The Personal Data Protection Bill 2019: An Overview

Authored by : Kensiya Kennedy

In 2017, a landmark Supreme Court judgement declared that the right to privacy is protected as “an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution” [1] [2]. This judgement followed a petition filed in the Supreme Court of India challenging the constitutional validity of Aadhaar on the grounds that the exercise violated an individual’s right to privacy. Following the judgement, the Supreme Court called on the government to frame a data protection law to address the concerns related to privacy in the digital age. Under the chairmanship of Justice B.N. Srikrishna, a committee of experts was set up in July 2017 to assess the current state of data protection in India, recommend ways to tackle the problems surrounding it, and draft a data protection bill.

The Draft Bill was presented to India’s Ministry of Electronics and Information Technology (MEIT). The minister in charge of MEIT, Mr Ravi Shankar Prasad, tabled the modified Personal Data Protection (PDP) Bill on December 11, 2019. The Bill was then referred to a joint panel of members from both houses of Parliament. The joint panel is expected to present its report either before the end of the budget session or during the monsoon session of Parliament, which spans from July to September [3].



Data protection, though a long-running policy issue related to the larger concern of privacy, gained much traction in public discourse after the Facebook-Cambridge Analytica data scandal. Cambridge Analytica, a political consulting firm based in Britain, was using personal information from Facebook profiles, without users’ consent, for political advertising. The event sparked a discussion on the power of data to steer opinion and affect outcomes, and on the measures required to prevent its exploitation [4].

‘Data is the new oil’ is a popular quote which highlights the power that data holds. Union Minister Ravi Shankar Prasad highlighted this by emphasising the importance of utilising ‘anonymised data’ for policy innovation during the presentation of the PDP Bill in the Parliament [5][6].

The Bill aims to protect the privacy of individuals and their personal data through checks and balances that preserve the trust between those individuals and the entities that have access to their personal data. According to the Bill, it aims to create a framework for “organisational and technical measures” of data processing, introduce “accountability of entities processing personal data”, and lay down norms for social media intermediaries and cross-border transfer [7] [8].



The Bill introduces several terms that are unique to it and signify important aspects of its framework. The primary actor listed in the Bill is the ‘data principal’, the individual to whom the personal data relates. Any person, company, juristic entity or individual, or the state, who either alone or together with another actor determines the purpose and means of processing personal data, is referred to as a ‘data fiduciary’.

A data fiduciary can be classified as significant after consultation with the Data Protection Authority (DPA). The DPA will be the body that oversees and enforces the application of the provisions of the Bill (when it becomes an Act). It will be headed by a chairperson and will have six members. According to the Bill, the members of the DPA are required to have at least ten years’ experience in the field of data protection, information technology, data management, data science, data security, cyber and internet laws, public administration, national security, or related subjects. The members will be appointed on the recommendation of a selection committee, the chairperson of which would be the Cabinet Secretary.

The classification of a data fiduciary as ‘significant’ will depend on the factors described in Section 26 of the Bill. The factors include the volume of personal data processed, sensitivity of the data, turnover of the fiduciary, etc. Some social media intermediaries with users above a threshold (which is to be set at a later date) and whose actions could have a significant impact on “electoral democracy, security of the state, public order or the sovereignty and integrity of India” shall be, after consultation with the Data Protection Authority, classified as a significant data fiduciary [9].

The Bill calls for the appointment and formation of other actors apart from the DPA to enforce and oversee the application of its provisions. One of these actors is the Data Protection Officer, who is to be appointed by every significant data fiduciary to help the fiduciary adhere to the obligations listed in the Bill, monitor its data processing activities, and act as the point of contact for data principals seeking grievance redressal. Other actors include an Adjudicating Officer, who decides penalties and compensation for offences under the Bill, and an Appellate Tribunal, which hears appeals against the decisions of the Adjudicating Officer.

One of the crucial parts of the Bill is the way in which it defines personal data. Personal data is defined in the Bill as:

Data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling [10].

If we consider one’s Facebook profile as an example, personal data in this case would include the user’s name, location details, phone number, etc. that Facebook has access to and can share with other entities if required. These pieces of data can be used to identify a person, their location, and their personal contact details, and are therefore classified as personal data. Furthermore, if the existing data allows further information about the user to be deduced, for instance their home address from location data, then the deduced information would also count as personal data according to the Bill.

Personal data has two more levels of classification – sensitive personal data and critical personal data. ‘Sensitive personal data’ is defined as data that may disclose information relating to a person’s finances, health, sexual life, sexual orientation, biometric or genetic data, transgender or intersex status, caste, tribe, religious or political belief or affiliation. Section 15 of the Bill enables the central government to categorise data as ‘sensitive’ after consulting with the Data Protection Authority and sector regulator. This categorisation will be done if the processing of such data may harm the data principal or a significant group of data principals; or if there are confidentiality expectations attached to the personal data that are the same as that of sensitive personal data.

Sensitive data can further be classified as ‘critical personal data’ by the Central Government. The processing of critical personal data will take place only within India, according to the Draft Bill. The transfer of critical data outside India will be permissible only to persons or entities in the health or emergency services, or to international actors or groups of actors approved by the Central Government and the DPA.

To encourage innovation in artificial intelligence, machine learning, and other emerging technology that is in the public interest, the Bill provides for the creation of a sandbox. Fiduciaries wishing to participate will need a privacy-by-design policy that is certified by the DPA. After certification, the fiduciaries in the sandbox will be exempt from the limits on collection based on necessity mandated under Section 6 of the Bill. They will also be exempt from having to specify the purpose of collection, from the restrictions placed on retention of personal data, and from some of the sections that set out the obligations of the data fiduciary.



Chapter V of the Data Protection Bill gives Indian citizens several essential rights like the Right to Confirmation and Access (Section 17), Right to Correction and Erasure (Section 18), Right to Data Portability (Section 19), and Right to be Forgotten (Section 20). These rights allow citizens to seek information from the fiduciary on the level of processing that their data has been or is being subjected to, seek correction for inaccurate or outdated data, ask for transfer of data to other fiduciaries, and restrict the continuing disclosure of their data by the fiduciary.

Chapter IV of the Bill lays out special provisions for processing the personal data of children. As per these provisions, data fiduciaries handling data of children shall process it only after verifying the age of the child and obtaining consent from the child’s parent or guardian. Commercial websites or online services that are aimed at children, or that process large volumes of personal data belonging to children, are classified under the Bill as Guardian Data Fiduciaries. Such fiduciaries are barred from profiling, tracking, monitoring or targeting advertisements at children, unless they are providing counselling or child protection services, in which case they shall be exempt from seeking verification. For instance, an online children-focused app like Byju’s will have to seek permission from children’s parents or guardians and will also have to ensure that the child’s user data from the app is not exploited to target specific advertisements at the child.

Another highlight of the Bill is the appointment of the Data Protection Officer as a point of contact for grievances of data principals. This makes it easier for data principals to get their concerns with a particular data fiduciary addressed.

The Bill also lays out the penalties for offenders. Offenders who process or transfer personal data in a manner that violates the Bill will be fined either INR 15 crore or 4% of the company’s annual turnover, whichever is higher. Failure to conduct data audits is punishable with a fine of INR 5 crore or 2% of the data fiduciary’s annual turnover, whichever is higher.



The major controversy surrounding the Data Protection Bill concerns the exemption given to government agencies under Section 35. While the Srikrishna Committee Bill (the 2018 draft) allowed the government to access personal data for security purposes, the 2019 Bill gives the government access to non-personal data as well. This has drawn criticism from Justice B.N. Srikrishna himself. According to him, non-personal data should have been addressed in a separate bill and not be included with personal data, because the provision gives the government the right to seek any non-personal data from companies. This clause allows the government to access business data, including data on intellectual property, business strategy, and mergers and acquisitions, which may not be personal data but is commercially sensitive [11] [12]. This may send a negative message to the global investor network [13].

The 2019 Bill also does not include the principles of necessity and proportionality that the 2018 draft included. Necessity requires that any access to personal data by government agencies be proven necessary, while the proportionality principle requires authorities to strike a balance between the means used and the intended aims. Such an exemption raises concerns regarding government surveillance of personal data [14].

Another concern is the selection and composition of the DPA. The selection of the DPA is dependent on the Central Government. The original 2018 Bill included a judicial member, the Chief Justice of India or another Supreme Court judge, in the selection committee; the 2019 Bill does not. The participation of judicial members in the process would increase the independence and accountability of the DPA, as well as lead to better scrutiny of government agencies with access to personal data. The Bill requires that the members have adequate experience in particular fields (as discussed earlier). However, the composition set out in the Bill allows members without any data protection or law background to become members of the DPA. This issue can be addressed simply by making it compulsory for a fraction of the DPA to have qualifications related to data protection and information technology.

The Bill also raises concerns for tech companies and start-ups. Inferences drawn from personal data also fall under the definition of personal data, so the Bill can subject the work of many tech companies to scrutiny and monitoring, which can be a major deterrent to investment. Furthermore, to utilise data for innovation, companies will have to seek certification to be included in the sandbox. While the certification itself might be a roadblock for up-and-coming companies, the conditions for certification include judging whether the activities of the fiduciary are in the ‘public interest’ or amount to ‘an innovative use of technology’. This ambiguity leaves a lot of room for inefficiencies in data protection itself.



The Bill represents the beginning of a framework that is essential to address digital privacy on the internet. The provision of essential rights to individuals, allowing them to restrict the use and disclosure of their data by a fiduciary, has the potential to empower individuals against its misuse. However, in its current form, concerns are raised because of the lack of accountability attached to the access given to the Central Government and its agencies in the Bill. The exclusion of the principles of necessity and proportionality from the Bill also perpetuates the unconstitutional practice of allowing the government access to personal data without appropriate safeguards in place.

[6] Anonymised data is private or sensitive data that either does not have identifiers or has encrypted identifiers. Identifiers are parts of the data that can connect an individual to a given data record.

[7] Social media intermediaries are platforms that enable online interaction between two or more users. The platforms might also let users create, upload, and share information through the platform; for example, Facebook, Twitter, and Instagram.


[9] Ibid.

[10] Ibid.