• Admin


Author: Rushika Rabha,

Campus Law Centre, Delhi University

India is a digitised economy where internet services are indispensable to the daily functioning of various sectors and where data is being processed every minute. There is a need for legislation that appropriately regulates the massive amount of data circulating on the web. Indian businesses along with foreign players have been flourishing in the country as the internet continues to reach even the most remote of places in India. The central government’s answer to comprehensive legislation for data protection and the protection of Right to Privacy guaranteed under article 21 of the Indian Constitution was The Personal Data Protection Bill, 2019. This article gives a brief insight into the important provisions of the bill and then proceeds to address some of the criticisms that have been put forth by the various person who is from a technological background and are well versed with the workings of data protection and regulation.


The Personal Data Protection Bill, 2019 was introduced by Minister of Electronics and Information Technology, Mr. Ravi Prasad Shankar and is currently being analysed by the Joint Parliamentary Committee. Many features of this bill are like the European Union’s General Data Protection Regulation (GDPR). Following the K.S. Puttaswamy judgement, India needed legislation that protected their privacy and data in a digital world where every second data is being transferred from one part of the world to another. The Bill was introduced to protect the data of individuals during its flow and usage, holding the entities responsible for processing data accountable and to create “framework for organisational and technical measures in the processing of data.” The bill recognises that the right to privacy is a fundamental right that should be protected. Furthermore, the bourgeoning of a digital economy requires a framework which can effectively regulate the use and exchange of data. It is not merely the national exchange of data that requires an effective framework, but the international exchange of data must also be regulated.

An insight into the Personal Data Protection Bill, 2019

After the Puttaswamy judgement[1] in 2017, which conferred a fundamental status to the right to privacy, a committee was set up, headed by Justice B.N Srikrishna, which was given the task of examining issues related to data protection in India. The report was submitted in 2018, and the 2019 bill is based on the recommendations made by the committee. Justice B.N Srikrishna’s criticism of the 2019 bill is worrisome as having presided over the 2018 draft; the 2019 bill changes some crucial recommendations.

Currently, data regulations in India are guided by the Information Technology Act of 2000 and the Information Technology Rules, 2011 which have become inadequate due to tremendous change in the technological framework in the past few years.

Some of the salient features of this bill are as follows:

  1. It will apply to the government, any corporate body, or individuals inside the territory of India while dealing with personal data. Additionally, it will be also applicable to foreign companies that use data of Indians.

  2. The bill provides the data principal, which refers to the natural person to whom the personal data relates to, with certain rights regarding the use of their data. Some of these are the confirmation on whether their personal data has been processed, seeking transfer of data, or stopping the disclosure of data if the data principal withdraws their consent.

  3. The data fiduciaries, which is a business or person who deals with the personal data of individuals. It can process data for “specific, clear and lawful purposes”. They must undertake measures to make their usage of data more transparent and accountable like implementing security safeguards and setting up a grievance redressal mechanism.

  4. In certain circumstances, fiduciaries can process data without obtaining consent if it is required by the state to provide benefits, legal proceedings, or a medical emergency.[2]

  5. There will be a grievance redressal mechanism to cater to the problems faced by the data principals or address their complaints. A Data Protection Authority will be set up, if an individual is not satisfied with the addressal of their complaint(s) by the data fiduciary, they can move to the data protection authority.

  6. The central government has the power to exclude any of its agencies from the purview of this act if this was done in the interest of protecting the sovereignty and integrity of the country and maintaining friendly relations with other states.

  7. Penalties are also prescribed for not complying with the directives that have been instructed through this bill. Data fiduciaries can be punished for not fulfilling their obligations for protecting data or noncompliance with any provision of this bill.

  8. Users have the “right to be forgotten” which means that users are given the power to discontinue the disclosure of data to the data fiduciary that has access to the data. However, users can exercise this right after applying before the appropriate authority. [3]

Critical Evaluation of the Bill

  1. The Bill’s framework takes a user’s consent-based approach to allow the data fiduciaries to handle personal data of individuals. This approach has been criticised for being inadequate and ineffectual. This is because the users do not usually read the privacy policy of the business before accepting and many individuals might not understand the terms and the implications of the consent they are giving. Amidst numerous businesses asking for users' consent, it may result in the users becoming desensitised.[4] The shortcomings in the consent-based model have also been recognised by the Srikrishna committee, “A preponderance of evidence points to the fact that the operation of notice and consent on the internet today is broken. Consent forms are complex and often boilerplate. Any enumeration of a consent framework must be based on this salient realisation: on the internet today, consent does not work.”[5]

  2. The most commonly propounded criticism against the Bill is the provision that allows the government and its agencies to access anonymised personal or non-personal data (which includes data like e-commerce shopping data, food delivery data etc.) of individuals from businesses. The bill is silent on the way the government will use this data or to whom this data taken by the government will be available too. This has caused apprehensions to rise as in pursuit of causes like protecting the security and integrity of the state, there is a threat to an individual’s right to privacy.[6] There is immense power in the hands of the government which may cause mass surveillance, especially with the lack of proper safeguards. Justice B. N Srikrishna who headed the committee that drafted this bill was quoted saying that this bill is “dangerous” and can lead to an “Orwellian State”. The Srikrishna committee recommended that surveillance should be “authorised pursuant to a law” and “in accordance with the procedure established by such law” if “necessary for, and proportionate to, such interests being achieved”, this followed the judgement in the K.S Puttaswamy case. However, the bill enlarges the hold of government on surveillance whilst doing away with judicial oversight.[7] A bill that was drafted to secure the privacy of individuals has ironically left a big lacuna in the spere of privacy protection. This bill can potentially undermine Article 21 of the Indian constitution