Analysis of Personal Data Protection Bill, 2019

By Sukhmani Kaur

The Personal Data Protection Bill, 2019 was introduced in the Lok Sabha by the Minister of Electronics and Information Technology. The bill seeks to provide for the protection of personal data of individuals, and establishes a data protection authority for the same. The committee submitted the draft Personal Data Protection Bill, 2018 in July 2018. After further deliberations, the bill was approved by the cabinet ministry of India on 4 December 2019 as the Personal Data Protection Bill, 2019 and tabled in the Lok Sabha on 11 December 2019. The bill is based, in large part, on the proposed draft of the Personal Data Protection Bill, 2018 (“draft bill”), which was attached to the report submitted to the government by the committee of experts constituted under the chairmanship of Justice Srikrishna of the draft bill and its comparison with the European Union's General Data Protection Regulation (GDPR).

The bill's stated objectives are to provide for the protection of the privacy of individuals relating to their data, specify the flow and the usage of personal data, create a relation of trust processing the personal data, protect the fundamental rights of individuals whose personal data are processed, create a framework for organisational and technical measures in the processing of data, lay down norms for social media intermediaries, cross-border transfer, accountability of entities processing personal data, and remedies for unauthorized and harmful processing, and establish a data protection authority of India for the said purposes and matters connected therewith or incidental thereto. The PDPB proposes to protect “personal data” relating to the identity, characteristics, traits or attributes of a natural person, and sensitive personal data such as financial data, sex life, health data, biometric data, genetic data, transgender status, intersex status, caste or tribe, and religious or political beliefs.

The following is a summary of the key changes relevant to private data fiduciaries. The bill has also made certain changes to the provisions relating to the processing of personal data by central and state governments. Those provisions are not the focus of this summary and will be examined separately. This summary is intended to be read with the draft bill.

The bill includes exemptions for processing data without an individual's consent for reasonable purposes, including the security of the state, detection of any unlawful acts of fraud, whistleblowing, medical emergencies, credit scoring, operation of search engines, and processing of publicly available data. The bill calls for the creation of an independent regulator, the Data Protection Authority (DPA), which will oversee assessment and audits, and definition making. Each company will have a data protection officer (DPO) who will liaise with the DPA for auditing, grievance redressal, record maintenance, and more. The bill includes “purpose limitation” and “collection limitation” clauses, which limit the collection of data to what is needed for a "clear, specific, lawful" purpose. It also grants individuals the right to data portability and the ability to access and transfer their data. The bill sets the penalties at Rs 5 crore or 2 percent of worldwide turnover for minor violations and Rs 15 crore or 4 percent of total worldwide turnover for more serious violations.

Data is the large collection of information that is stored in a computer. While the fiduciary controls how and why data is processed, the processing itself may be by a third party, the data processor.

Data can be broadly classified into two types: personal and non-personal data. Personal data pertains to characteristics, traits, or attributes of identity which can be used to identify an individual. Non-personal data includes aggregate data through which individuals cannot be identified. For example, while an individual's location would constitute personal data, information derived from multiple drivers' locations, which is often used to analyse traffic flow, is non-personal data.

The individual whose data is being stored and processed is called the data principal in the PDPB.

Consent: Consent has been emphasized as the key basis for processing personal data in section 11; however, other bases for processing continue to be defined in sections 12, 13 and 14.

Data retention: The bill includes language requiring deletion of data after the conclusion of the period of its purpose of processing and also includes a provision for explicit consent to be obtained for longer retention. It is unclear whether such retention under consent will override the purpose requirements under section 4 of the bill.

Processing of sensitive personal data: Under the bill, "passwords" have been removed from the definition of sensitive personal data. The draft bill required informed consent for the processing of sensitive personal data after knowing all significant consequences. Under the bill, data fiduciaries are only required to satisfy the lower standard of informing data principals of significant harm.

Evidence of compliance: The draft bill proposed requiring the data fiduciaries to demonstrate that all processing of personal data by them complied with its provisions. This broad requirement has been done away with but has been retained for demonstrating consent under section 28.

Age verification and privacy by design policies: Mechanisms for verification of the age of minors will now be prescribed under the regulations rather than be determined by data fiduciaries. Similarly, privacy by design policies will, subject to any contrary regulations, now be certified by the authority rather than left to the discretion of the data fiduciaries, and will be required to be published on the websites of the data fiduciary.

Recommended exception for search engines: A potential “reasonable purpose” which will permit the processing of data has been included for the operation of search engines. This was a change sought by multiple stakeholders.

Apart from this has become a potential avenue for the invasion of privacy, as it can reveal extremely personal aspects. Also, it is now clear that much of the future’s economy and issues of national sovereignty will be predicted by the regulation of data. The physical attributes of data (where data is stored, where it is sent, where it is turned into something useful) are called data flows. Data localisation arguments are premised on the idea that data flows determine who has access to the data, and who profits off it, who. For example, the central government can exempt any of its agencies in the interests of security of the state, public order, sovereignty and integrity of India, and friendly relations with foreign states. Processing of personal data is also exempted from provisions of the bill for certain other purposes such as prevention, investigation, or prosecution of any offense, or research and journalistic purposes. Further, personal data of individuals can be processed without their consent in certain circumstances such as:

1. If required by the state for providing benefits to the individual.

2. Legal proceedings

3. To respond to a medical emergency.

The bill provides the data principal with certain rights with respect to their data. These include seeking confirmation on whether their data has been processed, seeking transfer of data to other fiduciaries, and restricting continuing disclosure of their data if it is no longer necessary or if consent is withdrawn.

To ensure compliance with the provisions of the bill and provide for further regulations with respect to the processing of personal data of individuals, the bill sets up a data protection authority. The authority will be comprised of members with expertise in fields such as data protection and information technology. Any individual who is not satisfied with the grievance redressal by the data fiduciary can file a complaint to the authority.


Pursuant to the PDPB being enacted into an act, there are several compliances to be followed by organizations processing personal data to ensure the protection of privacy of individuals relating to their data.

Consent of the individual would be required for the processing of personal data. Based on the type of personal data being processed, organizations will have to review and update data protection policies and codes to ensure these are consistent with the revised principles. This includes updating their international breach notification procedures, implementing appropriate technical and organizational measures to prevent misuse of data, appointing a data protection officer in the case of a significant data fiduciary, and instituting grievance redressal mechanisms to address complaints by individuals.

Author: Sukhmani Kaur


Asian Law College, Noida
