Anonymised data:
Narrow definition and prohibition on processing of anonymous data but exception provided to the central government by Clause 91 where it can collect and use such data without any mechanism in place to regulate such use.

Consent:
As per Clause 11, taking consent before processing data is mandatory but too many exceptions have been provided to it which ends up diluting the provision's power.

Detailed regulation needed for enforcing Clause 18:
Although in the subclauses to Clause 18 it lays down the procedure on how the data principal will be able to perform the necessary tasks, it will still require a detailed regulation.

Notifying principal regarding data erasure:
Clause 9 of the 2019 Data Protection Bill provides for the deletion of data by the data fiduciary, but it does not provide any system for notifying the data principal regarding the same.

Right of erasure:
The 2018 Draft Bill camouflaged the full exercise of the right by stating that the data principal shall have the right to restrict or prevent continuing disclosure of personal data, which was clearly ambiguous in nature. Clause 20 of the proposed Bill does not shift much from the abovementioned words, thereby retaining the earlier criticised provision. The proviso to the clause states that no order shall be made under this sub-clause unless it is shown by the data principal that his right or interest in preventing or restricting the continued disclosure of his personal data overrides the right to freedom of speech and expression and the right to information of any other citizen.

Discretion of the adjudicating officer in data principal's rights:
the enforcement of the data principal's right to restrict or prevent continuing disclosure of personal data vests upon the discretion of the adjudicating officer. In this context, not only does the GDPR provide clarity regarding erasure of personal data, it provides for a wider set of provisions to obligate the data controller in the erasure of the data. Therefore, this proves to be another provision which lacks clarity as to the rights of the data principal.

Reporting of Personal Data Breach:
The Draft Bill, presented a bizarre provision wherein it provided that in case of breach of personal data, neither the data fiduciary nor the data protection authority shall have any obligation or any requirement to inform the data principal about the breach and this has not been changed by the 2019 Data Protection Bill.

Data more prone to leaks:
The data protection authority has the right to publish a breach on their website but retains the right to inform the data principal on its own accords, thereby exposing the data principal to a large number of leaks of his personal data and thereby its misuse

Mechanism for prevention of data breach:
The 2019 Data Protection Bill also fails to provide for a system capable of countering such breach of data in a well-equipped manner. The mechanism is merely a notification of such breach to the necessary websites and other platforms.

The GDPR, under Article 34 provides for a stricter regime where the authority, upon considering the likelihood of such breach shall notify to the data subject and it is surprising that the PDPB does not follow the GDPR regime despite being based on it.

Data Localisation and Cross-Border Transfer of Data:
For data transfer, the 2019 Bill states that only sensitive personal data and critical personal data may be transferred outside India for processing and a requirement to store the sensitive personal data in India has been inserted. The proposed 2019 Bill neither provides for a robust enforcement mechanism for such cross-border data transfer nor does it come up with the incorporation of higher standards of data storage in the country. On the other hand, the GDPR has presented itself with a much better holistic approach in this regard.

Ambiguous definition of adequate under Clause 34:
India's data protection regime has merely mentioned under Clause 34(1)(b) that the Central Government, after consultation with the authority, has allowed the transfer to a country or, such entity or class of entity in a country or, an international organisation on the basis of its finding that: (i) such sensitive personal data shall be subject to an adequate level of protection, having regard to the applicable laws and international agreements;, wherein the meaning of adequate level of protection demands clarification.

Inadequate protection against government:
The bill does not protect individuals against the Indian government as effectively. It stipulates that critical or sensitive personal data, related to information such as religion, or to matters of national security, must be accessible to the government if needed to protect national interest. Such open-ended access could lead to misuse, as also noted by B N Srikrishna, one of the persons who chaired the committee that drafted the original bill.

Data Protection Authority:
Chapter IX of the bill that outlines the establishment of a Data Protection Authority (DPA), is problematic too. It will be led by a chairperson and six committee members, appointed by the central government on the recommendation of a selection committee. But this committee will be composed of senior civil servants, including the Cabinet Secretary, raising questions about the board's independence. The government's power to appoint and remove members at its discretion also stokes fears about its ability to influence this ostensibly independent agency. Unlike similar institutions, such as the RBI or SEBI, the DPA will not have an independent expert or member of the judiciary on its governing committee.

Limited powers of DPA in comparison with the Central Government:
The powers and functions that were originally intended to be performed by the Authority have now been allocated to the Central Government. For example: (i) In the 2018 Bill, the Authority had the power to notify further categories of sensitive personal data. Under the present Bill, the Central Government in consultation with the sectoral regulators has been conferred the power to do so. (ii) Under the 2018 Bill, the Authority had the sole power to determine and notify significant data fiduciaries, however, under the present Bill, the Central Government has in consultation with the Authority been given the power to notify social media intermediaries as significant data fiduciaries.

Power to expropriate intellectual property by CG:
The PDP Bill provides for the government-mandated sharing of privately collected and developed non-personal data. Section 91(2) of the Bill states that the Government may direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government. This provision does not indicate the manner in which the Government will use such data and does not specify whether businesses mandated to share such data will be compensated.

Exemptions for small businesses:
The PDP Bill allow exemptions for small businesses that look after customers' personal information manually. Under the Bill proposed by the Expert Committee, such businesses needed to meet three conditions, based on annual turnover; whether they shared personal data; and how much personal data they processed. But under the PDP Bill, the new Data Protection Authority decides which small businesses qualify for exemption and the Bill does not prescribe any qualification to be eligible for the exemption.

Possible harassment of whistleblowers- As per Section 14 of the PDP Bill, the Government can process personal data without consent for some reasonable purposes which include whistleblowing. The section further empowers the Government to determine by way of regulation as to whether the requirement of notice to data principal is required or not. This could result in systematic harassment of whistleblowers who may expose scams or irregularities.