



In August 2017 the Supreme Court of India held that privacy is a fundamental right, flowing from the right to life and personal liberty under Article 21 of the Indian Constitution, and privacy of personal data was seen as an essential aspect of the right to privacy. To examine various issues relating to data protection, a committee of experts chaired by Justice BN Srikrishna was set up. The committee submitted the draft in July 2018. After further deliberations, the bill was approved by the cabinet minister of India on 4th December 2019 as The Personal Data Protection Bill 2019 and tabled in the Lok Sabha on 11th December 2019. The bill appears to supersede the Information Technology Act, 2000 (section 43-A)[1].

The bill is a great leap towards data localization, and its emphasis on the consent of the data fiduciary provides an environment that respects the right to privacy. It also establishes the Data Protection Authority of India (DPA), which will be an independent regulatory body under section 41[2][3] of The Data Protection Bill, 2019; this will increase the effectiveness of the law and the efficiency of data processing. Despite these commendable provisions, there are some gaps for which the bill is being criticized. These gaps need to be identified and acted upon to make the law more effective.


The bill also states the concept of “harm”, which refers to discriminatory treatment. This can be interpreted to cover any kind of denial or withdrawal of a service resulting from the evaluation of the data principal (the person whose information is being collected and processed). The problem is that the word “discriminatory” is abstruse here: it provides a wider ambit for the types of discrimination that can be taken into consideration, and it also reduces the scope for data fiduciaries (the State, a company, any juristic entity, or any individual who alone or in conjunction with others determines the purpose and means of the processing of personal data) to collect data, as they can fall into discriminatory practices[4].

This ambiguity in the term “discriminatory treatment” is a significant cause of concern, as data fiduciaries will find it difficult to collect information. There should therefore be clear grounds of discrimination, as there are in the Constitution.


Under the Data Protection Bill, 2019, all companies should provide options for users to verify their identity voluntarily, and users who are not willing to verify their identities will be a target of government scrutiny or investigation. It takes a lot of resources, both financial and technical, to build a large verification system. Hence the creation of social media platforms will only be feasible for large companies, which will increase the risk to privacy. Many social intermediaries believe that anonymity sometimes brings benefits such as whistleblowing and protection from stalkers.


The Personal Data Protection Bill, 2019 will also mandate that companies share non-personal data with the government on the grounds of public good and planning purposes. Non-personal data includes aggregated data through which individuals cannot be identified. For example, an individual’s own location would constitute personal data, whereas information derived from multiple drivers’ locations, which is often used to analyze traffic flow, is non-personal data. This will raise privacy concerns and will have a catastrophic impact on companies, as many enterprises keep trade secrets in the form of non-personal data. The government should make changes in these provisions, as they put companies in a cramped position.


The bill also provides a major exception to the government in section 35[5] of the Personal Data Protection Act, 2019. After having provided privacy safeguards, the bill empowers the Central government in Section 35 to allow any government agency to bypass all of these (a) in the interest of sovereignty and integrity of India, security of the state, friendly relations with foreign states or public order, and (b) for preventing any cognizable offence relating to (a) above. However, this will be subject to the procedures or mechanisms of the respective agency. But the bill does not talk about the Parliamentary law which should be framed to determine what is necessary or proportionate to achieving such interests. Section 35 basically negates the privacy of the common people, who will never be able to know that their data is being used by government agencies in the name of national security.[6]

This exemption will concentrate all the power in the hands of the central government, leaving no system of checks and balances. It will also decrease transparency and accountability in the collection and processing of data, so the chances of abuse of power can increase.


There are many organisations that have to invade the privacy of some suspects, for various reasons such as national security itself, and to do so the agencies have to intrude on the suspects. These agencies are important, as they track, estimate, and eliminate such activities, but after The Personal Data Protection Bill, 2019 they will find surveillance difficult; hence the bill will make such entities legally vulnerable. The government should provide norms or a mechanism for these agencies to operate.


During the era of the digital revolution, the protection of data has become an utmost concern for people, as a person's personal data can easily be collected from cyberspace and used vexatiously. The Personal Data Protection Bill, 2019 is a good initiative by the government to move towards data localisation and to provide the right to privacy to its people, but the gaps in the bill are likely to reduce the effectiveness of the law. The government should decentralize the power it gains through section 35 and also devise a mechanism for the intelligence agencies to carry out surveillance activities without infringing the right to privacy. The government should also consider companies by further classifying non-personal data, selecting the data which is needed, and informing the companies of it in advance. The government should also focus on ascertaining the grounds of discrimination to remove ambiguity. There may be some gaps in the bill, but with some adjustments and alterations, the days of data localization can be achieved.

Author(s) Name: Sarthak Mittal (Guru Gobind Singh Indraprastha University, Delhi)



[1] The Information Technology Act, 2000 (Act 21 of 2000)

[2] The Data Protection Bill, 2019 (Bill no. 373 of 2019)

[3] Section 41 of The Data Protection Bill, 2019 refers to the establishment of an independent body for data protection

[4] Anirudh Burman, The Draft Personal Data Protection Bill is Flawed, HINDUSTAN TIMES (December 16, 2019)

[5] Ibid

[6] Archita Roy and Rachita Ranjan, “The Personal Data Protection Bill, 2019: An Analysis”, Manupatra (2019)
