The Personal Data Protection Bill


The Personal Data Protection Bill, 2019

Ministry: Law and Justice

• Introduced: Lok Sabha, Dec 11, 2019
• Referred: Standing Committee, Dec 11, 2019
• Report: Standing Committee Report, by the first day of the last week of the Budget Session, 2020


• The Personal Data Protection Bill, 2019 was introduced in Lok Sabha by the Minister
of Electronics and Information Technology, Mr. Ravi Shankar Prasad, on December 11,
2019. The Bill seeks to provide for protection of personal data of individuals, and
establishes a Data Protection Authority for the same. 
 
• Applicability: The Bill governs the processing of personal data by: (i) government,
(ii) companies incorporated in India, and (iii) foreign companies dealing with personal
data of individuals in India. Personal data is data which pertains to characteristics, traits
or attributes of identity, which can be used to identify an individual.  The Bill
categorises certain personal data as sensitive personal data.  This includes financial data,
biometric data, caste, religious or political beliefs, or any other category of data
specified by the government, in consultation with the Authority and the concerned
sectoral regulator.
 
• Obligations of data fiduciary: A data fiduciary is an entity or individual who
decides the means and purpose of processing personal data. Such processing will be
subject to certain purpose, collection and storage limitations.  For instance, personal data
can be processed only for specific, clear and lawful purpose.  Additionally, all data
fiduciaries must undertake certain transparency and accountability measures such as: (i)
implementing security safeguards (such as data encryption and preventing misuse of
data), and (ii) instituting grievance redressal mechanisms to address complaints of
individuals.  They must also institute mechanisms for age verification and parental
consent when processing sensitive personal data of children.
 
• Rights of the individual: The Bill sets out certain rights of the individual (or data
principal). These include the right to: (i) obtain confirmation from the fiduciary on
whether their personal data has been processed, (ii) seek correction of inaccurate,
incomplete, or out-of-date personal data, (iii) have personal data transferred to any other
data fiduciary in certain circumstances, and (iv) restrict continuing disclosure of their
personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.
 
• Grounds for processing personal data: The Bill allows processing of data by
fiduciaries only if consent is provided by the individual. However, in certain
circumstances, personal data can be processed without consent. These include: (i) if
required by the State for providing benefits to the individual, (ii) legal proceedings, and
(iii) to respond to a medical emergency.
 
• Social media intermediaries: The Bill defines these to include intermediaries which
enable online interaction between users and allow for sharing of information. All such
intermediaries which have users above a notified threshold, and whose actions can
impact electoral democracy or public order, have certain obligations, which include
providing a voluntary user verification mechanism for users in India.
 
• Data Protection Authority: The Bill sets up a Data Protection Authority which may:
(i) take steps to protect interests of individuals, (ii) prevent misuse of personal data, and
(iii) ensure compliance with the Bill. It will consist of a chairperson and six members,
with at least 10 years’ expertise in the field of data protection and information
technology.  Orders of the Authority can be appealed to an Appellate Tribunal.  Appeals
from the Tribunal will go to the Supreme Court.
 
• Transfer of data outside India: Sensitive personal data may be transferred outside
India for processing if explicitly consented to by the individual, and subject to certain
additional conditions. However, such sensitive personal data should continue to be
stored in India.  Certain personal data notified as critical personal data by the
government can only be processed in India. 
 
• Exemptions: The central government can exempt any of its agencies from the
provisions of the Act: (i) in interest of security of state, public order, sovereignty and
integrity of India and friendly relations with foreign states, and (ii) for preventing
incitement to commission of any cognisable offence (i.e. arrest without warrant) relating
to the above matters. Processing of personal data is also exempted from provisions of
the Bill for certain other purposes such as: (i) prevention, investigation, or prosecution
of any offence, or (ii) personal, domestic, or (iii) journalistic purposes.  However, such
processing must be for a specific, clear and lawful purpose, with certain security
safeguards.
 
• Offences: Offences under the Bill include: (i) processing or transferring personal data
in violation of the Bill, punishable with a fine of Rs 15 crore or 4% of the annual
turnover of the fiduciary, whichever is higher, and (ii) failure to conduct a data audit,
punishable with a fine of five crore rupees or 2% of the annual turnover of the fiduciary,
whichever is higher.  Re-identification and processing of de-identified personal data
without consent is punishable with imprisonment of up to three years, or fine, or both.
 
• Sharing of non-personal data with government: The central government may direct
data fiduciaries to provide it with any: (i) non-personal data and (ii) anonymised
personal data (where it is not possible to identify data principal) for better targeting of
services.
 
• Amendments to other laws: The Bill amends the Information Technology Act, 2000
to delete the provisions related to compensation payable by companies for failure to
protect personal data.

 
DISCLAIMER: This document is being furnished to you for your information. You may choose to
reproduce or redistribute this report for non-commercial purposes in part or in full to any other person with
due acknowledgement of PRS Legislative Research (“PRS”). The opinions expressed herein are entirely
those of the author(s). PRS makes every effort to use reliable and comprehensive information, but PRS
does not represent that the contents of the report are accurate or complete. PRS is an independent, not-for-
profit group. This document has been prepared without regard to the objectives or opinions of those who
may receive it.

In July 2017, the Ministry of Electronics and Information Technology (MeitY),
Government of India (GoI), constituted a committee of experts under the
chairmanship of the retired Supreme Court judge Justice B. N. Srikrishna. The
committee was entrusted with the responsibility of identifying lapses in the present
data protection regulations and preparing more robust and comprehensive data
protection laws. After working for nearly a year, the committee submitted the
draft Personal Data Protection (PDP) Bill, 2018, in July 2018.

Since its introduction last year, MeitY has solicited comments and suggestions on
the PDP Bill from the public, various stakeholders, ministers and consultants. Based
on these suggestions, a revised Personal Data Protection Bill, 2019 (Draft Bill),
was cleared by the Union Cabinet on December 4, 2019.

The key changes/highlights of the Draft Bill are as follows:

Definitions: The definition of ‘sensitive personal data’, as laid out in section 2(36) of
the Draft Bill, does not include the term ‘passwords’ any more.
Sensitive personal data is now defined as such personal data which may reveal, be
related to, or constitute:
• financial data
• health data
• official identifier
• sex life
• sexual orientation
• biometric data
• genetic data
• transgender status
• intersex status
• caste or tribe
• religious or political belief or affiliation, or
• any other data categorised as sensitive personal data by the authority and the
sectoral regulator concerned.

• Prohibition of processing of personal data
• Restriction on retention of personal data
• Grounds for processing of personal data without consent in certain cases
• Processing of personal data for other reasonable purposes
• Right to correction and erasure
• Privacy by design policy
• Transparency in processing of personal data
• Classification of data fiduciaries as significant data fiduciaries
• Data protection officer (DPO)
• Prohibition on processing of sensitive personal data and critical personal data outside
India
• Conditions for transfer of sensitive personal data and critical personal data
• Penalties
• Sandbox for encouraging innovation, etc.
• Re-identification and processing of de-identified personal data

Prohibition of processing of personal data

Clause 4 seeks to prohibit processing of personal data without any specific, clear
and lawful purpose. Earlier, the concept of reasonable processing was categorically
prescribed, which could have resulted in possible processing of data without
consent. The amended draft does away with that provision.

The Draft Bill is another step taken by GoI in its initiative towards implementing data
privacy laws in India. The said Draft Bill has been referred to a joint selection
committee of the Parliament for further review and is expected to be tabled in the
forthcoming budget session.

Furthermore, the Draft Bill incorporates important aspects such as consent,
reasonable purpose, and processing of personal data only with consent. We may look
forward to the Draft Bill being recognised as a law in the forthcoming budget session.

Acknowledgements: This article has been researched and authored by Debashree
Mukherjee, Ankit Virmani and Sonali Saraswat
