Personal Data Protection Bill 2019 – An Overview


In 2019, the Personal Data Protection Bill was presented in the Lok Sabha by the Minister of electronics and Information Technology i.e. by Mr. Ravi Shankar Prasad. This Bill came in front while keeping the purview of the right to privacy under the ambit of Article 21 of the Indian Constitution in view as it is a well-known ruling giving by the Apex Court of India in the case of K.S. Puttaswami v. Union of India.

Objects of the Bill

The objects of the Personal Data Protection Bill, 2019 are to safeguard the privacy of individuals by way of protecting or securing personal data. This Bill is to create a safe environment for the personal data of any individual being processed along with protecting the right of data fiduciaries. The Bill brings both rights and duties to both parties whose data is being processed and who is professing the data. The Personal Data Protection Bill, 2019 has come with the idea of creating a secured environment or the protected mechanism for the data processing, cross-border transfer, providing some rules for social media intermediaries, describes liabilities of agencies which are processing the personal data of any individual and also this Bill provides for the remedies to any or every individual whose data have been processed for any kind of illegal, unauthorized and harmful means.

In all, this Bill provides a framework for the Data protection authority of India for achieving all the purposes. The Personal Data Protection Bill will become the first law for the protection of personal data and consequently, it will repeal section 43A of the IT Act, 2000. Although India is not the party to any convention dealing with the protection of personal data like data protective directive but India is a party to the Universal Declaration of Human rights and ICCR and both of them have recognized the right of privacy as a fundamental human right.

Online Privacy

The terms like “internet privacy” and “digital privacy” are also referred to as online privacy. Online privacy is concerned with privacy in regard to an individual’s personal, financial and other browsing information when he is online. Online privacy is getting so much limelight these days as it plays a very significant role as when an individual is online, which and what information is gathered by who is not known exactly.  In an era where the inclination is more towards the online system, it becomes very important to keep your data or information safe so that no one can take any harmful use of your personal information or sensitive data. Personal data is highly at risk when an individual is online as the data privacy either personal or financial or other sensitive data is required to maintain as that of privacy in the physical world.

Data Protection

Privacy is a considered fundamental right in-law of various nations. India has also considered privacy as a fundamental right and when it comes to privacy; data protection laws are their safeguard the interest of the people who are engaging online because personal data is highly prone to be misused if the privacy is not kept or maintained. Section 43A and Section 72A of the Information technology Act, 2000 provide for compensation in a case where there is improper disclosure of personal information. Data protection is clearly understood as the steps or the measures which are taken up for protecting the data of an individual engaging online from any harassment or misuse either by preventing some criteria or by specifying some rules so that the privacy of a person can be safe.

Personal Data Protection Bill of 2019

The Personal Data Protection Bill, 2019 has defined personal data as it includes any data by which the identity of any individual could be reached to whom that data belongs. Personal data is nothing but any kind of data that embodies any such characters or features or traits or attributes by which an identity of an individual could be reached or located. The term “sensitive personal data” is also elaborated in this Bill as it includes financial data, health data, and biometric data, sex life, and genetic data, the religious or political affiliation of any individual. The central government is duly authorized to categorize data as sensitive data that too after discussing it with the other authorities.

There are some obligations given under this Bill as per clause 11 of the Bill. It is an obligation on the data fiduciaries to collect data to the extent required or necessary for the purpose of data processing. The data fiduciary is obligated to take consent. The Personal Data Protection bill has also facilitated or prescribed the legal way of collecting or processing the data. It is the duty imposed on the data fiduciary to be enough cautious while collecting data so that it should be accurate, complete, updated and not misleading in any manner. The data fiduciary has to take the legal consent before initiating the processing of data and the data being processed shall not be stored more than the time span as required or necessary for such processing.

There is also Clause 3 in the Bill mentioned which describes certain exemptions to the data fiduciary to process the data without any legal consent and such grounds may be; for the government policies, for the purpose of employment or any other purpose as prescribed under the Bill. The personal data of any individual or individuals may be processed without any consent for the purpose of functions as required to be performed by the State as the authority given by law. Any other reasonable reasons may be to prevent or to investigate any unlawful activity where consent is not required for processing the personal data of any person.

The concepts like personal data and sensitive personal data of children have also been discussed under Chapter IV of the Personal Data Protection Bill as the liability is on the head of data fiduciary to safeguard the rights as well as the interests of children while their data is being processed. The consent of a child whose data is being processed along with verification of age is to be taken into account before data processing as a duty imposed on the data fiduciary and this is the duty of data fiduciary to take consent from the parents or the guardians of the child prior to initiating the processing of the data.

In order to ensure that collected data is or will not use in illegal or harmful ways, there are some rights given to the individual whose data has been collected for being processed as the main goal of this Bill to protect the right to privacy of an individual. The person whose data is collected for processing is known as the data principal.  Such rights are summarized as:

1. There is right to be forgotten which is exercised in case where the consent of the data principal is withdrawn, where the data is taken for those which are prohibited under law or for any unlawful means and where the purpose of sharing the data has been fulfilled or the information given is no longer needed.

2. The data principal possesses the right to correction in which if it seems required to the data principal for the purpose of the processing; he/she may exercise this right in certain following conditions:-

  1. Right to correct the data where it is inaccurate or seems misleading.
  2. The data principal has the right to complete the incomplete information or database for processing.
  3. The data principal by exercising this right may update the information which is out-of-date.
  4. The data principal reserves the right of receiving the appropriate reason or justification for declining his/her request of making corrections in the data.

7. There are rights given to data principals as against data fiduciary.

  1. The data principal possesses the right to ask or demand the status of the process of data processing either it is started or completed or in the middle.
  2. The data principal reserves the right of taking back its data from the data fiduciary.
  3. The data principal reserves the right of asking or demanding the summary of the whole processing that has been run over its data.
  4. The data principal reserves the right to know the identity of the data fiduciary with whom he/she is sharing its personal data for processing.

Chapter 6 of the Bill provides for such measures to be taken in order to maintain transparency and accountability in any processing of data. The data fiduciary is required to get registered its privacy policy as such privacy policy is to be formulated for the purpose of safeguarding the interests of the data principal or of the person whose data is being processed. Some standards are to be there for the verification of technology so that the transparency in the processing can be maintained. The Bill has also provided for maintenance of certain measures to ensure transparency and accountability in the data processing. By virtue of the Personal Data Protection Bill, there are restrictions on the transfer of personal data outside India. There are some exemptions given under the Personal Data Protection Bill in cases where the data is being processed for any research purpose or any journalistic purpose, statistical purpose, or any other purpose.

The central government of India is empowered to establish the authority which would be known as the National Data Protection Authority of India which would be constituted with six members along with one chairperson. The chairperson of such authority will be empowered to deal with the concerned affairs. The most important function this authority performs is to safeguard the right to privacy of any individual or to prevent any misuse of any data being processed. The central government is also empowered to set up a tribunal by way of notification for the purpose of hearing and disposing of matters concerned or given under the Personal Data Protection Bill, 2019.

Major Issues

The major issues are coming in front which is the government has stated that the localization of data will surely help law – enforcing agencies for accessing the data or for the purpose of processing the data in any investigation and enforcement. Various companies which are established in India support or stand in favor of localization as they store and process most of the data.

For example: recently, Pay TM has come up in a stand of localization but on the other hand, reliance Jio has stated that data regulation for privacy and for the purpose of security will have little teeth without localization. The argument stating that localization will enhance the ability of the Indian government to tax internet giants. The groups of civil society have argued against it as stating that this idea of protectionism may backfire on the government of India as the open-ended exceptions are given to the government allowing the surveillance as given in the bill. The giants like Facebook, Google, and their bodies especially those having ties with the US, possessing the heavy backlash.

The issue in front is highlighted as the data fiduciaries are allowed to transfer the data outside India but no such grounds or situations are mentioned in which such permissions are given. The bill is strongly building up a shield for the right to privacy but in this Bill, no such mechanism regarding Redressal as against authority is given. Another major issue is that the total control over the personal as well as the sensitive data is given to the government which may consequent in authoritarian rule.


While observing the issues, it is suggested that there must be provisions regarding the Redressal mechanism. Also where the data is processed under the exemptions provided for the purpose of security of the state, it is suggested that the availability of judicial review in such cases may create accountability over the state for exercising such exemptions in processing data.  It is also suggested that a criterion of obtaining permission for data processing without consent on the ground of national security from either tribunal or the Supreme Court should be mandated. The data principals should be given the right to file a suit against the authority for any sort of grievances that occurred to them due to such processing of data.


Thus, this controversial Bill has come up with the object of creating a transparent and accountable framework of data collecting and processing along with keeping the right to privacy in mind. The Personal Data Protection Bill of 2019 is of regulatory nature and was drafted after the judgment of the Puttaswami case in which the right to privacy was included under the ambit of Article 21. In the Personal Data Protection bill, 2019 certain restrictions are on the data fiduciaries which they have to keep in mind while processing any data and also this bill provides certain rights to ensure that their data is not being misused.

Where everything is inclining towards online, it is strongly suggested to keep your data safe in order to prevent any unlawful activity also to keep check security of any application an individual is using. It is also suggested to use two-factor authentication and to read the privacy policies before availing of any services. The current status as shown a joint parliamentary committee is considering this Bill and after much consideration, it would have to be passed by both the houses of parliament then, have to be given assent from the president and to be notified in the official gazette; then it will become law.

This article has been written by Deepshikha Gautam, 3rd Year B.A LL.B student at Banasthali Vidyapeeth.

Law Corner