Legal Status of Privacy Rights in India – A Comprehensive Analysis of Personal Data Protection Bill, 2019

By Bhavna Sarma, Research Scholar at RML National Law University, Lucknow, India and CyberBRICS Associated Scholar


Internationally, the right to privacy is well recognised as a fundamental right. Article 12 of the Universal Declaration of Human Rights recognizes the right to privacy and it states that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.” Also, Article 17 of the International Covenant on Civil and Political Right and Article 16 of the Convention of the Rights of the Child acknowledge privacy rights.

Talking particularly about India, in 2017, the Supreme Court of India in the landmark judgment of K.S. Puttaswamy v. Union of India (2017 10 S.C.C) declared Right to Privacy is a natural, absolute, inheritable, and fundamental right as enshrined under Article 21 of the Constitution of India. This historical judgment is the result of the increasing rate of cybercrimes especially privacy infringements in India not only by individuals but also by social media platforms, various organizations, etc., and even alleged to be done by the Government. This calls for stringent privacy laws to legally enforce the right to privacy in India.


Presently the law that deals with Cybercrimes in India is the Information Technology Act, 2000 but it is not efficient enough to concur the matters related to personal data regulation. Hence, the authorities realized the need for a law to regulate the unbounded usage and circulation of personal data of Indians and came up with the Personal Data Protection bill, 2019.

The Indian Personal Data Protection Bill, 2019 (PDPB) was introduced in the lower house of the parliament in December 2019. It’s been more than one year and a half, but still the PDPB, 2019 is struggling in the parliamentary procedures and yet to come into existence. The delay may be justified as India needs strong personal data protection laws to handle and secure the data the country’s huge population.

The impulse behind bringing a data protection law was mainly to protect the personal data of the individuals who are exorbitantly exploited for one reason or another. It aims to provide a framework for organizational and technical measures to be taken while processing the data. The focus is also laid upon regulating the conduct of internet intermediaries, cross-border transfers, accountability of entities (Government, Companies or individual), remedies for unauthorized and harmful processing, and establishing a Data Protection Authority of India.

Let’s take a glance at the key features of the proposed bill:

1. Scope of the bill: The bill governs the processing of personal data by the government, companies, both Indian and foreign which deals with the personal data of Indians. The subject matter of the bill is restricted to personal data. The bill has defined personal data under section 2(28) as “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling;” The definition of personal data has a wide ambit which has strengthened the privacy rights of the individuals for every data which directly or indirectly touches the personal traits of an individual. It has further sub-categorized data into sensitive data. Sensitive data is any data that reveals or relates to finance, health, official identification, sex life, biometric, genetic, transgender status, intersex status, caste or tribe, religious or political belief or affiliation, and any other data of the same kind. This sub-categorization was much needed as some sort of personal data requires special attention and protection.

2. Chapter II of the bill deals with Obligations of the data fiduciary: A ‘data fiduciary’ is anyone who determines the purpose and means of processing the personal data (Section 2(13)). It is obligatory upon the data fiduciary to process the personal data only for a clear and lawful purpose and always fairly and reasonably, ensuring the privacy of the data principal. It should also be careful that the purpose for which the data is collected should be used for that specific purpose only and it should retain the personal data only for the time duration necessary for that purpose and once the purpose is justified, the data shall be deleted. Though it may be retained for a longer period if explicitly consented to by the data principal. No data shall be processed by the data fiduciary without the consent of the data principal except in necessary circumstances such as for the performance of any function of the State authority; for compliance with any order or judgment of any court of tribunal in India; to respond to any medical emergency

involving a threat to the life or severe threat to health of data principal or any individual, to undertake any measure to provide assistance or services to any individual during any disaster or any breakdown of public order.

3. Chapter IV of the bill exclusively deals with processing and collection of personal and sensitive data of children. The personal data of children shall be processed in the best interest of the children. Every data fiduciary must conduct age verification and parental consent before processing the personal data of children. Though special attention is given to the processing of personal data of the children, still this provision can act as blanket restriction on the children as the bill placed a child of 13 years and a child of 17 years on similar lines. The maturity level of a 17-year-old much higher than a 13-year-old and taking consent for each and every activity of a 17 year grown up might not be justified. Categorization of age group was much needed. The bill ignored the fact that many social media platforms and applications restrict the age limit to 13 years. This factor might create conflict between the social media platforms and personal data bill provisions.

4. Under Chapter V of the bill, specific rights of the data principals are laid down such as the right to confirmation that data fiduciary has processed its personal data and also to have access to the other data fiduciaries with whom the data has been shared, right to correction of personal data in case the data was inaccurate, misleading, incomplete, out-of-date, and get the data erased which is no longer in use, right to restrict or prevent the continuing disclosure of his personal data and Right to be forgotten.

5. Under Chapter VI of the bill, emphasis is placed upon the transparency and accountability of the data fiduciary. It is mandatory that data fiduciary shall publish a privacy design policy that contains every minute detail about the data processing mechanism and maintain proper transparency in the data processing (Section 22). All necessary steps should be taken by the data fiduciary in maintaining transparency in processing the personal data of the individual (Section 23). It is also the duty of the data fiduciary to inform the authority about the breach of any personal data processed by the data fiduciary where breach is likely to cause harm to any data principal (Section 25). The bill has classified data fiduciaries as significant data fiduciaries based upon the following factors – volume of personal data processed; sensitivity of personal data processed; turnover of the data fiduciary; risk of harm by processing by the data fiduciary; and use of new technologies for processing (Section 26). A significant data fiduciary shall appoint a data protection officer to perform functions such as – providing information and advice to the data fiduciary on matters relating to fulfilling its obligation required by the act; monitoring personal data processing activities of the data fiduciary to ensure such processing doesn’t violate the provisions of this act; etc. (Section 30).

6. Chapter VII of the bill talks about certain restrictions on the transfer of personal data outside India. Critical personal data shall not be processed outside India and in case of processing the sensitive data outside India, prior consent should be taken from the data principal (Section 33). However, in certain instances critical data can be processed outside India, namely for health services, emergency services, and with government approval. The definition of critical personal data is not provided in the bill and it is left for the central government to decide.

7. Under Chapter VIII of the bill, a very wide power is given to the central government where it can exempt any of its agencies from the applicability of this act and allow the usage of the personal data of the individuals to safeguard the security of the state, public order, sovereignty, and integrity of India and friendly relations with a foreign state, or preventing incitement to the commission of any cognizable offence related to matters laid just above (Section 35). This can act as a blanket provision over all the decisions taken by the central government in the name of matter being ‘necessary’ or ‘expedient’ and there are chances of it being misused against the interest of the citizens.

8. Chapter IX of the bill talks about establishment of a strong data protection authority with significant powers and functions upon the members of the authority for the smooth functioning of the authority. The Authority shall be a body corporate having a perpetual succession and a common seal. It shall have all the power to acquire, hold and dispose of property. It can sue and can be sued (Section 41). The authority shall consist of a chairman and other members. The chairperson enjoys power of general superintendence and direction of the affairs of the authority, whereas it shall be the duty of the authority to protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of this Act, and promote awareness about data protection. Other functions of the authority are – monitoring and enforcing application of the act; taking prompt and appropriate action in response to personal data breaches; maintaining a database of significant data fiduciaries; examination of data audit reports; issuance of certificate of registration to data auditors and taking decision regarding renewal, withdrawal, suspension or cancelation of such certification, promoting awareness and understanding of the risks, rules, safeguards and rights in respect of protection of personal data amongst data fiduciaries and data principals; monitoring technological developments and commercial practices that may affect protection of personal data; promoting measures and undertaking research for innovation in the field of protection of personal data, advising centre and state government or any other authority on measures required to be taken to promote protection of personal data and ensuring consistency of application and enforcement of this Act (Section 49). The authority has power to conduct inquiries, on its own or on a complaint, on the activities of the data fiduciary or data processor for assuring that they are not detrimental to the interest of data principal or contravened any the provisions or rules or regulations of the act (Section 53). Also, the establishment of an Appellate tribunal is proposed in the bill which will hear and dispose the appeals from the decision of the adjudication authority (Chapter XI). The appellate tribunal shall have the same power as are vested in a civil court under the Code of Civil Procedure, 1908 and shall be guided by the principle of nature justice (Section 73).

9. A very innovative step is taken by the drafters of the bill as they talk about creating a sandbox by the authorities to encourage innovation in artificial intelligence, machine learning, or any other emerging technology in the public interest (Section 40). Any entities who apply for the creation of sandbox are exempted from the applicability of all or any of the provisions of this bill in respect of the processing of personal data. These entities have to obtain a certificate of their privacy policy from the authority before applying for the sandbox.

10. A separate chapter is dedicated to penalties and compensation in case of the contravention of provisions in the bill (Chapter 10). Types of acts for which penalties are imposed are – failure to comply with the request of data principal, failure to furnish a report, return, or information to the authority, failure to comply with directions of the authority. The last chapter of the bill relates to Offences. The offences recognized under the bill are – re-identification and processing of de-identified personal data without consent, violating the provisions of the bill, failure to conduct a data audit. An offence under this bill is declared as cognizable and non-bailable. It seems that the bill has fallen off in identifying the different types of privacy-related crimes prevalent across the world and didn’t provide any classification of offences. Also, it is specified that no court shall take cognizance of any offence under this bill, other than a complaint made by the authority. It implies that the person has the first approach to the authority in case of any privacy infringement. This straightaway takes away the right of an individual to approach the court. Also, the chapter on Penalties and Compensation and Offences should be clubbed to provide a conceptualized understanding of the offenses and penalties together.


India is at a nascent stage in the development of its digital policies, unlike Europe and other regions and countries which have well-designed and well-formulated privacy laws. India is still evolving and growing in this domain and has a long way to go. Though coming up with a law to regulate personal data is a welcoming step in India, it needs modifications and amendments as discussed above. The bill is yet to be finalized and it is expectant that the lacuna will be filled before the bill ultimately comes into force. However, India being a sovereign country should keep the enforcement and implementation of privacy laws at priority as it is not just the demand but a need of the time. Besides domestic law, an international agreement is also recommended among countries to provide more harmonious data protection norms and remedies to curb the issue of inter-country privacy