Includes a representation of information, facts, concepts, opinions or
instructions in a manner suitable for communication, interpretation or
processing by humans or by automated means;
Means data about or relating to a natural person who is
directly or indirectly identifiable, having regard to any characteristic, trait,
attribute or any other feature of the identity of such natural person, whether
online or offline, or any combination of such features with any other
information, and shall include any inference drawn from such data for the
purpose of profiling
Origin And The Need For A Data Protection Law In India
The right to privacy has been established by the Supreme Court as a fundamental
right under Article 21 in its landmark judgement in the K.S. Puttaswamy case.
This normative foundation of the proposed personal data protection framework is
true to the ratio of the judgment of the Supreme Court of India in
Puttaswamy. In this judgement the Supreme Court explicitly mentioned
a data protection framework which should be undertaken by the state and which
encompasses the values of privacy coupled with other values.
Instances of data leaks in India are rising day by day, and all this
information is being sold online.
Some famous leaks are:
- The Facebook Cambridge Analytica Scam
- Personal information leaked on McDonald's delivery app.
In the backdrop of these circumstances, an expert panel headed by former Supreme
Court judge Justice B.N. Srikrishna was set up as it was necessary to form a
legal framework as suggested by the court to protect such data privacy of the
users in India.
The existing framework for data privacy in India is the IT Act 2000. Even though
it contains a few provisions for data protection, namely ss. 43A, 69, 72, and 72A,
it is not completely robust for the present technological era and might not be
enough to tackle such issues now and in future. Although novel attempts at
data protection were introduced at times, the pace of development of the digital
economy has made it inevitable that some shortcomings have become apparent over
The Personal Data Protection Bill, 2019 comes on the heels of similar
legislation being introduced in other countries that seek to enshrine the right
to privacy of citizens in a digital age where companies seek to track every
parcel of information of citizens for their own gain.
What Does This Bill Cover
The Personal Data Protection Bill, 2019 restricts the transfer of Sensitive
Personal Data outside India, but gives an exemption where it can be stored
outside India subject to the approval of the Data Principal. The conditions under which
the data could be transferred outside India are also given under the Bill.
This Bill aims to address the concern of data being transferred outside India by
localizing the data. This move stirred a debate, and many corporates demanded
that the government adopt a fine balance between commerce and privacy. The
current bill addresses this concern of data localization and relaxes the norms
for cross border data transfer. The data protection
authority established under the act has the duty to monitor this cross border
Though the transfer of critical data is still primarily banned, exemptions in
this clause for health and emergency services have been introduced. In addition,
the central government may authorize, as in Section 34(2)(b) of
the bill, persons to whom the data may be transferred, if this data transfer is not
prejudicial to the interests of the state and is not a threat to national security.
The processing of personal data can be done only with the consent of the data
principal, but here also there exist a few exemptions in the bill that allow
personal data to be processed without consent. The government can process
data with no consent from the data principal in 6 ways; these include
providing medical assistance, services in the time of disturbed public order,
issuing any license, etc.
Demerits Of The Bill
The state, under the mask of surveillance, cannot prevent citizens from acting or
thinking freely. This position was settled in Puttaswamy and PUCL v. UOI.
One part of the data protection Bill makes the state liable
if any agency processes data without the consent of data fiduciary, but on
the other hand, the act entrusts the central govt with the power to exempt its
agencies from application of the act. This shows the shifting of the
principle from "the king can do no wrong" to "the king can be exempted (from
liability) to do wrong".
It is very pertinent to look into the Data Protection Bill in the wake of the recent
Pegasus allegations. The central govt desisted from submitting to the SC any
details which would answer the question of whether Pegasus spyware was acquired by the
Union of India, just by citing national security. Under Section 5(2) of the
Telegraph Act, the central government is empowered to intercept messages,
with the condition precedent of a public emergency, and Section 69 of the
Information Technology Act provides broad powers for the central government to
intercept data.
Now the question which can be raised here is not whether Pegasus surveillance
was in accordance with the principles of the IT Act but whether the central govt can
empower a foreign entity like the Israeli NSO to conduct surveillance on Indian
citizens. Under Section 69 of the IT Act, the Indian government can issue directions to
intermediaries to intercept, monitor or decrypt information, and Section
2(w) of the IT Act defines an intermediary as a person who stores or receives
data, like telecom providers, online payment sites etc., but not foreign agencies
like the Israeli NSO. So clearly the Israeli NSO does not fall within the ambit of
Section 69 of the IT Act, 2000. So the central govt is not empowered under the
existing laws to direct foreign private entities who are not intermediaries to
gain illegal access and to conduct surveillance.
But the central government, under Section 37 of the Data Protection Bill, 2019,
can exempt the application of this act for any foreign company to conduct
surveillance or to process data. So foreign companies like NSO can
collect, store and use data even without the consent of individuals as the
foreign companies can be exempted from application of this act by the central
Also, Section 35 gives the central govt unbridled powers to exempt certain
agencies from application of the entire act. The grounds for
exemption under Chapter VIII are security of the state and public order, which
are very broad in nature. The B.N. Srikrishna committee had included only the
security of the state as an exemption, considering public order a very broad ground,
but the central government in the draft 2019 bill included public order as one
of the grounds for exempting state agencies and empowering foreign companies from
application of this act.
The SC itself, in the Ramlila Maidan Incident Dt v. Home Secretary case, noted that
the distinction between public order and law & order is nevertheless clear.
Providing exemption only on the ground of security of the state meant that it could
only be used when the country was under threat, but providing an ambiguous
ground like public order may lead to misuse by the government in many
Section 110 of the UK Data Protection Act, 2018 provides exemptions from the
application of the Act only on the grounds of national security, and they
haven't extended the grounds to public order. Even for national security, a
certificate needs to be issued by a minister of the crown under Section 111,
and they can also appeal to the tribunal against that certificate, where the
tribunal could monitor whether the granting of that certificate is
proportional to the need for that certificate, as laid down in the Puttaswamy
judgment, but in India there is no such mechanism or regulation for exempting
the government agencies.
As there exists unfettered power for the government to exempt government
agencies from any provision of the act under Section 35, there must be
a certain procedure, or detailed reasons for how and why the government wants to exempt
such a government agency. Section 12 of the bill is on the same footing, and
needs to harmonize the privacy of individuals with the powers of government
to process data with no consent.
- Personal Data Protection Bill, 2019, § 3(11).
- Personal Data Protection Bill, 2019, § 3(28).
- K.S Puttaswamy v. Union of India, (2017) 10 SCC 1.
- B.N Srikrishna Committee Report, "A Free and Fair Digital Economy
Protecting Privacy, Empowering Indians" p. 10.
- K.S Puttaswamy v. Union of India, (2017) 10 SCC 1, Para 179.
"Formulation of a regime for data protection is a complex exercise which
needs to be undertaken by the State after a careful balancing of the
requirements of privacy coupled with other values which the protection of
data sub-serves together with the legitimate concerns of the State"
- Cambridge Analytica and Facebook: The scandal and the Fallout so far.
- In India, in early 2017 it was reported that personal information (2.2
million users) from McDonald's delivery app was leaked due to inadequate
security features. See McDonald's India delivery app 'leaks users data', BBC
News (20 March 2017) available at https://www.bbc.com/news/technology-39265282
(last accessed on 29 Nov, 2021).
- B.N Srikrishna Committee Report, "A Free and Fair Digital Economy
Protecting Privacy, Empowering Indians" p. 7. "For instance, the definition
of sensitive personal data is unduly narrow, leaving out several categories
of personal data from its protective remit; its obligations do not apply to
the government and may, on a strict reading of Section 43A of the IT Act, be
overridden by contract. The IT Act and SPD Rules have also suffered from
problems of implementation due to delays in appointments to the adjudicatory
mechanisms created under the IT Act"
- Personal Data Protection Bill, 2019, § 33.
- Personal Data Protection Bill, 2019, § 34.
- Reserve Bank Information Technology Pvt Ltd, Analysis of Personal Data
Protection Bill (2019), 2, https://pub.rebit.org.in/inline-files/ReBIT_PDPBill2019_Analysis.pdf
- Personal Data Protection Bill, 2019, § 19(2)(g).
- Personal Data Protection Bill, 2019, § 12.
- Personal Data Protection Bill, 2019, § 85.
- Personal Data Protection Bill, 2019, § 35.
- Manohar Lal Sharma v. Union of India, MANU/0989/SC/2021.
- The Telegraph Act, 1885, § 5(2).
- The Information Technology Act, 2000, § 69.
- The Information Technology Act, 2000, § 69(3).
- Personal Data Protection Bill, 2019, § 37.
- Personal Data Protection Bill, 2019, § 2(31).
- Ramlila Maidan Incident v. Home Secretary, Union of India (2012) 5 SCC 1.
- The Data Protection Act (UK), 2018, § 110.
- The Data Protection Act (UK), 2018, § 11.
- Dissent by Jairam Ramesh before the Joint Parliamentary Committee.