Data Protection bill

Reading time: 4 minutes

In recent years the question related to privacy has been in debate reason being the internet has penetrated widely in last two decades.

As per Puttaswamy, the landmark judgment delivered by the Supreme Court in the year 2017 recognized the right to privacy as one of the fundamental rights within article 21 and directed the government to frame policy concerning protection of privacy of the citizens.

Data Protection Bill is India’s first attempt to legislate on the issue of data protection and privacy. The bill has been drafted by the committee headed by retired justice B N Srikrishna

The committee has retained the Clause with a minor change. It allows the Government to keep any of its agencies outside the purview of the law. The Clause in the name of “public order”, ‘sovereignty’, “friendly relations with foreign states” and “security of the state” allows any agency under the Union Government exemption from all or any provisions of the law.

The clause is for “certain legitimate purposes” and also there is precedent in the form of the reasonable restrictions imposed upon the liberty of an individual, as guaranteed under Article 19 of the Constitution and the Puttaswamy judgment.

It is commonly referred to as the “Privacy Bill” and intends to protect individual rights by regulating the collection, movement, and processing of data that is personal, or which can identify the individual. The Bill is landmark legislation meant to regulate how various companies and organizations use individuals’ data inside India. The 2019 draft of the Bill proposed the formation of a Data Protection Authority (DPA), which would regulate the use of users’ personal data by social media companies and other organizations within the country…

Data Protection (Meaning):

Data protection is the process of safeguarding important information from corruption, compromise or loss. Data is the large collection of information that is stored in a computer or on a network. The importance of data protection increases as the amount of data created and stored continues to grow at unprecedented rates.

 Main Provisions and Key Terms:

Data- “Data” means and includes a representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by humans or by automated means.

The Bill trifurcates data as follows:

Personal data: Data from which an individual can be identified like name, address etc.

Sensitive personal data (SPD): Some types of personal data like as financial, health, sexual orientation, biometric, genetic, transgender status, caste, religious belief, and more.

Critical personal data: Anything that the government at any time can deem critical, such as military or national security data.

  • The Bill includes exemptions for processing data without an individual’s consent for “reasonable purposes”, including security of the state, detection of any unlawful activity or fraud, whistleblowing, medical emergencies, credit scoring, operation of search engines and processing of publicly available data.
  • The Bill calls for the creation of an independent regulator Data Protection Authority, which will oversee assessments and audits and definition making.
  • Each company will have a Data Protection Officer (DPO) who will liaison with the DPA for auditing, grievance redressal, recording maintenance and more.
  • The Bill proposes “Purpose limitation” and “Collection limitation” clause, which limit the collection of data to what is needed for “clear, specific, and lawful” purposes.
  • It also grants individuals the right to data portability and the ability to access and transfer one’s own data. It also grants individuals the right to data portability, and the ability to access and transfer one’s own data.
  • Finally, it legislates on the right to be forgotten. With historical roots in European Union law, General Data Protection Regulation (GDPR), this right allows an individual to remove consent for data collection and disclosure.
  • Data Principal: The individual whose data is being stored and processed is called the data principal in the PDP Bill.
  • Data Fiduciary: The ‘data fiduciary’ may be a service provider who collects, stores and uses data in the course of providing such goods and services.
  • Data Transfer: Data is transported across country borders in underwater cables.
  • Data localization: It is the act of storing data on any device physically present within the borders of a country.

Why Does India need Data Protection Law?

Amid the proliferation of computers and the internet, consumers have been generating a lot of data, which has companies show them personalized advertisements based on their browsing patterns and other online behavior. Companies began to store a lot of these databases without taking the consent of the users and did not take responsibility when data leaked. To hold such companies accountable, the government in 2019 tabled the data protection bill for the first time.

According to the Internet and Mobile Association of India (IAMAI)’s Digital in India report 2019, there are about 504 million active web users and India’s online market is second only to China. A large collection of information about individuals and their online habits has become an important source of profits. It is also a potential avenue for invasion of privacy because it can reveal extremely personal aspects. Companies, governments, and political parties find it valuable because they can use it to find the most convincing ways to advertise to you online.


Data localization can help law-enforcement agencies access data for investigations and enforcement. As of now, much of cross-border data transfer is governed by individual bilateral “mutual legal assistance treaties”.

Accessing data through this route is a cumbersome process.

Instances of cyber attacks and surveillance will be checked.

Recently, many WhatsApp accounts were hacked by an Israeli software called Pegasus.

Social media is being used to spread fake news, which has resulted in lynchings, national security threats, which can now be monitored, checked, and prevented in time.

Data localization will also increase the ability of the Indian government to tax Internet giants.

A strong data protection legislation will also help to enforce data sovereignty.


Many contend that the physical location of the data is not relevant in the cyber world. Even if the data is stored in the country, the encryption keys may still be out of reach of national agencies.

National security or reasonable purposes are open-ended terms, this may lead to intrusion of the state into the private lives of citizens.

Technology giants like Facebook and Google have criticised the protectionist policy on data protection (data localization).

They fear that the domino effect of protectionist policy will lead to other countries following suit.

Protectionist regime supress the values of a globalised, competitive internet marketplace, where costs and speeds determine information flows rather than nationalistic borders.

Also, it may backfire on India’s own young startups that are attempting global growth, or on larger firms that process foreign data in India.

Way Forward:

In this digital age, data is a valuable resource that should not be left unregulated. In this context, the time is ripe for India to have a robust data protection regime.

It is time that requisite changes are made in the Personal Data Protection Bill, 2019. It needs to be reformulated to ensure that it focuses on user rights with an emphasis on user privacy. A privacy commission would have to be established to enforce these rights.

The government would also have to respect the privacy of the citizens while strengthening the right to information. Additionally, the technological leaps made in the last two to three years also need to be addressed knowing that they have the capacity of turning the law redundant.


According to the Supreme Court in the Puttaswamy judgment (2017), the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy, whereas the growth of the digital economy is also essential to open new vistas of socio-economic growth.

In this context, the government policy on data protection must not deter framing any policy for the growth of the digital economy, to the extent that it doesn’t impinge on personal data privacy.


Author: Pradeep singh kanwal, DSNLU

Editor: Kanishka VaishSenior Editor, LexLife India