Data Protection Bill: Protector of right to privacy?


The world has seen the gradual development of technology and, with it, the need for new things as we move forward in time. The initial system of barter trade, where goods were traded for other goods, gradually changed to the trade of goods and services for monetary value. With this came the need for identity, for debit and credit cards, for mobile phones and a unique phone number, a postal address, and so on. These are all a person’s private information, or in other words, personal data. Personal data is data with which a particular individual can be identified. The meaning of data in its basic sense is “Raw data or information”[1]. But when it comes to the legal aspect, there has to be a particular definition of data which can be relied upon. That definition is given by the Information Technologies Act, 2000. It defines ‘data’ as, “A representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.”[2]. Following some recent happenings in the world, where news emerged that the personal data of many people had been stolen either by hacking or through voluntary exchange of data, there was consideration of formulating new laws that could help protect the data.

Data protection is defined as “Any method of securing information, especially information stored on a computer, from being either physically lost or seen by unauthorised person”[3]. The development and evolution of a law aimed primarily at protecting data can be said to have been ineffective to a certain extent. Data protection has been declared a tort; since then, a challenge that has emerged is that the said tort is contrary to the data protection law. The hurdle faced by the courts is the assessment and recognition of damage when the question involves data. In the year 2017, the country received a landmark judgment which declared privacy a fundamental right of each and every Indian citizen. The privacy of a person can be violated in two ways: the first is interfering in private matters, and the other is stealing the person’s data. The data here can be anything. It can be his name, his blood group, his contact number, his important documents, his debit and credit card details, bank details and much more. These are also his personal property and hence must be protected from external hackers who try to steal this personal information for their benefit. This research paper describes the steps taken by the central government in initiating actions to protect the personal data of each and every individual.

The research aims at providing readers a complete understanding of the data protection laws, the history of how they evolved, their present status with the backing of information given by the central government, and also the data protection bill that was enacted in the year 2019.


The word data has been in use since time immemorial, although data in the present-day world is different from the data of earlier times. With the evolution of technology, the data collection mechanism also changed and upgraded itself along with the technology. Data that was once stored on paper is now stored in computers and other upgraded elite storage media. In olden days, the books of records were kept safe under lock and none would dare to steal them. But in the modern-day world, people often try to steal personal data because it is not difficult: with just one click, any selected data can be yours without disturbing the other files or data available. Hackers, who are professionals in coding and decoding, are the ones who steal personal data out of greed for money.

Now, in the 21st century, data can be regarded as a personal asset and the most valuable one, because it can help a man earn a crore as well as lose a crore. When data has such capacity, its flow has to be regulated and placed under check. People are the ones who generate this useful data, and certainly the responsibility of securing our data, and the right to know whether our data is secure or not, lies with us. People must also have knowledge of the ways in which their data is being processed. This is where the requirement for data protection laws can be highlighted. These laws were needed for the benefit of people and to create a transparent window into the use and processing of their personal data. India is not the only country to enact these laws. There have been many enactments across the globe, starting from Sweden to the recent one in India. Developed countries like Australia, Brazil, Argentina, Canada, etc. have enacted data protection laws. The first country to formulate and enact data protection laws is Sweden. The country passed the law of data protection almost 48 years ago, i.e., in 1973, and the laws came into force from the year 1994. The laws established a ‘Data Protection Authority’ and declared the handling of personal data by any company or person illegal. The usage of any kind of information system, or anything that can help to process personal data, without a license was declared an offense. In the latter half of the 20th century, citizens of Europe started to worry about the increasing use and storage of personal data, and the law was adopted by other parts of Europe as well. Later, in the year 1995, the European Union framed a set of data protection laws and the countries of the EU decided to implement them. It was known as the ‘Data Protection Directive of 1995’ but was implemented in 1998. So, the model of data protection laws is derived from the European nations.

Law in Indian Context:

India is regarded as the world’s second most populous country, with a population of 131 crore. In such a country, data is just like an ocean, with an enormous amount of data being collected. This is one of the main branches generating high income for the data collection and processing companies, which exchange the data outside the territory for monetary value. This flow of data is termed “Cross border flow of data”. Now, to regulate and protect the flow of personal data, “The Personal Data Protection Bill”[4], with 98 clauses and a schedule, was passed in the year 2019 by the then Minister of Electronics and Information Technology, Ravi Shankar Prasad. The primary aim of drafting and implementing the bill was “protection of privacy of individuals relating to their personal data, specify the flow and usage of personal data”[5]. So, from the preamble of the bill, it can be understood that the bill was created for the protection of people’s personal data and also to establish the relationship between the people and the data collecting and processing companies, termed data fiduciaries. The whole point of drafting this bill was ‘privacy’.

On 24th August 2017, a landmark judgment was delivered in the case of K. Puttaswamy v. Union of India[6]. The constitutional bench of the Supreme Court held that privacy is the fundamental right of each and every citizen under Article 21 of the Indian Constitution. The same was stressed upon in 2018, when a five-judge bench of the Supreme Court took note of the negligent act of the government towards the protection of data relating to an individual. But the government had, in the year 2017 itself, constituted a committee headed by former Justice Srikrishna to examine the issues related to data protection. The report of recommendations was submitted by the committee in the year 2018, and the laws were never made until the Supreme Court made its suggestion to the government. After considering the recommendations made by the Justice Srikrishna committee, this bill was drafted in the year 2019. It seeks to bring a very strong and robust data protection legal framework that creates authorities, imposes limitations, establishes redressal agencies and, at all costs, protects the privacy of Indian citizens.

Recommendation by Supreme court:

The bill lays down the obligations of the data fiduciaries. Data fiduciaries can be private data collecting and processing companies, state governments and the central government, and social media handlers like Twitter, Facebook, WhatsApp, etc. The state and central governments are among the largest fiduciaries, across a wide array of state activities such as national security, welfare administration, etc. But there are many cases filed against the governments themselves for breach of a fundamental right. Only in recent times have people shown the courage to move against private companies to claim compensation. Traditionally, cases of violation of any fundamental right were taken up by the constitutional courts. But the major focus of this law is to establish a Data Protection Authority (DPA) that functions independently from the government. There should be no influence by the government on the body which ensures this law is implemented clearly and without any discrepancies. The bill provides the rights of the data principal under Chapter 5, in clauses 17-21. These cannot be violated by the government either, and to ensure this does not happen, a completely independent and unbiased authority is needed.

The Data Protection Authority has been empowered under clauses 41-56, and these clauses specify its duties, responsibilities, jurisdiction, codes of practice and other important rules. As per these, there will be a chairman and other authorities appointed. For this authority to function independently and free from bias, the government must not be involved in appointing the officers or the authorities. It has to be done by the judiciary or a judicial body comprised of sitting judges or former judges. With this, the influence of the government can be prevented, and the DPA can also take steps if the government has violated the rules it has framed. This bill also lays down the provision of setting up a separate tribunal for hearing cases related to the violation of any clause under this act. The objectives of this draft must be implemented to ensure the protection of the individual’s data and also to provide speedy justice and redressal if the right to privacy is violated. Although the draft bill is prepared with good intention, further action by the government decides the fate of this act.

Author: Karthik Surya MR, Christ University, Bangalore

[1] Lesley Brown’s The New Shorter Oxford Dictionary (on Historical Principles), pg. 595, Clarendon Press, 1993.

[2] Section 2(1)(o) Information Technologies Act, 2000

[3] Bryan A. Garner’s Black’s Law Dictionary, 10th edition, Thomson Reuters, 2010

[4] Bill number 373 of 2019

[5] Preamble of the ‘Personal Data Protection Bill of 2019’

[6] (2017) 10 SCC 1
