
Personal Data Protection Bill

Last Modified: January 16, 2020 | 6 min read

Pranita Parakh

The Personal Data Protection Bill, 2019 was proposed by the BJP Government to the Parliament in the winter session on 11 December 2019. The bill has been cleared by the Union Cabinet and has been put forward for analysis by a Joint Parliamentary Committee. The Bill will provide details on how personal data will be collected, stored, and utilized with the consent of individuals, and it also prescribes penalties for misuse of the data. The bill places a set of duties and accountability on the parties using the personal data of an individual, and sets penalties to be paid in case of unauthorized use or misuse of the same. The bill was drafted and modeled by an expert group under the chairmanship of former Supreme Court judge BN Srikrishna.

The Preamble of the bill mentions that the right to privacy is a fundamental right and therefore the bill aims to protect the same. It is necessary to create a culture that fosters a free and fair digital economy while respecting the informational privacy of the individual.

An exhaustive definition has been put forward by the Bill for “Data”. Accordingly, data means and includes a representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by humans or by automated means.[1]

The act talks about two types of data-

  1. Personal data

  2. Personal sensitive data

Personal data is defined as data about a natural person having regard to his characteristics, traits, attributes, or any other feature of his identity, or a combination of such features with information, through which he can be identified directly or indirectly.[2]

“Sensitive Personal Data means personal data revealing, related to, or constituting, as may be applicable (i) passwords; (ii) financial data; (iii) health data; (iv) official identifier; (v) sex life; (vi) sexual orientation; (vii) biometric data; (viii) genetic data; (ix) transgender status; (x) intersex status; (xi) caste or tribe; (xii) religious or political belief or affiliation; or (xiii) any other category of data specified by the Authority under section 22.”[3] This definition is from the draft prepared by the Committee, but the Bill introduced in the Parliament does not include passwords as Sensitive Personal Data.

There are 3 parties involved in the entire processing of data.

  1. Data Principal- is the natural person to whom the personal data relates.

  2. Data Processor- the party who processes personal data on behalf of Data Fiduciary.

  3. Data Fiduciary- the party who determines the purpose and means of the processing of the data collected from the Data Principal.


The draft Bill lays down that, for data to be processed, the Data Principal must have given consent to the processing of his data no later than the commencement of such processing. The bill lays down two tests of consent.

  1. Personal Data can be processed only when the consent is free, informed, specific, clear, and capable of being withdrawn.

  2. Personal Sensitive Data can be processed only when the consent of the principal is explicit. Such consent must meet a higher threshold for being informed, specific, and clear, over and above the one required for processing of Personal Data.

The bill says that the person processing personal data owes a duty to process the data in a fair and reasonable manner. However, no guidelines have been laid out by the government as to what would constitute fair and reasonable use, thus leaving scope for conflict and misuse. Personal data may be processed without consent if it is necessary for any function of the state, or is done in compliance with any law or order of court or tribunal, or for prompt action, or for purposes related to employment, or for other reasonable purposes.

The exceptions provided for personal sensitive data are, however, fewer in number and do not include processing for purposes related to employment or for other reasonable purposes.

The bill provides the following rights to Data Principal-

  1. Right to confirmation and access- he has the right to confirm whether the fiduciary is processing or has already processed the data and also to receive a brief summary of the data being processed and the activities undertaken by the fiduciary.

  2. Right to correction, completion, and updating of the data. The bill proposed in the Parliament also puts forward the right to erasure.

  3. Right to data portability- the principal shall have the right to allow the transfer of personal data from one data fiduciary to another.

  4. Right to be forgotten- the principal shall have the right to restrict or prevent the continuing disclosure of his personal data by a data fiduciary when the disclosure has served the purpose or when the consent has been withdrawn or was made contrary to the provision of the law being in force.

The bill provides for the appointment of the Data Protection Officer. The DPO is appointed by the entity processing the data (data fiduciary) to provide information and advice to the fiduciary on fulfilling its obligations or duties according to the act, monitor that the data processing does not violate the provisions of the act, to act as a point of contact between the principal and the entity for raising any grievances, and any other function which the fiduciary may think fit.

The bill also provides for the establishment of a Data Protection Authority (DPA) by the Central Government. The authority has the responsibility of promoting awareness among the principals. It also has the powers to monitor and enforce the application of the provisions of the act, specify reasonable purposes for which data may be processed, specify the residuary category of sensitive personal data, etc., as specified in the bill.

The penalty imposed for non-compliance can extend up to 15 crores or 4% of the worldwide turnover of the data fiduciary. “‘Total worldwide turnover’ means the gross amount of revenue recognized in the profit and loss account or any other equivalent statement, as applicable, from the sale, supply or distribution of goods or services or on account of services rendered, or both, and where such revenue is generated within India and outside India.”[4]

[1] Section 3(12) of the Personal Data Protection Bill, 2018.

[2] Section 3(29) of the Personal Data Protection Bill, 2018.

[3] Section 3(35) of the Personal Data Protection Bill, 2018.

[4] Section 57(3) (a) of the Personal Data Protection Bill, 2018.
