Have you ever clicked on I Agree
for accepting terms & conditions of a
mobile application or on any website like Facebook, Amazon, Netflix?
I am sure, everyone has but did you know when you click I Agree
agreeing for the interface to collect your personal information and other data,
however, you cannot do anything about it but to provide such information to
access the website or the application. So, to protect its citizens, the
Government of India has introduced a Personal Data Protection Bill,
2019 (Bill) in the parliament to safeguard the right to privacy of the people.
Where it all started:
Sweden was the first nation to pass Data Act (Datalagen) in May 1973, which
criminalized theft of data and gave freedom to data providers to access their
information. In 1978, the German Federal Data Protection Act (Bundesdatenschutzgesetz)
defined basic data protection requirements, such as the need for approval for
the processing of personal data. By 1979, several EU (European Union) member
states had introduced data protection regulation as fundamental rights into
In 1995 EU enacted Data Protection Directives, which regulated the processing of
personal data within the EU, the free movement of such data and aimed to protect
the fundamental right to privacy of the citizens of EU member states. In 2016,
EU enacted GDPR (General Data Protection Regulation) which was implemented in
2018, it imposes obligations onto organizations anywhere, so long as they target
or collect data related to people in the EU and defined the terms such as
Personal Data, Data processing, Data subject, Data controller, Data processor
etc. which broaden the horizon of data protection throughout the world.
In 2017, the Supreme Court of India, in the landmark case, K.S. Puttaswamy vs.
Union of India
 passed a judgement affirming the right to privacy as the
fundamental right under the constitution of India. Thereafter, to address the
need for protection of the personal information, the Government of India
constituted a Committee of Experts on Data Protection under the chairmanship
of retired Justice B. N. Srikrishna to prepare an act which can protect the
personal information of the citizens. In 2018, the committee submitted its
report titled A Free and Fair Digital Economy: Protecting Privacy, Empowering
Indians, which led to the introduction of Bill in the parliament in December
The current regulatory framework in India:
Presently in India, the relevant laws pertaining to privacy or personal data are
the Information Technology Act, 2000 and the Indian Contract Act, 1872.
Information Technology Act, 2000 only deals with the data which is present
online or electronically, it does not cover the manually processed data or
The Information Technology (Reasonable security practices
and procedures and sensitive personal data or information) Rules, 2011, hold the
companies using the data liable for compensating the individual, in case of any
negligence in maintaining security standards while dealing with the data and the
IT Act applies only to companies, not to the government. Furthermore, the rules
only deal with the sensitive personal data and the definition of such is narrow,
and some of the provisions can be overridden by a contract. Perusal to this, the
Government of India introduced the Bill to overcome the shortcomings in the
What's in the bill
The Bill governs personal data relating to individuals, and the processing,
collection and storage of such data. The Bill defines a Data Principal is an
individual whose personal data is being processed. The entity or individual who
decides the means and purposes of data processing is known as Data
Fiduciary. The Bill provides the processing of data by the government, any
Indian Company, any citizen of India or any person or body of persons
incorporated in India and Foreign companies dealing with personal data of
individuals in India. However, the Bill does not apply to the processing of
anonymised data, other than the anonymised data or other non-personal data which
enable Central Government to frame any policy for the digital economy.
The Bill aims to broaden the definition of Personal Data to read as
personal data means data about or relating to a natural person who is directly
or indirectly identifiable, having regard to any characteristic, trait,
attribute or any other feature of the identity of such natural person, whether
online or offline, or any combination of such features with any other
information, and shall include inference drawn from such data for the purpose of
The term inference in the definition refers to any inference drawn from personal
data for profiling; as such inference usually results in an indirect
identification of an individual as some companies that use digital technology
for targeted online advertising by monitoring the online activity pattern of a
person to customize their advertisements will now be regulated under the Bill.
The Bill defines Sensitive Personal Data as personal data, which may, reveal,
be related to, or constitute financial data, health data, official identifier,
sex life, sexual orientation, biometric data, genetic data, transgender status, intersex
status, caste or tribe, religious or political beliefs or affiliation.
The definition does not include passwords, and the decision to not include
passwords in the definition taken by the Government is in the view to make it
easier for both Indian and foreign multinational companies to comply with the
provisions of the Bill, as the rigid provisions related to the protection of
Sensitive Personal Data will not be applicable on passwords.
Processing of the personal data:
The Bill proposes the processing of data by Fiduciaries only if the consent is
granted by the Data Principal. Certain exceptions provided under the Bill are:
Rights of the data principal:
The Bill grants Data Principal
- if required by the State for providing benefits to the individual
- under any law for the time being in force
- legal proceedings (iv) to respond to a medical emergency
- necessary for reasonable purposes such as prevention of fraud, mergers
and acquisitions, recovery of debt, etc.
Privacy by design policy
- The right to confirmation and access:
- to obtain confirmation from the Fiduciary on whether their Personal Data
has been processed
- a summary of processing activities undertaken by the Data Fiduciary for
processing the Personal Data
- Data Fiduciary will concisely provide the abovementioned information and
that is clear to a reasonable person
- to have information about and access to, the Data Fiduciaries with whom
Personal Data of the Principal has been shared/stored.
- The right to correction and erasure:
the Data Principal will have the right to seek correction of inaccurate
data, complete the incomplete data, update the data or erase the data which
are no longer needed by the Data Fiduciary.
- The right to data portability:
Data Principal shall have the right to receive the Personal Data provided to
Data Fiduciary, the data which form part of any profile on the Data
Principal, or which the Data Fiduciary has otherwise obtained or the data
which have been generated in the course of the provision of services or use
of goods by the Data Fiduciary.
- Right to be forgotten:
The Data Principal shall have the right to restrict the data provided to
Data Fiduciary where such disclosure (i) has
served the purpose for which it was collected or is no longer necessary for the
purpose, or (ii) was made with the consent of the Data Principal and such
consent has since been withdrawn.
The Bill provides that Data Fiduciary is required to prepare privacy by design
- the managerial, organisational, business practices and technical systems
designed to anticipate, identify and avoid harm to the Data Principal;
- the obligations of Data Fiduciaries;
- the technology used in the processing of Personal Data is in accordance
with commercially accepted or certified standards;
- the legitimate interests of businesses including any innovation are
achieved without compromising privacy interest;
- the protection of privacy throughout processing from the point of
collection to deletion of Personal Data;
- the processing of Personal Data in a transparent manner; and
- the interest of the Data Principal is accounted for at every stage of
processing of Personal Data.
The privacy by design policy shall be published on the website of Data
Duties of data fiduciary:
The processing of Personal Data will be subject to:
The processing of Personal Data will be subjected to certain transparency and
accountability measures such as:
- a particular, clear and lawful purpose,
- notice is required to be provided by Data Fiduciary to Data Principal
for collecting or processing the Personal Data.
- Personal Data shall only be kept for the reason for which it was
collected and shall be removed/deleted at the end of the processing.
- the collection of Personal Data shall be limited to such data as is
required for the purpose of processing,
- consent must be obtained from the Data Principal at the outset of
processing the data.
- the Data Fiduciary shall verify the age and obtain parental/guardian
consent before processing the sensitive children's personal data.
Restriction on transfer of data outside India:
- taking the required measures by Data Fiduciary to ensure transparency in
the processing the Personal Data by enforcing security protections;
- notifying the authority of any infringement of Personal Data;
- amend/go through the privacy by design policy annually;
- data protection officer is to be designated for advising and controlling
the activities of the Data Fiduciary;
- to create a grievance resolution mechanism to deal with grievances from
Sensitive Personal Data may be transferred outside India for processing only if
the Data Principal gives express consent. However, such Sensitive Personal Data
should still be kept in India.
Exemption for government agencies:
The Bill empowers the Central Government to exempt any governmental agency from
complying with the provisions of the Bill wherein the same is deemed necessary
or expedient in the interest of the sovereignty and integrity of India, the
security of the country, friendly relations with foreign states, public order,
or to prevent the incitement of commission of any offence relating to any of the
The processing of Personal Data is also excluded from the provisions of the Bill
Creation of sandbox:
- Personal Data is processed in the interests of prevention, detection,
investigation and prosecution of any offence;
- disclosure of Personal Data is necessary for enforcing any legal right
or claim, seeking any relief, defending any charge, opposing any claim, or
obtaining any legal advice from an advocate in any impending legal
- processing of Personal Data by any court or tribunal for the exercise of
any judicial function;
- Personal Data is processed by a natural person for any personal purpose;
- processing of Personal Data is necessary for a journalistic purpose.
The Bill provides for the creation of Sandbox by the authority for encouraging
innovation in artificial intelligence, machine learning or any other emerging
technology in the public interest. The companies under the scope of Sandbox
shall be allowed an exemption of certain provisions of the Bill.
Any Data Fiduciary whose privacy by design policy is certified by the authority
shall be eligible to apply for inclusion in the Sandbox. The term for which a
qualifying Data Fiduciary can be included in the Sandbox shall not exceed 12
(twelve) months and shall not be renewed more than twice, resulting in a total
of 36 (thirty-six) months.
Penalties under the bill:
The Bill proposes the penalty on the failure of the Data Fiduciary to fulfil its
obligations for data protection and shall be punishable with a penalty which may
extend to INR 5 crores or 2% of its total worldwide turnover of the preceding
financial year, whichever is higher. And violation of processing data is
punishable with a fine of INR 15 crores or 4% of the annual turnover of the Data
Fiduciary, whichever is higher.
The Bill is a great step towards improving the laws related to personal privacy
of an individual by providing a more accountable and transparent system for
processing Personal Data of the individual. It aims to provide certain rights to
the individual to safeguard their interest.
India is a part of fast-growing technology, and in such an environment concept
of Sandbox will play a very vital role in promoting technological advances in
the country, but providing the government with unchecked and expansive powers to
exempt government agencies from the provision of the Bill may, under some
circumstances violate individual's fundamental right to privacy.
As the Bill is still under the consideration of Joint Parliamentary Committee
and the committee is expected to submit a report on the Bill soon. It is
expected that all the shortcomings of the Bill will be addressed before the same
is adopted and introduced. The Bill is projected to have a far-reaching effect
on Indian companies and multinational corporations doing business in India.
Written By: Shrishti Agarwal
- K.S. Puttaswamy vs. Union of India (2017) 10 SCC 1
- Personal Data Protection Bill, 2019 § 2 (India)
- Personal Data Protection Bill, 2019 § 91 (India)
- Personal Data Protection Bill, 2019 § 3(28) (India)
- Personal Data Protection Bill, 2019 § 3(36) (India)
- Personal Data Protection Bill, 2019 § 12 (India)
- Personal Data Protection Bill, 2019 § 17 (India)
- Personal Data Protection Bill, 2019 § 18 (India
- Personal Data Protection Bill, 2019 § 19 (India)
- Personal Data Protection Bill, 2019 § 20 (India)
- Personal Data Protection Bill, 2019 § 22 (India)
- Personal Data Protection Bill, 2019 § 33 (India)
- Personal Data Protection Bill, 2019 § 35 (28) (India)
- Personal Data Protection Bill, 2019 § 36 (India)
- Personal Data Protection Bill, 2019 § 40 (India)
- Personal Data Protection Bill, 2019 § 57 (1) (India)
- Personal Data Protection Bill, 2019 § 57 (2) (India)