Critical Analysis of the Data Protection Bill


The Data Protection Bill, 2019 (PDPB) was introduced in Lok Sabha by the Minister of Electronics and Information Technology on December 11, 2019. The purpose of this Bill is to provide for protection of the privacy of individuals relating to their personal data, and to establish a Data Protection Authority of India for the said purposes and for matters concerning the personal data of an individual. The Bill proposes to supersede Section 43-A of the Information Technology Act, 2000, deleting the provisions relating to compensation payable by companies for failure to protect personal data.

The PDPB inter alia prescribes the manner in which personal data is to be collected, processed, used, disclosed, stored, and transferred. The draft data protection bill was submitted by the Justice BN Srikrishna committee within the Ministry of Electronics and Information Technology (MeitY) to provide for a robust legal framework on data protection in India. The bill acknowledges privacy as a fundamental right, with provisions to safeguard personal data[i].

The PDPB proposes to safeguard “Personal Data” relating to the identity, characteristics, traits or attributes of a natural person, and “Sensitive Personal Data” such as financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, and religious or political belief. The draft bill borrows a good number of provisions from the General Data Protection Regulation (GDPR) of the European Union, which provides a framework on data protection.

Applicability of the Bill

Under the provisions of the Report, an exception based on the principles of territoriality had been recommended. The Report stated that any entity located in India and only processing personal data of foreign nationals not present in India may be exempted from the application of the Bill by the Central Government. This exception was not included in the 2018 Bill. The lack of such an exemption made the scope and applicability of the 2018 Bill more over-reaching than the GDPR.

The 2019 Bill permits the Central Government to exempt from the application of the 2019 Bill the processing of personal data of data principals not within the territory of India, pursuant to any contract entered into with any person outside the territory of India, including any company incorporated outside the territory of India, by any data processor incorporated under Indian law. However, until the Central Government notifies such an exemption, the benefit of the same is not available.

Further, under the 2018 Bill, the term ‘any business that is carried on in India’, in relation to the exercise of jurisdiction over any data fiduciary or data processor not located within India, is vague and lacks specificity. Even the 2019 Bill does not provide any clarity on the above provision. Therefore, to tighten the scope of the 2019 Bill and bring more specificity to its applicability, the above term ought to have been specifically defined, or an explanation of the same ought to have been provided.


Definition of Personal Data

The definition of ‘personal data’ in the 2019 Bill has been significantly broadened to read as “personal data means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of identification” (Section 3 (28) of The Personal Data Protection Bill, 2019). Section 3 (32) of The Personal Data Protection Bill, 2019 defines ‘profiling’ as “any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of a data principal”.

Under the 2018 Bill, personal data had been defined to mean “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information”, as stated under Section 3(29) of the Act.

The expansion of the definition of personal data is no doubt a welcome measure because it broadens the reach of the 2019 Bill, strengthening the privacy rights of data principals in turn. Further, the definition also covers any inference drawn from personal data for the purpose of identification, since such inference often results in indirect identification of a natural person.

This is important because entities using these technologies carry out targeted online advertising and use individuals’ online activities and patterns to customize their advertisements. Though data gathered from one’s online activities may not be capable of identifying a person individually, when taken collectively or together with other characteristics it could result in identifying a person.

Amended Definition of Sensitive Personal Data

Although the definition of sensitive personal data has largely remained the same, a conscious decision to remove ‘passwords’ from that definition has been made under the 2019 Bill. This seems to be an attempt on the part of the government to streamline the definition of sensitive personal data in line with international standards and legislation.

This was also the need of the hour, since entities that do not process sensitive personal data as such were also required to meet the higher degree of compliance associated with such data, merely by enabling password access to their services to afford increased data security to their users.

Foreign companies and multinational companies may now find it easier (in comparison with the taxing compliance requirements under the 2018 Bill relating to sensitive personal data) to comply with the provisions of the 2019 Bill, because the stringent provisions relating to sensitive personal data will not be applicable to passwords.

Having said that, the 2019 Bill has retained financial data under the definition of sensitive personal data, which may still prove to be onerous for foreign entities given the stringent compliance requirements for sensitive personal data under the 2019 Bill.

Under the Bill, the Central Government had the sole and exclusive power to notify certain other kinds of personal data as sensitive personal data. Under the 2019 Bill, the Central Government is now required to consult with the Authority[7] before notifying certain other kinds of personal data as sensitive personal data[8].

Another welcome change under the 2019 Bill is that, while the Central Government can specify categories of personal data as sensitive personal data, it cannot expand the grounds of processing, unlike under the 2018 Bill. To serve the objective and intent of the 2019 Bill in prescribing different levels of obligations and compliance for personal data and sensitive personal data, it is necessary for the Central Government and the Authority to exercise caution while notifying any personal data as sensitive personal data[ii].

Grounds of the Processing of Personal Data

The 2018 Bill stated that personal data may be processed if such processing is necessary for any function of the Parliament or any state legislature. The 2019 Bill has deleted this provision and restricted the processing of personal data, without the consent of the data principal, to the provision of any service or benefit to the data principal from the State, or the issuance of any certification, license or permit for any action or activity of the data principal by the State, in relation to the functions of the State authorised by law, as mentioned under Section 12(a) (i) and (ii) of The Personal Data Protection Bill, 2019.

The 2018 Bill stated that personal data can be processed, without consent, for certain reasonable purposes as may be specified by the Authority. The Authority may specify the reasonable purposes, which include the prevention and detection of any unlawful activity including fraud, whistle blowing, mergers and acquisitions, network and information security, credit scoring, recovery of debt, and the processing of publicly available personal data.

The 2019 Bill has broadened the reach of ‘reasonable purposes’ by adding ‘operation of search engines’ to the list that, subject to certain conditions, may be notified as a reasonable purpose. Therefore, personal data may be processed without the consent of the data principal for the purpose of the operation of search engines.

Although the extent and scope of the permissible processing of personal data under this head will be determined by the regulations, this will, in all likelihood, be seen as a welcome move by companies operating search engines, who would otherwise have been unduly burdened by compliance requirements to obtain the consent of data principals, which could hinder the efficiency of their service.

Extra Rights of Data Principal

The 2019 Bill provides data principals with two additional rights concerning their personal data:

(a) The right to access in one place the identity details of the data fiduciaries with whom their data has been shared:

Although this provision seems to have been enacted so that data principals have information about, and access to, the data fiduciaries with whom their data has been shared, it is not clear who would have the details of all the data fiduciaries with whom the personal data of the data principals has been shared.

This becomes particularly relevant in arrangements where the data must be shared among multiple data processors at different points in time. Further, as of now there seems to be no clarity about the manner in which this right shall be enforced under the 2019 Bill or who would take responsibility for the same.

(b) The right to data erasure.

Although this new right of erasure of personal data on request has explicitly found its way into the 2019 Bill, the 2018 Bill already imposed an obligation on the data fiduciaries to delete personal data once the purpose for which the same had been collected was achieved.

Privacy by Design Policy

Under the 2018 Bill it was unclear whether a data fiduciary is required to have a separate privacy policy (as currently required under the current data privacy framework prescribed under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011). The 2019 Bill has removed the above ambiguity and has expressly stated that a data fiduciary is required to formulate a privacy by design policy (“Privacy Policy”) that ensures that:

  • Managerial, organisational and business practices and technical systems are designed in a manner to anticipate, identify, and avoid harm to the data principal;
  • The obligations of data fiduciaries;
  • The technology used in the processing of personal data is in accordance with commercially accepted or certified standards;
  • The legitimate interests of businesses, including any innovation, are achieved without compromising privacy interests;
  • The protection of privacy throughout processing, from the point of collection to deletion of personal data;
  • The processing of data is carried out in a transparent manner; and
  • The interest of the data principal is accounted for at every stage of the processing of personal data.

The above states the interpretation within the ambit of Section 22 of the Personal Data Protection Bill, 2019. The 2019 Bill further states that the data fiduciary may submit its Privacy Policy to the Authority for certification in the manner as may be prescribed[14]. Further, the 2019 Bill also requires data fiduciaries to display the certified Privacy Policy on their websites[15].

New Recognized Categories of Data Fiduciaries

Consent Managers

The 2019 Bill has introduced the concept of ‘consent managers’, which are data fiduciaries enabling data principals to manage their consent given to other data fiduciaries (“Consent Managers”). Under the 2019 Bill, data principals can give or withdraw their consent either by themselves or through these Consent Managers. The 2019 Bill states that Consent Managers are required to register with the Authority; however, it does not provide any further clarity with respect to who is required or permitted to register as Consent Managers or the manner in which consent of the data fiduciaries is managed by such Consent Managers.

Further, since the 2019 Bill designates Consent Managers as data fiduciaries, the Consent Managers will also be required to comply with the provisions of the 2019 Bill. Additionally, the Consent Manager is expected to manage consents through an interoperable platform. It is not clear how such interoperability can be achieved, technically and operationally, specifically taking into consideration the informed, specific and clear consent requirement, without jeopardizing the ability of each independent data fiduciary to protect details of its business offering from other data fiduciaries (including its competitors registered as Consent Managers).

Social Media Intermediaries

The 2019 Bill also introduces the concept of ‘social media intermediaries’. Social media intermediary has been defined under the 2019 Bill to include “an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services, but shall not include intermediaries which primarily:

  • Enable commercial or business-oriented transactions,
  • Provide access to the Internet,
  • Are in the nature of search engines, online encyclopedias, email services or online storage services.”

In light of the growing concerns surrounding the impact of social media platforms on free and fair elections reaching a fever pitch, particularly in the West, and the spread of fake news all over the world, the 2019 Bill gives the Central Government the power to notify any social media intermediary as a significant data fiduciary. Significant data fiduciaries are subjected to more onerous responsibilities, such as audits, maintenance of records, data protection impact assessments, and appointment of data protection officers.

Further, each significant data fiduciary shall enable users who register for their service from India, or use their services in India, to voluntarily verify their accounts. The voluntary verification of accounts shall be provided with a demonstrable and visible mark of verification that shall be visible to all users of the service.

Although such profile verification may curb the spread of fake news, it may increase the operational cost for such social media intermediaries, as they would now be required to implement a mechanism that allows a user to verify his or her profile, and might drive greater irresponsibility. Further, there is no clarity on what documents are accepted for the purpose of verification and what consequences (if any) will follow from this verification.

In light of the above provision, the Central Government should exercise caution before notifying social media intermediaries as significant data fiduciaries, and should notify only those social media intermediaries as significant data fiduciaries that meet the relevant criteria prescribed under the 2019 Bill.

Restriction on Cross-Border Transfer of Personal Data

The 2019 Bill has done away with the requirement for data localization (that is, the requirement for each data fiduciary to store one (1) serving copy of the personal data on a server or data center located within the territory of India). While this is a welcome move in the interest of ease of doing business and allowing global companies to transfer and process personal data across different jurisdictions, the 2019 Bill still mandates storing a copy of sensitive personal data in India.

While the relaxation of the data localization norms with respect to personal data would mean a reduction in operational costs for quite a few organizations/companies that do not process sensitive personal data, the retention of localization requirements for sensitive personal data under the 2019 Bill[18] is likely to draw criticism once again from stakeholders. This becomes particularly relevant considering that the authority has the right to expand the scope of data that may be treated as sensitive personal data under the 2019 Bill (please refer above). The 2019 Bill has also laid down certain conditions based on which sensitive personal data can be transferred outside India, as per Section 34 of The Personal Data Protection Bill, 2019.

Further, with respect to the definition of ‘critical personal data’, the 2019 Bill remains silent, as was the case with the 2018 Bill. It is important that the 2019 Bill or related regulations clearly define the term critical personal data or provide guiding principles for its determination, to avoid confusion and untruth. However, the 2019 Bill now permits ‘critical personal data’ to be transferred outside India (previously prohibited under the 2018 Bill) only where the transfer is:

  • To a person or entity engaged in the provision of health services or emergency services, where such transfer is necessary for prompt action; or
  • To a country, or any entity or class of entity in a country, or to an international organization, where the Central Government has deemed such transfer to be permissible, and where such transfer, in the opinion of the Central Government, does not prejudicially affect the security and strategic interest of the State, as under Section 34 of the Personal Data Protection Bill, 2019.

The first ground on which transfer of critical personal data is allowed is commendable because it keeps society’s best interests in mind. However, the transfer of critical personal data solely because the Central Government deems it permissible is too vague and seeks to grant unfettered powers to the Central Government, which was one of the primary reasons for the need to revise the existing regulatory framework concerning data privacy.

Exemption for State Agencies

The 2019 Bill gives the Central Government the power to exempt any government agency from complying with the provisions of the 2019 Bill where the same is deemed necessary or expedient in the interest of the sovereignty and integrity of India, the security of the country, friendly relations with foreign states, public order, or to prevent incitement to the commission of any offense relating to any of the above.

The above power vested in the government is very broad, leaving scope for misuse and interpretation of the same.

Creation of a Sandbox

The 2019 Bill requires the Authority to create a sandbox for the purpose of encouraging innovation in AI, machine learning, or any other emerging technology in the public interest, as stated under Section 40 of the Personal Data Protection Bill, 2019. Entities included in the sandbox are exempted from complying with certain requirements of the 2019 Bill.

Data fiduciaries who have obtained certification of their Privacy Policy shall be eligible to apply for inclusion in the sandbox, subject to certain additional conditions as provided under the 2019 Bill. The term for which a qualifying data fiduciary seeks to utilize the Sandbox cannot exceed twelve (12) months and cannot be renewed more than twice, resulting in a maximum timeframe of thirty-six (36) months cumulatively.

Selection Committee

The composition of the Selection Committee with respect to recommending the appointment of the Authority has been considerably revised under the 2019 Bill. As per the provisions of the 2018 Bill, the Selection Committee was to comprise (a) the Chief Justice of India or a judge of the Supreme Court, (b) the Cabinet Secretary, and (c) an expert nominated by the Chief Justice of India or by the judge of the Supreme Court.

As per the provisions of the 2019 Bill, the judicial representation on the Selection Committee has been done away with and the Selection Committee only comprises (a) the Cabinet Secretary, who shall be the chairperson, (b) the Secretary to the Government of India in the Ministry or Department dealing with legal affairs, and (c) the Secretary to the Government of India in the Ministry or Department dealing with electronics and information technology.

Excessive Liability

The 2018 Bill imposed excessive liability on the directors of a company or the officers responsible for the conduct of the business of the company at the time of commission of the offense, which seemed to be a draconian measure, as even most international data protection legislation like the GDPR does not provide for such stringent liability.

There was also a lack of clarity under the 2018 Bill with respect to (a) the quantum of fine to be imposed on directors and officers responsible (i.e. whether the same quantum of fine would be imposed on directors and officers responsible as may be imposed on the company) and (b) the nature of liability imposed inter se between a data fiduciary and a data processor, or between multiple data processors, in case of a data breach.

Code of Practice & Transitional Provisions

The 2018 Bill had certain additional provisions with respect to codes of practice that have been eliminated from the 2019 Bill. Namely, it is no longer mandated for the Authority to issue codes of practice outlining good practices of data protection or for the Authority to make such codes of practice publicly available on its website.

The 2019 Bill has also done away with provisions allowing the Authority or any court, tribunal, or statutory body to look at non-compliance with a code of practice by any data fiduciary or processor while determining whether such data fiduciary or processor has violated the provisions of the 2019 Bill, as mentioned under Section 61 (7), (8), and (10) of The Personal Data Protection Bill, 2018[iii].

Another important point to note is that while the 2018 Bill had an entire chapter dedicated to ‘transitional provisions’ that provided for phased implementation of the provisions, the 2019 Bill has made a significant departure from this approach. This means that the 2019 Bill will come into effect on such date(s) as notified. This may prove to be particularly taxing given the limited time to effectively meet all the expectations and obligations set out under the 2019 Bill.

Government’s Use of Anonymized Data

A key addition to the 2019 Bill is that the Central Government may direct any data fiduciary or data processor to provide any anonymized personal data or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government.

What should be done to make the law perfect? Many gray areas in the draft require both parliamentary and public debate before it comes to fruition. There is also a need for industry-wide consultations before enacting the law. There is a need for a separate law to deal with the overs.

Proposal for Amendment in Data Protection Laws in India

The PDP Bill at large seeks to establish a robust data protection framework in India, including in relation to the classification, collection, and storage of personal data. For further details, please refer to our analysis of the PDP Bill[iv].

The PDP Bill specifically describes ‘health data’ as the data related to the state of physical or mental health of the data principal (the provider of such data), and includes, inter alia, records regarding the past, present or future state of the health of such data principal, and data collected in the course of registration for, or provision of, health services. The PDP Bill requires the consent of the data provider at the time of processing such data, but also contemplates certain situations where such personal data may be processed without the consent of the data principal, including to respond to any medical emergency involving a threat to the life or a severe threat to the health of the data principal or any other individual, and to undertake any measure to provide medical treatment or health services to any individual during an epidemic, outbreak of disease or any other threat to public health.


The introduction of the data protection bill in furtherance of a constitutionally guaranteed right to privacy is a small step toward occupying a leadership position on democratic data governance. However, the text of the bill largely seems to be a crude merger of provisions of the GDPR with authoritarian leanings. In the Indian bill, these include the enabling framework for state surveillance, which undoubtedly entrenches government power to undermine citizen privacy. Further, the blurring of the distinctions between non-personal data and personal data remains concerning. The bill ultimately dilutes protections on individual data rights by enabling the government to access anything it feels would fit within the laid-out categories of exemptions. Though some privacy-protecting measures in the bill mimic several provisions of the GDPR, the legislation needs significant revisions if India wants to be a leader in a democratic, privacy-protecting approach to the internet.

India’s strategic interest undoubtedly lies in ensuring that it upholds its constitutional responsibility to its people and privileges citizen rights and economic welfare over mere commercial or bureaucratic interests. But, particularly due to concerning exemptions in the text of the Personal Data Protection Bill, it is not clear whether this objective is satisfied. As the Joint Parliamentary Committee starts its deliberations on the draft of the bill, it remains to be seen whether the policymaking apparatus swings the right way.


  • What is the Data Protection Bill, 2019?
  • Who will be responsible for providing the legal framework for the Bill?
  • What are the objectives of the data protection bill?
  • How has the bill treated personal data and sensitive personal data separately?
  • Where does the data protection bill get its inspiration?




