Author: Rushika Rabha,

Campus Law Centre, Delhi University

India is a digitised economy where internet services are indispensable to the daily functioning of various sectors and where data is being processed every minute. There is a need for legislation that appropriately regulates the massive amount of data circulating on the web. Indian businesses along with foreign players have been flourishing in the country as the internet continues to reach even the most remote of places in India. The central government’s answer to comprehensive legislation for data protection and the protection of Right to Privacy guaranteed under article 21 of the Indian Constitution was The Personal Data Protection Bill, 2019. This article gives a brief insight into the important provisions of the bill and then proceeds to address some of the criticisms that have been put forth by the various person who is from a technological background and are well versed with the workings of data protection and regulation.


The Personal Data Protection Bill, 2019 was introduced by Minister of Electronics and Information Technology, Mr. Ravi Prasad Shankar and is currently being analysed by the Joint Parliamentary Committee. Many features of this bill are like the European Union’s General Data Protection Regulation (GDPR). Following the K.S. Puttaswamy judgement, India needed legislation that protected their privacy and data in a digital world where every second data is being transferred from one part of the world to another. The Bill was introduced to protect the data of individuals during its flow and usage, holding the entities responsible for processing data accountable and to create “framework for organisational and technical measures in the processing of data.” The bill recognises that the right to privacy is a fundamental right that should be protected. Furthermore, the bourgeoning of a digital economy requires a framework which can effectively regulate the use and exchange of data. It is not merely the national exchange of data that requires an effective framework, but the international exchange of data must also be regulated.

An insight into the Personal Data Protection Bill, 2019

After the Puttaswamy judgement[1] in 2017, which conferred a fundamental status to the right to privacy, a committee was set up, headed by Justice B.N Srikrishna, which was given the task of examining issues related to data protection in India. The report was submitted in 2018, and the 2019 bill is based on the recommendations made by the committee. Justice B.N Srikrishna’s criticism of the 2019 bill is worrisome as having presided over the 2018 draft; the 2019 bill changes some crucial recommendations.

Currently, data regulations in India are guided by the Information Technology Act of 2000 and the Information Technology Rules, 2011 which have become inadequate due to tremendous change in the technological framework in the past few years.

Some of the salient features of this bill are as follows:

  1. It will apply to the government, any corporate body, or individuals inside the territory of India while dealing with personal data. Additionally, it will be also applicable to foreign companies that use data of Indians.

  2. The bill provides the data principal, which refers to the natural person to whom the personal data relates to, with certain rights regarding the use of their data. Some of these are the confirmation on whether their personal data has been processed, seeking transfer of data, or stopping the disclosure of data if the data principal withdraws their consent.

  3. The data fiduciaries, which is a business or person who deals with the personal data of individuals. It can process data for “specific, clear and lawful purposes”. They must undertake measures to make their usage of data more transparent and accountable like implementing security safeguards and setting up a grievance redressal mechanism.

  4. In certain circumstances, fiduciaries can process data without obtaining consent if it is required by the state to provide benefits, legal proceedings, or a medical emergency.[2]

  5. There will be a grievance redressal mechanism to cater to the problems faced by the data principals or address their complaints. A Data Protection Authority will be set up, if an individual is not satisfied with the addressal of their complaint(s) by the data fiduciary, they can move to the data protection authority.

  6. The central government has the power to exclude any of its agencies from the purview of this act if this was done in the interest of protecting the sovereignty and integrity of the country and maintaining friendly relations with other states.

  7. Penalties are also prescribed for not complying with the directives that have been instructed through this bill. Data fiduciaries can be punished for not fulfilling their obligations for protecting data or noncompliance with any provision of this bill.

  8. Users have the “right to be forgotten” which means that users are given the power to discontinue the disclosure of data to the data fiduciary that has access to the data. However, users can exercise this right after applying before the appropriate authority. [3]

Critical Evaluation of the Bill

  1. The Bill’s framework takes a user’s consent-based approach to allow the data fiduciaries to handle personal data of individuals. This approach has been criticised for being inadequate and ineffectual. This is because the users do not usually read the privacy policy of the business before accepting and many individuals might not understand the terms and the implications of the consent they are giving. Amidst numerous businesses asking for users' consent, it may result in the users becoming desensitised.[4] The shortcomings in the consent-based model have also been recognised by the Srikrishna committee, “A preponderance of evidence points to the fact that the operation of notice and consent on the internet today is broken. Consent forms are complex and often boilerplate. Any enumeration of a consent framework must be based on this salient realisation: on the internet today, consent does not work.”[5]

  2. The most commonly propounded criticism against the Bill is the provision that allows the government and its agencies to access anonymised personal or non-personal data (which includes data like e-commerce shopping data, food delivery data etc.) of individuals from businesses. The bill is silent on the way the government will use this data or to whom this data taken by the government will be available too. This has caused apprehensions to rise as in pursuit of causes like protecting the security and integrity of the state, there is a threat to an individual’s right to privacy.[6] There is immense power in the hands of the government which may cause mass surveillance, especially with the lack of proper safeguards. Justice B. N Srikrishna who headed the committee that drafted this bill was quoted saying that this bill is “dangerous” and can lead to an “Orwellian State”. The Srikrishna committee recommended that surveillance should be “authorised pursuant to a law” and “in accordance with the procedure established by such law” if “necessary for, and proportionate to, such interests being achieved”, this followed the judgement in the K.S Puttaswamy case. However, the bill enlarges the hold of government on surveillance whilst doing away with judicial oversight.[7] A bill that was drafted to secure the privacy of individuals has ironically left a big lacuna in the spere of privacy protection. This bill can potentially undermine Article 21 of the Indian constitution under which the right to privacy has been recognised.

  3. The bill is also likely to have an impact on companies as well. Legal compliance mechanisms must be put in place when this bill becomes an act. The bill does not provide a provision giving the companies sufficient time to implement these mechanisms.[8] Companies would have to obtain permission from the Data Protection Authority for cross border transfer of data which might cause hindrance in the ease of doing business.

  4. A requirement of the bill is for the data fiduciaries to ensure the storage of “at least one serving a copy of personal data” on a “server, or data Centre’s located in India”. This will require companies to spend on setting up data centers in India and companies that are operating in India but have their data centres in any other location will be impacted more.[9] This provision might be easier for well-established and bigger companies to comply with than for smaller companies due to the cost it bears. Criminal liability is attached if there are re-identification and processing of personal data without consent, Mishi Choudhary, legal director at pro bono legal services firm Software Freedom Law Center[10] criticised this because it will lead to complications as businesses have to be now involved in criminal matters.

  5. As per the 2018 draft, the salaries, and allowances of the members of the Data Protection Authority should not be varied to their disadvantage, however, the 2019 bill does not provide any such provision. This is crucial because this provision of financial independence would allow the Data Protection Authority to act autonomously without the fear of government action. The purpose of this act was to create an autonomous authority that would democratically function to protect the citizens from unfair and illegal use of their data if the financial autonomy of an institution is subject to the discretion of the government, it might open the institution to government influence which is not conducive independent functioning.

  6. Regarding the selection of the members in the Data Protection Authority, the central government officials will be a part of the authority. The composition will be based on the recommendation of a committee comprised of cabinet secretary, law secretary and IT secretary. The previous 2018 draft recommended that one member of the judiciary and one independent expert with technical knowledge.

  7. Under section 86 of the Bill, the government will issue periodic data protection direction which will be “in the interest of sovereignty and integrity of India”, among other reasons and the data protection authority will be bound to follow these directives. This further undermines the autonomy of the Data Protection Authority because even though this section allows the Authority to express their views, in the end, the word of the government is final.

  8. This bill prescribes that no court shall take cognizance of any offense under this act unless a complaint has been filed by the Data Protection Authority. This means that an individual’s accessibility to the courts for justice is limited because they are now the data protection authority’s complaint to initiate any proceeding in a court.[11]

Concluding Remarks

To regulate the ever-increasing intricacies in the functioning of the world wide web, many countries have drafted legislation for the same. The Puttaswamy judgement acknowledged and enlarged the scope and application of the right to privacy. It also prescribed certain guidelines to be followed when the need arises in situations where someone’s privacy is being invaded. This is because the Right to privacy is a sacrosanct fundamental right that must be protected. The rationale behind setting up a committee, which was headed by B.N Srikrishna was to closely examine data protection issues in the country and provide a suitable framework that can effectively protect data of individuals. Nonetheless, the 2019 Bill has substantive differences from the one drafted under the guidance of Justice B.N. Srikrishna. These changes have been criticised by him for being “disastrous” and counterproductive.

While his committee suggested the Data Protection Authority to have an independent member in its composition, the new bill has completely put the control of the selection and composition of the board under the control of the central government. If the central authority of data protection is not given enough space to function independently then government influence can overpower its decision-making power.

The most troubling feature of this bill is the significant power given to the government to bypass the provisions of this bill and collect data of individuals without their consent. This power is in contention with the Puttaswamy judgement’s test of proportionality, i.e. the means used to achieve something must be proportional to the object of achieving that thing. While protecting the sovereignty and integrity of the nation is a non-negotiable duty of any government, without proper safeguards, invasion of privacy can lead to a surveillance state. Unrestrained access to anyone's personal data can have disastrous consequences for individuals as well as the nation. Many scholars have put forth the suggestion that the government must draft clear guidelines so that accessing the private data of individuals is not an arbitrary activity. Furthermore, a provision that provides for judicial oversight must be included to keep the powers of the government to exempt itself from the purview of the bill in check.

Therefore, considering the criticisms that have been directed against this bill, the Joint Parliamentary committee's recommendations are yet to be seen. The final decision of the government should be taken after addressing the criticisms because this will ensure that the lacunae in the bill are removed or at least minimised.

[1] K.S Puttaswamy and another v. Union of India and others (Writ Petition (Civil) No 494 of 2012) [2] https://www.prsindia.org/billtrack/personal-data-protection-bill-2019 [3] https://www.thehindubusinessline.com/info-tech/data-protection-bill-users-have-the-right-to-erase-online-data-but-only-under-specific-conditions/article30266381.ece [4] https://www.hindustantimes.com/analysis/the-draft-personal-data-protection-bill-is-flawed-opinion/story-NoUUk81zW7d8Xniarn9tML.html [5] https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report-comp.pdf [6] https://www.cfr.org/blog/three-problems-indias-draft-data-protection-bill [7] https://indconlawphil.wordpress.com/2020/01/08/the-personal-date-protection-bill-2019-a-constitutional-critique/ [8] https://entrackr.com/2020/02/personal-data-protection-bill-2019-concern-both-citizens-and-companies/ [9] https://qz.com/india/1343154/justice-srikrishnas-data-protection-bill-for-india-is-full-of-holes/ [10] ibid [11] https://www.dvara.com/blog/2020/01/17/our-initial-comments-on-the-personal-data-protection-bill-2019/

  • Facebook
  • Instagram
  • Twitter
  • LinkedIn

© All Rights Reserved