This research draft analyses the Personal Data Protection Bill presented by
the Ministry of Electronics and Information Technology (MeiTY), in 2019. The
bill was brought up on the recommendations of a committee, chaired by Justice BN
Srikrishna after examining the issues related to data protection in India.
Security of personal data is a global issue that many countries are trying to
tackle including India. In India, the use of technology has increased to a great
extent thus, it is imperative to have such legislation for regulating entities
while processing the personal information of individuals. Since we have
legislation now, it is important to analyze the aspects of the bill and how it
will help citizens to protect their personal data from being harmed. This
research paper also includes a brief analysis of the JPC1
The idea of the Personal Data Protection Bill first came to light, in one of the
most celebrated cases in India, Justice KS Puttaswamy vs. Union Of India
in 2017, which declared 'privacy' as a fundamental right under Article 21 of the
Indian Constitution. The nexus between data and privacy and the need for such
regulations were found. With the constant growth of digitalization in India,
offenses as personal data breaches, are touching the skies.
With such legislations, it will be easier to regulate the data processing
entities and ensure that there is no harm to the personal data of an individual.
With the advent of technology and digitalization the threat to personal
information and personal data breach is increasing. As India is trying to adapt
to the new technology, these data breaching activities have become an obstacle.
Not just India, but many other countries are coming up with such legislation in
order to safeguard their citizens' personal information. Data released by
UNCTAD 2 (https://unctad.org/page/data-protection-
and-privacy-legislation-worldwide) says that 1% of the countries have
legislation on data protection, 9% of countries have draft legislations, 15% of
countries have no legislations, 5% countries have no data.
The bill was presented in Lok Sabha on December 11, 2019, by Dr. Ravi Shankar
Prasad the then Minister of Electronics and Information Technology (MeiTY). The
bill was presented on the recommendations of the BN Srikrishna committee.
Further, it was referred to the Joint Parliamentary Committee of both the houses
of Parliament (called JPC)*. The JPC was headed by a Member of Parliament
Some other aspects of the bill which were discussed, were 'Right to privacy and
'Right to be forgotten.' These two judgements had given the basis for the
formation of the personal data protection bill in 2019. Since the breach of
personal data or information leads to interference in an individual's private
life, it is very important to safeguard such data from physical as well as
digital domains. As this being one of the challenges of digitalisation, it is
the duty of the law makers of a country to come up with such dimensions which
would give a safe atmosphere to an individual.
The proposed bill gives us an insight of such an environment where there will be
timely checks on the activities of the data processing entities so that the
personal data of an individual is not harmed. The bill is designed in such a
manner that it regulates entities not only while processing data but also after
the process is complete.
It literally means that the entities are firstly required to delete the personal
data of an individual after the processing is complete and secondly remove it
from all the sites used while processing such data. This indicates to the 'right
to be forgotten or erasure' of personal information of any person.
No personal shall be discriminated on the basis of his past deeds of which he
has been acquitted from or for the personal ailments from which he might be
suffering. Thus, the bill gives us an insight of regulating data processing
entities keeping in mind the rights of data principals.
Definition Of The Terms Discussed In The Bill
- Data: is the large collection of information, facts, opinions
- Data Principal: the person whose data is collected and processed.
- Data Fiduciary: the person who collects and processes data. It
can be any state, a company, a firm etc.
- Data Processor: any state, company, any entity that processes
data on the behalf of a data fiduciary.
- Data Auditor: it means to audit data to establish how a company's
data fits in the purpose of the data processing.
- Biometric Data: facial images, fingerprints, iris scans, etc. are
known as biometric data. It is the recognition of an individual based on his
biological characteristics and the unique identity of a natural person.
- Adjudicating officer: it shall be a person having ability and
professional experience of not less than 7 years in the field of law, cyber
and internet, data protection and related subjects.
- Anonymisation: it refers to the transformation of personal data
of an individual in such a manner in which the identity of the data
principal remains hidden in an irreversible process, it also meets the
standards of irreversibility specified by the authority.
- Anonymised data: the data which had gone through the process of
- Child: under the bill, any person less than eighteen years of age
is termed as a child.
- Consent: it is the meeting or of minds or consensus between two
parties (here, the data principal and the data fiduciary) in accordance to
perform some activity. A data fiduciary cannot collect information without
the consent of the data principal.
- De-identification: it means that the data fiduciary can hide the
identity or the name of the data principal by using some fictious name or in
any other way which might indicate to that person, but not directly.
- Financial data: Any financial information of an individual as
account, card, payment history or payment platform of the data principal or
the relationship between a finance institution and the data principal which
includes financial status and credit history.
Joint Parliamentary Committee Report: Discussed In Brief
Data: Transforming India As Well As A Global Threat Data is the collection of large information at one place easy to access.
Digitalisation and technology has made the lives of people much easier. It
has helped India to reach the skies in terms of technological advancements.
India has a huge population being the second most populous country in the
world. An enormous amount of data is collected every day. Collecting such
data at one place is a huge task. The effective use of this data can take an
economy to greater heights. As every situation comes with a but, here also a
'BUT' arrives with capital letters. Since a huge chunk of data is available,
there is a possibility of data breach as well. This being a giant question
on the earth, a lot of countries are coming up with the legislation to
tackle this issue. Brazil, Australia, Canada, USA already have such
legislations and many more countries are trying to give their citizens a
safe environment to live.
New Asset And Dwindelling Consumer Trust As the new technologies are coming up, people are concerned about the use of
such technology and
whether it will be safe for them or not. It is difficult for the older
generations to adapt with the new aspects of technology. It is very natural
to think so, because everyone is concerned about the personal data of them
and their whereabouts.
The personal data protection bill assures the citizens that there will be
regular checks on the data fiduciaries to ensure that the personal
information of an individual is not leaked to the third party. At the same
time, checks are also done on the companies so that they keep the personal
information of any person safe with themselves. The whole idea behind this
is to make the consumer feel free to share their information with the
entities concerned without leaving any doubt in their minds.
Impact Of Data Breach On Health And Wellbeing Not just a person is getting affected financially, socially, emotionally but
also experiencing a threat to health as well. Because of such activities of
personal data breach a personal is not willing to trust people he is
surrounded by. This creates a sense of insecurity in a person's mind and a
fear to reside in any place.
Constant fear in the minds of people can directly affect their body and thus
affect the society as a whole. This has to be taken into consideration that
the health of people is also getting affected to a great extent in
connection with the protection of personal information of data principals.
People can suffer from various emotional attacks as excessive fear, anger,
frustration, outrage, insomnia, increase in stress level, depression, unable
to feel safe and trust people, lack of concentration, lack of interest in
activities and hobbies, helplessness etc.
Proliferation Of Bots And Fake AccountThough digitalisation and technological
advancements have made lives easier but some other concerns have also emerged. A major issue that has taken up the course is making of fake accounts of people with other names. They hack accounts of people and extract personal information leading to personal data breach.
The most prevalent ones are the social media platforms. The present generation is the most active on such platforms, and the most vulnerable to phishing and blackmailing
activities. It is really important for them to be very vigilant regarding their personal information to whom they are sharing with.
Growing Importance Of Data Protection And Localisation As far as data protection is concerned, every person
wants to give live in a very safe environment both physically and digitally. Moreover, the confidentiality of personal information of any person is extremely important to be maintained. This is the responsibility of both the person himself and the state. The policy makers of a country should ensure to safeguard the personal information of their citizens in a befitting manner. As more and more companies enter the digital domain, the more protecting data becomes a herculin's task. Now comes data localisation, firstly it refers to the cross- border movement of data. The authorities ensure that the personal data of an individual does not get intervened by any alien international agency.
Some of the provisions discussed by the bill include:
- Personal data of an individual cannot be transferred without the consent
of that particular individual.
- Sensitive personal data can be transferred but has to be stored in India.
- Critical personal data can be transferred but can be processed in India
- Data of the data principal can be transferred in health emergencies.
- The central government can transfer data of the data fiduciary outside
India or to any other entity when there is a question of national security.
Data Security As National SecurityData protection of citizens of a country is the responsibility of the law makers of a country. Thus, it is in the hands of bureaucrats to safeguard personal information of the citizens. Moreover, the technical information of any country specially defence is very important to keep safe from any kind of breach. People are the asset of any country be it direct breach to the personal data of a citizen or be it indirect in the form of harm to the national
security of a country, in both the cases there is a threat to the life of citizen of a country. Thus, is imperative to have such legislation in hand to prevent such issues.
Legal Mechanisms In India To Deal With Data Protection In IndiaIndia did not had any legislation before. To deal
such privacy issues related to data protection we had Information Technology Act 2000. After an amendment to it some rules were added known as, Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011. Other provisions related to it are Aadhaar (Targeted Delivery of Financial, and other Subsidies benefits and services) Act, 2016 and RTI (Right To Information) Act, 2005. But these didn't suffice the requirements of our country.
We needed a legislation which specifically and completely talked about the protection of personal data of an individual in India. As per the examinations and the recommendations of BN Srikrishna committee, the existing government in its previous tenure, in 2019, came
with the legislation for personal data protection. But the process does not end here, the above mentioned acts will also be framed in a way that these may include some of the provisions of the data protection.
BN Srikrishna Committee Recommendations: Discussed In Brief.
The committee recommendations were presented before the Lok Sabha by the
committee head, Supreme Court Judge Justice BN Srikrishna. The committee's
recommendations were presented in accordance with the Personal Data Protection
Bill 2019, and making Data Protection Framework. The recommendations were
presented after a very famous Supreme Court case KS Puttaswamy vs. Union Of
, in which right to privacy was discussed. This gave birth to the idea of
The major key points discussed were:
- Obligations of the data fiduciary:
The data processed by the data fiduciaries has to be clear, specific and lawful. The use of such personal
information of a data principal has to ensured that the processing and profiling is done in a fair and reasonable manner. The data collected by the data fiduciaries should satisfy the purpose of the data processing. The data fiduciary is entitled to give prior notice to the data principal before collecting data and the reason behind it.
- Consent of the data principal
Since data protection is directly related to privacy, it is absolutely necessary
for the data fiduciaries to have consent of the data principal. Personal
information processing has to be done with the free consent of the data
principal. But in certain cases processing of data can be done even without
consent of the data principal by the State or the authorities concerned. Issues
related to national security, confidentiality of the State, in compliance with
any order of the Courts and Tribunals, providing assistance to an individual
during some national calamities or disaster breakdown etc.
- Protection of children from personal data breach
The bill defines a child as an individual less than eighteen years of age. Since
a child is also an individual, it has to be ensured by the data fiduciaries that
the processing of personal information of children should be done keeping in
mind the rights and the best interest of the child. If the child is not of the
consenting age, the data fiduciaries must approach the parents or the guardian
of the child.
- Rights of the data principals.
The rights of data principal have been give importance in the bill.
Some of the primarily concerned rights given to the data principals are:
- Right to confirmation and access:
As the name
suggests, it is the right of an individual to have a check whether the personal
data given to the data fiduciary is being processed for the right purpose or
- Right to correction and erasure:
This right ensure data principals that they
can any time ask data fiduciaries to correct the information provided. Right to
erasure also includes the new concept raised in as 'right to be forgotten'. It
implies that the data fiduciary has to remove the personal data of the data
principal once processing of personal information in complete from the system
and the site used wile processing.
There are certain exemptions available for which personal data can be processed
without consent of the data principals. The grounds for such interventions can
be public welfare, law and order, emergencies, friendly relations with foreign
countries, security of State, legal proceedings etc. Apart from these, personal
data breach or misuse of personal information of the data principal shall not be
done. It is the responsibility of the authorities to keep personal information
of data principals confidential.
Data Protection Authority (DPA)
The data protection law will set up a Data Protection Authority (DPA), which
will be an independent regulatory body responsible for the enforcement and Effective implementation of the law.
The DPA shall perform the following
- Monitoring And Enforcement
- Legal Affairs, Policy, And Standard Setting
- Research And Awareness
- Inquiry, Grievance Handling, And Adjudication.3.
The personal data protection bill safeguards the personal information of an
individual from being breached. The step taken by the government is extremely
appreciable. Data protection has become a problem with technological
advancements. This bill provides citizens a safe environment where they can
sustain their lives with privacy and no third- party interference.
This bill regulates the data protection authorities or data fiduciaries who are
assigned by the government to process the personal information of an individual.
Addressing this issue the Joint Parliamentary Committee came up with certain
recommendations to tackle the problems which can come into effect on individuals
with personal data breach activities followed by the concerns on national
Another committee was constituted having Justice BN Srikrishna as its head, the
committee discussed the actions that would be taken by the government if there
is a breach on the part of the data fiduciaries and what are the duties they
must perform while processing the personal data of an individual. This research
paper gives a holistic idea about the Personal Data Protection Bill, 2019.
- PRSIndia: https://prsindia.org/billtrack/the-personal-data-
- Personal Data Protection Bill, 2019: PRSindia Bill Text 4173LS(Pre).p65
- JPC: Joint Parliamentary Committee report and the recommendations of the
BN Srikrishna committee, in connection to the bill.
- UNCTAD: United Nations Conference on Trade and Development.
page no 2/5