

Author: Zuba Bubere,

LL. M. Symbiosis Law School, Pune



The Personal Data Protection Bill was introduced in Parliament in 2019 to safeguard people's rights over their sensitive personal information. It aims to set out the rules that businesses must observe when processing and storing such personal data. A Data Protection Authority (DPA) is proposed to be established to give effect to the provisions of the Bill[1]. The Authority is to consist of members who are experts in the fields of data protection and information technology.

The use and transfer of personal data was earlier governed by the provisions of the Information Technology (IT) Act, 2000, which can be regarded as only a first attempt at regulating the subject. With rapid technological advancement in the digital economy, the need for more robust rules and regulations was felt. The foundation of the Bill can be traced to the landmark judgment of the Hon'ble Supreme Court of India in Puttaswamy vs Union of India[2], in which the apex court recognised "privacy" as part of the fundamental rights of citizens. Following that judgment, the Court directed the Government to frame data protection rules. A Committee chaired by Retd. Justice B.N. Srikrishna was set up, which submitted a report and a draft Bill that is now before Parliament for consideration and modification[3]. The IT Act covered only companies and not the government, whereas the Bill covers both companies and the government.

The Bill brings almost all types of business entities within its purview, such as e-commerce, social media, hospitals, real-estate companies, pharmaceutical companies and others. There are, however, certain exemptions, discussed below.


Once the Bill comes into effect, businesses will be required to obtain the clear and express consent of consumers, and only then may personal data be collected and stored, in a secure manner. Customers must also be given the freedom and opportunity to modify or erase their data if they wish. To support this, companies have to set up systems that permit the transfer of data from one company to another. Companies will be made more responsible and accountable for ensuring security safeguards, conducting data audits, and so on. If needed, the government may also call upon business entities to furnish valuable non-personal data.


Small entities, for instance small retailers, are exempted from the provisions of the Bill. Businesses operating in the telecommunications and financial sectors follow the rules and requirements set out by their respective sectoral regulators. Further, in the interest of the security of the state, public order, the sovereignty and integrity of India, or friendly relations with foreign states, certain agencies may be exempted from observing the rules set out under the Bill. Exemptions may also be carved out for the purposes of prevention, investigation and prosecution of offences, research and journalism. In the case of legal proceedings and medical emergencies too, compliance with the rules may be dispensed with.


For any violation or contravention of the rules, regulations or requirements set out under the Bill, the Data Protection Authority may impose a penalty of imprisonment not exceeding three years and/or a fine extending up to Rupees Two lakhs; where harm is caused to a data principal, the penalty is imprisonment not exceeding five years and/or a fine extending up to Rupees Three lakhs.

Anyone aggrieved by an order passed by the Data Protection Authority (DPA) can file an appeal to the Appellate Body established under the Act, and in case of any further grievance, an appeal may be preferred to the Supreme Court[4].



The EU's General Data Protection Regulation (GDPR) is probably the world's toughest privacy and security law. It came into effect on 25 May 2018. It covers personal data targeted and/or collected anywhere in the world, as long as it concerns people in the European Union. It is therefore fair to say that Europe has a firm hold on the data privacy and security issues concerning its territory.

The basis of the GDPR can be traced to the "right to privacy" enshrined in the European Convention on Human Rights. Minimum data privacy and security standards were first laid down in 1995 in the form of the European Data Protection Directive, as the use and significance of the internet began to grow rapidly.

The GDPR carefully defines certain important terms, viz. data processing, data processor, data controller, data subject, personal data, etc. It places emphasis on key data protection principles such as lawfulness, transparency, accuracy, accountability, storage limitation, data minimisation, confidentiality and integrity[5]. It also recognises the various rights of data subjects: the right to access, right to erasure, right to rectification, right to be informed, right to data portability, right to object, and so on.

Under the Personal Data Protection Bill, data processing is permitted only in certain circumstances, such as to comply with a legal obligation, to save somebody's life, to enter into or perform a contract, to perform a task in the public interest, or where there is some other legitimate interest.


The rules clearly and specifically describe what constitutes consent and what does not. Certain particulars that must be kept in mind include:

· Requests for consent must be in plain and clear language

· Consent must be freely given, specific, informed and unambiguous

· Documentary evidence of the consent obtained must be maintained

· Consent may be withdrawn by data subjects whenever they wish


The security of personal data is to be ensured through technical and organisational measures:

· Technical measures include end-to-end encryption, two-factor authentication, etc.

· Organisational measures may include adopting a data privacy policy, staff training, limiting access to personal data, etc.


Penalties are levied in two tiers. A violation of the privacy and security standards set out under the GDPR may attract a penalty reaching tens of millions of Euros: up to 10 million Euros or 2% of global revenue for the preceding fiscal year, whichever is higher. In addition, data subjects may claim compensation for damages.


· Personal Data Protection Bill 2018, https://www.meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf

· Anirudh Burman and Suyash Rai, What is in India's Sweeping Personal Data Protection Bill?, Carnegie India (March 09, 2020), https://carnegieindia.org/2020/03/09/what-is-in-india-s-sweeping-personal-data-protection-billpub80985#:~:text=What%20is%20the%20personal%20data,respect%20to%20their%20personal%20information.

· Anurag Vaishnav, The Personal Data Protection Bill 2019, PRS Legislative Research (December 23, 2019), https://www.prsindia.org/theprsblog/personal-data-protection-bill-2019-all-you-need-know

· What is GDPR, the EU's new data protection law?, GDPR.EU, https://gdpr.eu/what-is-gdpr/

[1] Section 49 (Chapter X) of the Personal Data Protection Bill, 2018: Establishment and incorporation of Authority

[2] Justice K.S. Puttaswamy and Anr. vs Union of India and Ors., Writ Petition (Civil) No. 494 of 2012

[3] Press Trust of India, No foolproof anonymity: Justice B N Srikrishna on data protection bill, Business Standard (October 23, 2020), https://www.business-standard.com/article/economy-policy/no-foolproof-anonymity-justice-b-n-srikrishna-on-data-protection-120102201765_1.html

[4] Sections 79, 84 and 87 of the Data Protection Bill, 2018

[5] What is GDPR, the EU's new data protection law?, GDPR.EU, https://gdpr.eu/what-is-gdpr/
