We are moving into an era of digital data transfer, exchanging our sensitive information globally. Securing this sensitive information, which is often compromised, has become a challenge. This article examines the Personal Data Protection Bill, 2019, which was introduced in the Lok Sabha by the Minister of Electronics and Information Technology, Mr. Ravi Shankar Prasad, on December 11, 2019. The bill proposes to protect privacy and regulate the processing of “sensitive” and “critical” personal data. The bill presented in the parliament overlooks the draft that was submitted by the Justice Srikrishna-led panel in 2018. In this article, we shall address how the bill passed deals with the preventive approach rather than the protective approach. We shall also address privacy in relation to the 2019 bill.
MAJOR FEATURES OF PERSONAL DATA PROTECTION BILL
Data has become the most important resource of today’s world, and it has become subject to misuse and theft. The bill primarily focuses on protecting data that is used to identify a person, such as financial details, biometrics, and religious and caste beliefs. This information is collected by the Data Fiduciaries. Therefore, the bill obliges the government and companies dealing with the personal data of individuals to respect these rights. The draft of the 2019 bill is largely inspired by the European Union’s General Data Protection Regulation (GDPR). The definition of ‘personal data’ under the Personal Data Protection Bill, 2019 reads: “personal data means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include inference drawn from such data for the purpose of profiling.”
The Data Protection Bill, 2019 provides a legal framework for the collection and use of data. The bill proposes a Data Protection Authority (DPA) to collect and regulate the legal framework. The bill makes consent the centerpiece of the proposed data protection framework. It proposes that personal data should only be processed on the basis of free, informed, and specific consent, with provisions that allow such consent to be withdrawn. Any data processing carried out without such consent would be a violation and could result in penalties. The bill has a separate category of “sensitive personal data” and states that such data can be processed only with “explicit consent.” Consent has to be taken from the user after providing adequate information about the kinds of data and the purposes for which the data would be collected and processed. Personal data shall be collected only to the extent that is necessary for the purposes of processing such personal data. The data fiduciary will have to ensure that the data are accurate and stored only for the period necessary for satisfying the purposes of data collection. It will also be accountable for all compliance requirements under the bill. As per the bill, the data principal can claim correction of inaccurate data under Sec. 18 (right to correction and erasure). As per Sec. 20 of the bill, the data principal shall have the right to restrict or prevent the continuing disclosure of his personal data by a data fiduciary under specified conditions. The bill requires the data fiduciary to redress the grievances of the data principal efficiently and speedily under Sec. 32. The bill also provides for an “Adjudicating Officer” to decide penalties and award compensation.
The composition of the Selection Committee has been changed considerably under the 2019 Bill. As per the provisions of the 2018 Bill, the Selection Committee was to comprise (a) the Chief Justice of India or a judge of the Supreme Court, (b) the Cabinet Secretary, and (c) an expert nominated by the Chief Justice of India or by the judge of the Supreme Court. But in the 2019 Bill the judicial representation on the Selection Committee has been removed, and the Selection Committee now consists only of (a) the Cabinet Secretary, who shall be the chairperson, (b) the Secretary to the Government of India in the Ministry or Department dealing with legal affairs, and (c) the Secretary to the Government of India in the Ministry or Department dealing with electronics and information technology.
LOOPHOLES IN THE PRESENT BILL
The 2019 Bill states that only “sensitive personal data” and “critical personal data” may be transferred outside India for processing. Therefore, a requirement to store the sensitive personal data in India has been imposed.
Despite removing ambiguities from the 2018 bill, there are still some areas where the new bill poses a set of challenges. The proposed bill doesn’t provide a robust enforcement mechanism for cross-border data transfer. The GDPR has taken a comprehensive approach in this regard. It clearly says that unless the transferee country has an “adequate level of protection” mechanism, the data may not be transferred, or certain “appropriate safeguards” are to be verified before the transfer of such data. But in the 2019 bill, Section 34 is not clear about ‘adequate level of protection’. Section 34 of this draft empowers the Central Government to exempt any governmental agency from complying with the provisions provided in the bill. Here, the scope for misuse is wide. The procedure for appointing the members is widely contested. Under this bill, the government is empowered to use the data in a wide scope, including national security, sovereignty, integrity, etc. In this bill, tech giants like Facebook and Google are asked to allow users to ‘voluntarily verify’ their accounts in a manner that is to be prescribed in the future. These policies are widely criticized.
The 2019 bill proposes to impose significant compliance costs on firms engaged in data processing. While smaller ones are exempt from many obligations, these exemptions will only apply to businesses that manually process data. As a result, a large cross-section of economic actors would have to incur significant costs to implement the bill.
MASS VIOLATION OF PRIVACY DURING COVID-19
Amidst this lockdown, there has been a mass violation of privacy: the Central Government has forced public and private employees to download the ‘Aarogya Setu’ app. A writ petition has been filed before the Kerala High Court challenging the steps taken by the Central Government. John Daniel, who filed the petition, contends that these directions issued by the government violate the right to privacy and personal autonomy as explained in the K.S. Puttaswamy decision in 2017. This app takes away the right of a person to control and decide on the information related to him. Penal action is imposed on the employees of enterprises under Section 58 of the Disaster Management Act, 2005, in case they fail to comply with the orders to use this app. However, this is arbitrary, as penal action cannot be imposed without mens rea.
There has been another violation of privacy via the Zoom app, predominantly used for video conferencing. Because of the restriction on the movement of people, this app has gained momentum and is mainly used for attending meetings and online classes. It has been found that this app is not secured with end-to-end encryption as a safety feature, and it has been reported that some ransom emails have been received by users of this app.
The article challenges some of the provisions of the bill. We have highlighted some major features of the bill, with an insight into the loopholes where the bill falls short. We have also addressed the major violations taking place amidst the COVID-19 pandemic. Although the 2019 Bill has relaxed some stringent provisions that were present in the 2018 bill, certain provisions of the 2018 draft that were questioned still remain unaddressed in the 2019 draft. Most of the provisions lack clarity and an enforcement mechanism. If it is passed, it will only increase petitions in the court. The 2019 Bill is still to be reviewed by the Joint Parliamentary Committee; hopefully the shortcomings will be taken into account and the Committee will come out with the best possible solution.