Data Security Bill

The Personal Data Protection Bill of 2019 aims to establish a regulatory framework for processing of personal data in India. It defines personal data and sensitive personal data. The bill requires consent for collection of personal data and provides rights to access, correct and delete personal data. It mandates storage of sensitive personal data solely in India. Significant data fiduciaries will have additional compliance duties. The bill establishes a Data Protection Authority for enforcement and redressal of grievances. It provides penalties for non-compliance. The bill was updated in 2019 to provide more exemptions to the government and flexibility in storing data outside India.

Uploaded by Diya Sareen

PERSONAL DATA PROTECTION BILL, 2019: AN OVERVIEW
BY DIYA SAREEN

Data privacy issues in India have become more prominent over the past few years.
According to the Computer Emergency Response Team-India (CERT-In), over 3.94 lakh
cyber-security issues were reported in 2019. Most alarming is the fact that the security breaches
involved 48 websites of central and state governments.

Big startups like OYO, Vedantu and Nykaa also fell victim to cyber hacking, exposing their
users' data. Such data privacy issues continue to occur due to the absence of a proper legislative
framework.

The urgent need to introduce a proper data protection law arose when Justice K.S. Puttaswamy
(Retired) filed a petition in the Supreme Court challenging the constitutionality of Aadhaar on
the grounds that it violates the right to privacy. The Supreme Court held in this case that
privacy is a fundamental right, flowing from the right to life and personal liberty under Article
21 of the Constitution. It further added that privacy of personal data and facts is an essential
aspect of the right to privacy.1

It was after this judgment that, on 11 December 2019, the Government of India introduced an
updated draft of the Personal Data Protection Bill in the Lok Sabha, which was later referred to
the Joint Select Committee and is yet to be tabled for discussion in Parliament.

Before going into the details of the bill, let us look briefly at personal data and data
protection.

1. Available at: https://www.ThePersonalDataProtectionBill2019:AllYouNeedtoKnow (last visited on 6/07/2020)

Personal Data and Data Protection:

Personal data refers to characteristics, traits or attributes of identity which can be used to
identify an individual, whereas data protection refers to policies and procedures seeking to
minimize intrusion into the privacy of an individual caused by the collection and usage of their
personal data.2

Personal Data Protection Bill:

The Personal Data Protection Bill is a set of rules that defines how personal data should be
processed and stored, and lists people's rights with respect to their personal information. The
bill clearly states that:

i) Businesses would have to tell users about their data collection practices and seek
their consent.

ii) They would have to collect and store evidence of the fact that the notice was given to the
users and the consent was duly received, because the bill gives users the right to
withdraw their consent to giving their personal information.

iii) The bill also allows consumers to transfer their data, including any inferences made by
businesses based on such data, to other businesses.

iv) The bill gives consumers the right to access, correct, and erase their data.

v) The bill requires all businesses to make organizational changes to protect data better,
which includes privacy-by-design principles (an approach in which privacy is a key
consideration in how the business is organized), security safeguards, and so on.

vi) The bill also stipulates that all Sensitive Personal Data should be stored in India and that
critical personal data should not be transferred out of India.

vii) A group of Significant Data Fiduciaries, i.e. the people who are in charge of checking that
the data is stored fairly and responsibly, will have extra duties, such as carrying out data
audits and appointing data protection officers.

viii) Lastly, the bill also contains rules relating to Non-Personal Data, where the government
can ask any business to share valuable Non-Personal Data, such as aggregate mobility
data collected by apps such as Ola and Uber, with the government.3

2. Available at: https://www.IndiaProposesPersonalDataProtectionBill (last visited on 6/07/2020)

To ensure compliance with the provisions of the Bill, and to provide for further regulations with
respect to processing of personal data of the individuals, the Bill provides for a Data Protection
Authority, which will be comprised of members with expertise in fields related to data protection
and information technology.

Any person who is not satisfied with their grievance redressal by the data fiduciary can file a
complaint to the Authority. Orders of the Authority can be appealed to an Appellate Tribunal,
and appeals from the Tribunal will go to the Supreme Court.4

Exceptions to the Personal Data Protection Bill:

The bill provides for certain exceptions such as:

i) The central government can exempt any of its agencies from providing personal information
in the interest of security of state, public order, sovereignty and integrity of India, and
friendly relations with foreign states.

ii) Certain provisions of the bill will not be applicable to the government if the personal data
is required in cases such as the prevention, investigation or prosecution of any
offence, research, or for journalistic purposes.

iii) The personal data of individuals can be processed without their consent in certain
circumstances such as:

• If required by the State for providing benefits to the individual.
• In cases of legal proceedings.
• In case of a medical emergency.5

3. Available at: https://www.duexpress.in/the-pros-and-cons-of-the-data-protection-bill-2019 (last visited on 6/07/2020)
4. Available at: https://www.drishtiias.com/daily-updates/daily-news-editorials/personal-data-protection-bill-2019 (last visited on 6/06/2020)

Penalties related to the bill:

The bill gives the DPA the power to fine any business that does not comply with the bill or the
regulations made by either the DPA or the government. The maximum amount of penalties that can
be imposed is 150 million Indian rupees i.e. about $2.1 million, or 4 percent of the global turnover
of the firm in the preceding financial year.

Key changes in the updated bill:

The key changes in the updated bill include:

1. Exemption to the Government: The new bill gives the Indian government much more
freedom for exemption. It allows the government to exempt its agencies from the law on
much more broadly defined grounds, whereas the old bill allowed exemptions for
personal data only in the interest of national security, and only if it was authorized by
Parliament and was deemed necessary and proportionate.
2. Exemption for manual processing by small entities: Both versions of the bill allow
exemptions for small businesses that look after customers' personal information manually.
Under the old bill, such businesses needed to meet three conditions, which were based on
annual turnover, whether they shared personal data, and how much personal data they
processed. Under the new bill, the new Data Protection Authority decides which small
businesses qualify for exemption.
3. Offences and Penalties: The old bill listed several actions as criminal offenses. These
included causing harm by obtaining, transferring, or selling personal data, and re-identifying
and processing anonymous personal data without consent. Under the new bill, only
re-identification and processing of de-identified personal data without consent is punishable
with imprisonment.
4. Non-Personal Data: The old bill did not have any provisions related to non-personal data,
whereas the new bill allows the government to obtain and use non-personal data in order to
better deliver services or to develop evidence-based policies.
5. Storing of Personal information: The old bill only required a copy of all the personal data
to be stored in India, whereas the new bill mandates storing all sensitive personal data in
India. The data may be transferred abroad if needed for health or other emergency services,
or if the government decides to permit it.6

5. Available at: https://economictimes.indiatimes.com/news/economy/policy/personal-data-protection-bill-indias-digital-safety-kit/articleshow/72429680.cms?from=mdr (last visited on 6/07/2020)

Current Scenario:

In India: Currently the usage and transfer of personal data is regulated under the Information
Technology (IT) Rules, 2011, under the IT Act of 2000.

Worldwide:

In the United States: The US does not have any centralized, formal laws in place at the federal
level to protect the electronic transmission and storage of individuals' data to the extent of the
GDPR, but some federal legislation does exist to protect data more generally.

The devolution of power to state level means that a number of US states have passed their own
data-related laws. Some states are more active than others. California, for example, has a long
history of adopting privacy-forward legislation. The California Consumer Privacy Act (CCPA), which
will become effective on January 1 2020, will enhance privacy rights and consumer protection by
giving residents in California the right to know exactly what personal data is being collected and
how it is being used, and to say no to the sale of their personal data, in order to suitably protect
themselves. The Act will also require businesses to make changes in support of these new rights.

6. Available at: https://www.WhatisinIndia’sDataSweepingBill (last visited on 7/07/2020)

In Brazil: The General Data Protection Law, which will be enforceable in 2020, aims to
supplement and replace the 40+ data privacy-related laws the country already has in place. Not only
will it supersede the existing laws, it will also clarify any conflicts that have arisen between them.
Similar to the GDPR, the regulation is extensive and will be applicable to all sectors of the
economy.

It clearly defines the concept of personal data, sensitive personal data and public data and the liability
surrounding any breaches. The legislation applies to any company that serves the Brazilian market,
whether it has offices in the country or not. Organizations that fall under the scope of the law will be
required to upgrade security measures, including the adoption of a Data Protection Officer,
implementation of a security program and development of an incident response and remediation plan
should a breach occur.

In Bahrain: The Data Protection Law came into force in August 2019, superseding any existing data
protection laws in Bahrain and making it the first country in the Middle East to introduce such a law.
The regulation provides individuals with rights in relation to how their data is collected, processed
and stored.

Conclusion:

The new bill is a double-edged sword and has its own pros and cons. It will not only
affect India but will also have a global effect. As projected by NITI Aayog, India is headed towards
730 million internet users by 2020. Globally, India ranks among the top 10 spam-sending countries
and among the top 5 countries affected by cyber crime. Hence, the bill works to check the
instances of cyber attacks and the spread of fake news.

The bill also entitles individuals to a large number of rights, which make them well
aware of the nature and the purpose of the data collected. Even though the bill empowers the
individual with certain rights, it has many loopholes. The government is entitled to access
personal data on wide grounds including national security, sovereignty, integrity, etc., which
may lead the state to intrude in the lives of citizens, defeating the purpose of the bill. The
procedure of appointments of the members is also widely contested.7

Data localization suppresses the 'global' context of the marketplace, so new startups which aim
at global growth will face losses. Under this bill, tech giants like Facebook and Google are
asked to allow users to voluntarily verify their accounts in a manner that is to be prescribed in
the future.

Although the main purpose of the bill is to protect the privacy of individuals, its
provisions prove contrary to this. There is a need to restructure the wider objectives of the
bill along with the minute details.

7. Available at: https://duexpress.in/the-pros-and-cons-of-the-data-protection-bill-2019 (last visited on 7/07/2020)
