless they are providing counselling or child protection in which case they shall be exempt from seeking verification. [20]

Another feature of the Bill is the appointment of the Data Protection Officer as a state of contact for complaints and grievances of information and data principals. This makes it simpler for data principals to get their interests with a data fiduciary addressed.[21]

Chapter X of the Bill also lays out the penalties and compensation for potential offenders under the Bill. Offenders who process or transfer personal data without consent and falls in a manner that violates the Bill will be fined with either INR 15 crore or 4% of the annual turnover of the company, whichever is higher and Offences regarding the failure to conduct data audits are punishable with a fine of INR 5 crore or 2% of the data fiduciary’s annual turnover, whichever is higher.[22]


The major controversy surrounding the Data Protection Bill was started when the Bill was sent to Joint Parliamentary Committee rather than standing committee which is headed by opposition party leader. Various provisions of Bill have been in controversies since the very beginning as it gives more power to central Government rather than the data protection authority. While the draft Bill prepared by the Justice Srikrishna Committee (the 2018 draft) allowed the government to have access to personal data for security purposes only, on other hand the 2019 Bill gives the government access to non-personal data as well. This has drawn criticism from Justice B N Srikrishna himself. According to him, non-personal data should have been addressed in a different Bill and not be included with personal data because it gives the government the right to seek any non-personal data from companies. This clause allows the government to access business data, including data on intellectual property, business strategy, and mergers and acquisitions, that may not be personal data but necessary from a business point of view [23]. The exemption given to government agencies under Section 35[24] is likely to send a negative message to the global investor network [25]

Another concern is regarding the selection and composition of the Data Protection Authority. The selection of the DPA is dependent on the Central Government only. The original 2018 Bill included a judicial member in the form of the Chief Justice of India or another Supreme Court judge in the selection committee which the 2019 Bill does not include. The participation of judicial members in the process will increase the independence and accountability of the Authority as well as lead to better scrutiny of government agencies with access to personal data. This issue can be addressed by simply making qualifications related to data protection and information technology. Compulsory for appointment and composition of the Data Protection Authority.

The 2019 Bill also does not include the principles of necessity and proportionality that the 2018 draft included. Section 36 of the Bill provide provision for “Exemption of certain provisions for certain processing of personal data” which lay down criteria which proves the situations necessity  to provide access to government agencies of  personal data of individuals. In this situation the principle of proportionality requires by the authorities to strike a balance between the means used and the intended aims. Such an exception raises concerns with respect to government surveillance of personal data.


The Personal Data Protection Bill is an attempt to balance the conflicting interests of the Government and other stakeholders on one hand and the rights of individuals on the other.  It is said to bridge the gap caused by absentia of a legislation extending statutory protection to data and for the prevention of internet misuse. Earlier, under the Information Technology Act, 2000[26] to the provisions for punishment for the offenders of data leaking and monitoring illegally, were contained. This Bill intend to provide a framework that is essential to address digital privacy on the internet through checks and balances to preserve the trust between said individuals and the entities that have access to their personal data. The clause of essential rights in Bill which provide power to individuals in order to restrict the use and disclosure of their personal data by a data fiduciary has the potential to empower individuals against its misuse. However, in its current state, concerns are raised because of lack of accountability attached to the access given to the Central Government and its agencies in the Bill. Justice BN Shrikrishna said “they have removed the safeguards. This is dangerous. The government can at any time access private data or government agency data on the grounds of sovereignty or public order. This has dangerous implications.”[27] He also mentioned this Bill will turn India into an Orwellian State. Orwellian sate means a political system which tries to control every part of people’s lives.[28] Observing these statements and various Exclusion of the principles like necessity and proportionality from the Bill also perpetuates the unconstitutional practice of allowing the government access to personal data without appropriate safeguards in place and can violates fundamental right to privacy.


The author of the post, Ms. Anubha Mathur is a Law Student from Amity Law School, Noida & was an intern at MyLawman. She can be reached at anubha602[at]gmail[dot]com.

This article has been reviewed and edited by Samreen Ahmed, Research Assistant, Research & Innovation Department (ARIL), MyLawman. 

[1] Jyoti Panday, “India's Supreme Court Upholds Right to Privacy as a Fundamental Right—and It's About Time”, Deeplink Blog, August 28,2017; available at https://www.e.org/deeplinks/2017/08/indias-supreme-court-upholds-rightprivacy-fundamental-right-and-its-about-time. Last visited on June 2, 2020.

[2] (2017) 10 SCC 641 (“Puttaswamy I”).

[3] Amber Sinha “comments to the personal data protection Bill 2019”, The Centre for internet & society (CIS) available at https://cis-india.org/internet-governance/blog/comments-to-the-personal-data-protection-Bill-2019. Last visited on June 2, 2020.

[4] The Personal Data Protection Bill,2019, s. 26 & 33.

[5] The Personal Data Protection Bill, 2019, ss.28, s.3.

[6] The Personal Data Protection Bill, 2019, ss. a, s.5

[7] The Personal Data Protection Bill, 2019, ss. b, s.5.

[8] The Personal Data Protection Bill, 2019, ss. 13, s.3.

[9]The Personal Data Protection Bill, 2019, ss. 31, s.3.

[10] The Personal Data Protection Bill,2019, ss. 3, s.3.

[11]“ Lok Sabha refers Personal Data Protection Bill to joint panel; Prasad says 'anonymized data' should be available for policy making”, Business Standard, December 12, 2019. Available at https://www.business-standard.com/article/news-ani/lok-sabha-referspersonal-data-protection-bill-to-joint-panel-prasad-says-anonymized-datashould-be-available-for-policy-making-119121200044_1.html. Last visited on June 3,2020.

[12] Supra 6

[13] The Personal Data Protection Bill, 2019, ss. 36., s.3.

[14] The Personal Data Protection Bill, 2019, s.2.

[15] The Personal Data Protection Bill, 2019, s.91.

[16] The Personal Data Protection Bill, 2019, s.17.

[17] The Personal Data Protection Bill, 2019, s.18.

[18] The Personal Data Protection Bill, 2019, s.19.

[19] The Personal Data Protection Bill, 2019, s.20.

[20] The Personal Data Protection Bill, 2019, s.16.

[21] The Personal Data Protection Bill, 2019, s.30.

[22] The Personal Data Protection Bill, 2019, s.66.

[23] “Key Changes in the Personal Data Protection Bill, 2019 from the Srikrishna Committee Draft”, defender of your digital freedom, sflc.in( December 11,2019). available at https://sflc.in/key-changes-personal-data-protection-bill-2019-srikrishna-committee-draft last visited on June 3,2020.

[24] The Personal Data Protection Bill, 2019, s.35.

[25] Supra 11 at pg.2

[26] Information Technology Act,2000, s.43.

[27] Mandavia, M.(2019). “Personal data protection Bill can turn india into ‘Orwellian State”: Justice BN Srikrishna”, The Economics Times, available at https://economicstimes.indiatimes.com/news/economy/policy/ Personal-data-protection-bill-can-turn-india-into-‘Orwellian-State”:-Justice-BN-Srikrishna/articleshow/72483355.cms?from=mdr. Last visited on June 3, 2020

[28] Dicitionary.cambridge.org.(2020). Orwellian|meaning in the Cambridge English dictionary. online

Post a Comment