The Personal Data Protection Bill, 2019 was introduced in the Parliament on December 11, 2019, and is based on the draft law presented by the Ministry of Electronics and Information Technology, by a nine-member committee of experts led by Justice B.N. Srikrishna in July 2018. A significant Supreme Court judgment to the Bill is the K.S. Puttaswamy vs. Union of India, wherein a nine-judge bench upheld the importance of the right to privacy as guaranteed under Article 21 of the Indian Constitution. The Personal Data Protection Bill, 2019 aims to protect the privacy of individuals concerning their personal data and regulates the relationship between individuals and entities that process their personal data. At the same time, it aims to create a resilient digital economy by ensuring innovation through digital governance. Key provisions of the Bill are ‘Data localization and individual consent would be required for the processing of personal data. Data Protection Officer to be appointed by the Significant Data Fiduciary, and instituting grievance redressal mechanisms to address complaints by individuals.

Key provisions of the Bill

  • Applicability: The processing of data to be done within the territory of India by either the government, any individual in India or any foreign company having the data of people in India. 
  • Data Fiduciary: Data fiduciaries are bound to have a transparent way of processing data, make sure the data is secured with the necessary safeguards, the data processed should have a lawful purpose, notice is supposed to be given to the individual whose data is being processed and the consent of the individual should be taken for the processing of data. 
  • Consent: There are cases where the consent of the individual is not taken for the data processing. If the data is processed for any legal proceedings, by the government for the benefit of the individual, reasonable purposes. 
  • Data Principal: The data principal has the right to know the information about the data fiduciary, right to erasure of data, make corrections in the data, restrict the data or remove the data (except the sensitive data)
  • Data Protection Authority: The Data Authority makes sure that the data is not being misused and the processing and usage of the data is in compliance with the provisions of the Bill. 
  • Transfer of Data: Sensitive personal data can be transferred outside the territory of India with the consent of the individual. Whereas the critical personal data cannot be transferred outside the territory of India.
  • Exemptions: The Government has the right to remove any agency given in the provisions of the Bill, for the security and integrity of the country.
  • Penalties: Penalties up to five crores for violations.

Comparison to International Conventions

  • Comparing the provisions of the European Union’s General Data Protection Regulation (GDPR), Brazil’s General Data Protection Law and India’s Personal Data Protection Bill (PDPB).
  • The GDPR definition of Personal Data is specific to information used to identify an individual whereas the PDPB definition of personal data is broader including profiling and interpretation of the data with any other information is in accordance with it. 
  • The GDPR ensures the basis for processing, whereas the PDPB does not provide a necessary basis for the processing of data.
  • The requirements for consent under PDPB are more flexible when compared to the GDPR, where there are certain contractual necessities to be fulfilled.
  • In cases where the users withdraw their consent of their data, it is not specified in the new 2019 bill whether the consent would be asked as the Bill fails to address such issues. Whereas GDPR has provisions to re obtain user consent in the transition plan. 
  • There are over 10 lawful bases for processing the sensitive data under the GDPR, whereas the PDPB does not have such detailed provisions.
  • The PDPB allows the individual to ask the data fiduciaries to delete their data with them, but this does not include the personal data (name, email address, home address and phone number). Whereas, GDPR gives the right to the individual to ask to delete all data from the data fiduciaries.
  • The Bill does not give the individual a solid right on the ownership of their data, whereas Brazil’s General Data Protection gives assured ownership to the individuals on their personal data.


  • Even though the copy of the data is within the territory of India, the encryption keys can still be not in the reach of the national agencies.
  • In every provision that gives the government power over the data, the term ‘national security’ or ‘reasonable use’ is used which is not defined in the Bill and is very vague.
  • Even though the Bill aims for transparency, the Right to Information Act cannot be used to know the processing of the data by the government.
  • No clear provisions on the implementation of the Bill.
  • No solid ownership right is given to the data principal over their data.
  • No obligations on the data fiduciaries to notify the affected individuals in case of data breach. 


  • Data Localization can help in investigations in law enforcement agencies. 
  • Cyber-attacks can be kept on check. 
  • Fake news, or wrongful propagandas that is a threat to national security can be kept in check.
  • Increase Data Sovereignty in the country. 
  • Data localization can help in increasing tax on the internet bodies in the country. 


Although this bill has some loopholes or flaws that need further consideration, such as not properly attending to the concern regarding the right to privacy, ambiguity about the functioning of DPA, etc. If the government really wants this bill to be successful, then you 

  • need to relax your guidelines on cross-border data transfer, the operation of the DPA in the actual sense of the word to make it independent, 
  • to include retired judges of the Supreme Court or the Supreme Court and persons with experience in the field of data protection in the DPA.  
  • To give the individuals full ownership over their personal data, give proper clarification on the provisions and implementation of the Bill, 
  • to re obtain the consent from the user and to give RTI Act precedence in circumstances of breach or conflict. 
  • Government should give lawful and reasonable exemptions to its national security agencies such as the Central Bureau of Investigation (CBI), Research and Analysis Wing (RAW), Intelligence Bureau etc. so that they can use personal and non-personal data for detection of criminals and prevention of any cognizable offence.

The article has been written by Hiranmayi Rajeev,  a 2nd-year law student at Alliance University Bangalore.

The article has been edited by Shubham Yadav, a 4th-year law student at Banasthali Vidyapith, Jaipur.

Latest Posts


Leave a Reply

Your email address will not be published. Required fields are marked *