Data Protection Bill, 2018
WRITTEN SUBMISSION
JALAJ AGARWAL
16010125205
DIVISION C
IV YEAR BA LLB
CRITICAL ANALYSIS OF THE PERSONAL DATA
PROTECTION BILL, 2018
INTRODUCTION
Data protection refers to policies and procedures seeking to minimize intrusion into the privacy
of an individual caused by collection and usage of their personal data.[1] Up until now, privacy
laws in India provide little protection against any misuse of personal information. In India, usage
of personal data or information of citizens is currently regulated by the Information Technology
(Reasonable Security Practices and Procedures and Sensitive Personal Data or Information)
Rules, 2011, under Section 43A of the Information Technology Act, 2000,[2] which has
increasingly proved to be inadequate. On 27 July 2018, the nine-member expert committee
headed by Justice B.N. Srikrishna submitted its Report along with a draft bill titled The Personal
Data Protection Bill, 2018 to the Ministry of Information and Technology. The Personal Data
Protection Bill, 2018 proposes to carry out a drastic upgrade to India's current data privacy
regime. From prescribing data localization, to creating a fiduciary relationship between data
subjects and data controllers, to providing for data portability, the new Act seeks to put in place
for India, one of the most stringent data privacy regimes in the world. The upcoming Data
protection regime will widen the scope by offering a comprehensive data protection framework
which shall apply to processing of personal data by any means, and to processing activities
carried out by both the Government as well as the private entities, not only Body Corporate.
BACKGROUND
Over the years, rapid technological advances have led to large volumes of data being generated
through various activities, and increasing reliance of businesses on data-driven decision making.
In 2012, a petition was filed in the Supreme Court, challenging the constitutional validity of
Aadhaar on the grounds that it violated an individual’s right to privacy. Following this, on
August 24, 2017, a nine-judge bench of the Supreme Court in Justice K. S. Puttaswamy (Retd.)
v. Union of India and others[3] declared privacy as a fundamental right of Indian citizens. The
Court held that the Indian Constitution treats the right to privacy as a fundamental right.
Although the Constitution does not expressly mention the right to privacy, the Supreme Court
ruled that privacy is enshrined in Article 21, which grants the right to “life and personal liberty.”
The Court opined that privacy permits an individual to lead a life of dignity, without which the
right to life and personal liberty would be meaningless. The Court also observed that
‘informational privacy’, or the privacy of personal data and facts, is an essential facet of the right
to privacy.[4] It further directed the government of India to enact a robust and comprehensive data
privacy law.

[1] Christopher Kuner, International Data Privacy Law (IDPL), Volume 9 Issue 3, August 2019, https://academic.oup.com/idpl
[2] The Information Technology Act, 2000, Government of India, June 9, 2000, https://meity.gov.in/writereaddata/files/The%20Information%20Technology%20Act%2C%202000%283%29.pdf

Countries around the world have developed comprehensive regulatory frameworks to protect an
individual’s rights with respect to processing of their information. Thus a Committee of Experts
was set up under the Chairmanship of Justice B. N. Srikrishna in July 2017 to (i) examine
various issues related to data protection in India, (ii) recommend methods to address them, and
(iii) suggest a draft data protection Bill.[5] 2018 was a big year for data privacy and data
processing regulation. On July 27, 2018, India published a draft bill for a new, comprehensive
data protection law to be called the Personal Data Protection Act, 2018, only some time after the
European Union General Data Protection Regulation (GDPR) took effect and California also
enacted the California Consumer Privacy Act of 2018 (CCPA).[6]
The Bill regulates the processing of personal data of individuals (data principals) by government
and private entities (data fiduciaries) incorporated in India and abroad. Processing is allowed if
the individual gives consent, or in a medical emergency, or by the State for providing benefits.
The data principal has several rights with respect to their data, such as seeking correction or
seeking access to their data which is stored with the fiduciary. The fiduciary has certain
obligations towards the individual while processing their data, such as notifying them of the
nature and purposes of data processing. The Bill allows exemptions for certain kinds of data
processing, such as processing in the interest of national security, for legal proceedings, or for
journalistic purposes. The Bill requires that a serving copy of personal data be stored within the
territory of India. Certain critical personal data must be stored solely within the country. A
national-level Data Protection Authority (DPA) is set up under the Bill to supervise and regulate
data fiduciaries. The DPA is empowered to (i) draft specific regulations for all data fiduciaries
across different sectors, (ii) supervise and monitor data fiduciaries, (iii) assess compliance with
the Bill and initiate enforcement actions, and (iv) receive, handle and redress complaints from
data principals. It shall consist of a chairperson and six members, with knowledge of at least ten
years in the field of data protection and information technology. The DPA shall have a separate
adjudication wing to impose penalties and award compensation. Orders of the DPA can be
appealed to an appellate Tribunal set up by the central government, and appeals from the
Tribunal will go to the Supreme Court.[7]

[3] “Justice KS Puttaswamy and Another v Union of India and ors,” 10 SCC 1, Supreme Court of India, 2017, https://www.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf
[4] Bhandari, V., Kak, A., Parsheera, S., & Rahman, F. (2017). An Analysis of Puttaswamy: The Supreme Court's Privacy Verdict. IndraStra Global, 11, https://nbn-resolving.org/urn:nbn:de:0168-ssoar-54766-2
[5] “A Free and Fair Digital Economy”, Report of the Committee of Experts under the Chairmanship of Justice B. N. Srikrishna, 2018
[6] https://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/eCom-Data-Protection-Laws.aspx
[7] Section 79 of the Data Protection Bill, 2018
[8] Section 69 of the Data Protection Bill, 2018

CRITICAL ANALYSIS
The Bill provides much needed reforms such as purpose limitation, collection limitation, storage
limitation, privacy by design, transparency, and security safeguards and so on. However, instead
of setting a new standard it falls short of meeting even the existing ones. Areas such as data
localization, cross border data transfer, breach notification and right to erasure are regressive in
the current Bill. Interception of communications, surveillance and direct marketing were tackled
in even the leaked Privacy Bill of 2011, but these issues are entirely missing from the present
Bill. There should be public consultations on the Bill and appropriate modifications should be
made to enact a law that protects the privacy rights of citizens.
Applicability: The Bill is applicable to activities relating to processing of personal data within
the territory of India, by an Indian (State, citizen, or company incorporated in India), in
connection with any business carried on in India, where goods or services are offered to people
in India, or profiling of people present in India. The Bill confers excessive power on the Central
Government. The Central Government has even got the power to issue directions to the DPAI.
The Bill draws a distinction between those who decide what is to be done with the data (“data
fiduciary”) and those who process data (“data processor”) of a natural person (“data principal”).
The terms data fiduciary and data processor include the State in their ambit. However, the State
has various exemptions and procedures to bypass many of the requirements imposed upon others
under the Bill as mentioned further below.
IT Law: As of now, the only protection for data available under law in India exists in the form
of protection for sensitive personal data under Section 43A of the Information Technology Act,
2000 and the rules made thereunder. Since this Bill seeks to create a new and comprehensive
data protection framework, it also seeks to delete these existing provisions from the law. The
scope of sensitive personal data has been expanded under the Bill from the current meaning of
the term under Rule 3 of the Information Technology Rules, 2011. The new additions to
sensitive personal data include: official identifier, sex life, transgender status, intersex status,
caste or tribe, religious or political beliefs or affiliation, and any category of data specified by the
Authority.
Notice: The requirement for a notice is quite detailed in the Bill.[9] For consent to be considered
valid, the Bill requires that the consent should be free, informed, specific, clear and capable of
being withdrawn.[10] The Bill assumes that consent would be informed if the data principal has
been provided various minute details in a notice. Regardless of the above, the principle of
consent has been highly diluted in the Bill. A wide exception has been created for any processing
of personal and sensitive personal data necessary for any function of Parliament or any State
Legislature or any function of the State authorized under a law for provision of any certificate or
benefit. An additional exception exists for processing of personal data for issuance of any
certification, license or permit. Processing of personal and sensitive personal data can also be
done for “any function of Parliament or any State Legislature” or “the exercise of any function
of the State by law for the provision of any service or benefit to the data principal”.
DPAI: The Bill would grant DPAI the power to allow processing of personal data for certain
purposes without consent, including: prevention and detection of unlawful activity including
fraud, whistleblowing, mergers and acquisitions, network and information security, credit
scoring, recovery of debt and processing of publicly available data. Passwords, financial data,
health data, official identifiers, genetic data, and biometric data can be processed without consent
during a breakdown of public order.
Data principals: have been granted certain rights in the Bill along the lines of the rights granted
to data subjects in EU’s General Data Protection Regulation.[11] Apart from confirmation of past
or on-going data processing activity, being provided a summary of the personal data being
processed or that has been processed, and the right to correction, data fiduciaries can charge data
principals for the exercise of every other right available to them.[12] The right to access data is
severely limited. Instead of requiring the data fiduciary and data processor to provide a complete
copy of the data that is in the possession of the entity, the Bill requires them to provide only a
summary of the personal data and a summary of processing activities.

[9] Section 8 of the Data Protection Bill, 2018
[10] Section 12 of the Personal Data Protection Bill, 2018.
[11] “India: Comparing the Personal Data Protection Bill 2018 with the GDPR”, dated December, 2018. Available at: https://platform.dataguidance.com/opinion/india-comparing-personal-data-protection-bill-2018-gdpr
[12] Section 17(1) of the Data Protection Bill, 2018

Children: They have been granted additional safeguards against the processing of their data,
including provisions for age verification and parental consent. Data fiduciaries that target
children would not be allowed to perform certain data processing activities.
Cross border transfer: of data is allowed under certain conditions, but a copy of the personal
data must be kept in India.[13] Additionally, the Central Government (not the DPAI) can notify
certain categories of personal data that can be processed only in India. Consent is necessary for
cross border transfer of data. Most rights and obligations under the Bill are inapplicable if data is
processed for security of State; prevention, detection, investigation and prosecution of
contraventions of law; domestic purposes; journalistic purposes; or legal proceedings. The
Authority has a power to create exemptions for research, archiving or statistical purposes.
Compliance of a few provisions is also exempted for manual processing by small entities.
Penalties: DPAI has powers to monitor and enforce the Bill, issue codes of practice and
directions, conduct inquiries, issue warnings, mandate changes in business or activity, and
impose penalties. Compensation can be claimed by any data principal who has suffered harm
due to violation of any provision by data processor or data fiduciary. Certain offences under the
Bill would be punishable with imprisonment up to five years. All offences under the Bill are
cognizable and non-bailable. The penal provisions in the bill, all of which are non-bailable,
could possibly lead to a scenario similar to arrests under Section 66A of the IT Act.[14]
Adjudication: There would be three stages to the adjudication process under the Bill. The first
stage is adjudication by an Adjudicating officer.[15] Unfortunately, the Bill recognizes a need to
make the adjudicatory wing of the DPAI independent from the rest of the authority, but not from
the Central Government itself. The Central Government has the power to decide the following
regarding Adjudicating officers: qualification, manner and term of appointment, jurisdiction, and
procedure for carrying out adjudication and "such other requirements as the Central Government
may deem fit".[16]

[13] Section 34 of the Data Protection Bill, 2018
[14] Neeti Gupta, Freedom of Speech Restored – 66A of IT Act Struck Down – A Case Commentary, Indian Journal of Applied Research, Vol. 5, Issue 5, May 2015
[15] Section 68 of the Data Protection Bill, 2018
[16] Section 74 of the Data Protection Bill, 2018

INTERNATIONAL COMPARISON OF DATA PROTECTION AND PRIVACY LAWS
European Union:
The EU model provides a comprehensive data protection law for processing of personal data. In
EU, the right to privacy is a fundamental right which seeks to protect an individual’s dignity.
The European Charter of Fundamental Rights (EU Charter) recognizes the right to privacy as
well as the right to protection of personal data. The EU possesses a comprehensive data
protection framework which applies to processing of personal data by any means, and to
processing activities carried out by both the Government as well as the private entities, although
there are certain exemptions such as national security, defense, public security, etc.[17]
United States:
In the US, privacy protection is essentially a “liberty protection” i.e. protection of the personal
space from government. First, unlike the EU, there is no comprehensive set of privacy
rights/principles that collectively address the use, collection and disclosure of data in the US.[18]
Instead, there is limited sector specific regulation. Second, the approach towards data protection
varies for the public and private sector. The activities and powers of the Government vis-à-vis
personal information are well defined and addressed by broad, sweeping legislations such as the
Privacy Act, the Electronic Communications Privacy Act, etc. For the private sector, certain
sector-specific norms exist, for example the Federal Trade Commission Act (FTC).
Over the years, rapid technological advances have led to large volumes of data being generated
through various activities, and increasing reliance of businesses on data-driven decision making.
While the transition to a digital economy is underway, the processing of personal data has
already become omnipresent. The reality of the digital environment today is that almost every
single activity undertaken by an individual involves some sort of data transaction or the other.
While data can be put to beneficial use, the unregulated and arbitrary use of data, especially
personal data, has raised concerns regarding the privacy and autonomy of an individual. The
report and the Bill should be considered as a start and not the end of a process. It is a good start,
but it still needs to be perfected. As the largest democracy in the world, India should be striving to
set the global standards on civil rights and liberties.

[17] Dove, Edward, The EU General Data Protection Regulation: Implications for International Scientific Research in the Digital Era. The Journal of Law, Medicine & Ethics. (2018)
[18] Cobb, Stephen, Data privacy and data protection: US law and legislation (2016)

There are certain issues and loopholes in the upcoming legislation which need to be debated, and
necessary changes should be made, as Justice BN Srikrishna, the chief architect of the draft law,
also had concerns and said the law can turn India into an ‘Orwellian State’.
The Bill provides an exemption to any agency of government from the application of the Act in
the interest of sovereignty and integrity of India, the security of the state, friendly
relations with foreign states, public order. The unrestricted government access is like a
two-sided coin scenario. On one hand, the privacy bill is a part of the government’s
efforts to have more control of data and help it track unlawful activities by using digital
footprints. On the other hand, the user’s access may give the government unaccounted
access to personal data of customers in the country leading to data misuse and
unauthorized access.
The Bill allows an exemption for the disclosure of personal data for legal proceedings
such as (i) enforcing a legal right or claim, (ii) defending any charge, and (iii) obtaining
legal advice. It can be questioned whether asking for personal information without a
court order becomes permissible as per this exemption. Further, it is unclear whether the
requirements laid out in Puttaswamy vs Union of India[19] are met by the exemptions for
research and journalistic purposes. The legitimate aims of these exemptions, i.e.,
permitting journalistic freedom or building scope for research, have to be balanced
against preserving the right to privacy of data principals.
The need to understand the impact of a cross-sectoral privacy law on employment, job
growth, and small businesses is much more important for an emerging economy like
India.[20] The job growth in India is at a considerable low and many individuals are
actually leaving the job market. In such a situation, any proposed legislation that has the
potential to impact firm productivity and the labor market requires careful analysis before
it is enacted into law.

[19] “Justice KS Puttaswamy and Another Vs. Union of India and ors,” 10 SCC 1, Supreme Court of India, 2017, https://www.sci.gov.in/supremecourt/2012/35071/35071_2012_J
[20] https://www.pwc.in/consulting/cyber-security/blogs/decoding-the-personal-data-protection-bill-2018-for-individuals-and-businesses.html

Careful analysis of the impact of the proposed bill on emerging technologies and their
applications in the Indian context is also needed. For example, the proposed bill could
potentially impact the business models of many firms providing financial technology.
Consequently, requirements in the proposed bill that could potentially inhibit the growth
of such services in the Indian economy need to be carefully evaluated.
The US model allows collection of personal information as long as the individual is informed of
such collection and use. However, it has been viewed as inadequate in key respects of regulation.
EU law is criticized for being excessively stringent, and imposing many obligations on the
organisations processing data. India must factor out the pitfalls of other global approaches. India
must find the right balance so as to take advantage of a data driven ecosystem but with all
reasonable restrictions. It is suggested that the EU's GDPR would be a good benchmark for India
as it is a good template to draw from. Most importantly, the government should involve all
stakeholders, especially privacy and data security advocates, in the drafting of the law. Thus the
best practices and principles from GDPR should be adopted, keeping the cultural and
demographic needs of Indian society in mind.
BIBLIOGRAPHY
https://corporate.cyrilamarchandblogs.com/2019/12/personal-data-protection-bill-2019-analysis-india/
Committee of Experts under the Chairmanship of Justice B N Srikrishna, “Draft Personal
Data Protection Bill, 2018,” July 27, 2018, https://www.thehinducentre.com/resources/article24561526.ece/binary/Personal_Data_Protection_Bill,2018_0.