


Ideas and technology are modernized daily as each generation evolves. People are steadily moving towards digitalization and virtual platforms. India has launched a project called “Digital India”, under which there is biometric identification, many smart cities have been built, and everything is done online. As a result, both our personal and non-personal data must be protected from misuse, which necessitates strong legal procedures, frameworks, and regulations. For that reason, the Personal Data Bill (PDP Bill) has been introduced by the Indian Ministry of Electronics and Information Technology on December 11, 2019, and 2020. The bill is being analyzed by the Joint Parliamentary Committee (JPC)[1]. The JPC was given a short time to analyze the bill and draft it as law, but in the budget session of 2020, the experts and stakeholders asked for more time to study and analyze the bill, so it is still pending. If it passes, it will promote the principle of the “Right to Privacy” of individuals. The aim of data protection policy is to reduce wrongful intrusion into an individual’s privacy through the collection and use of their data.

Evolution of Data Privacy Concept in India

With the changing era and generations, our ideas and technology are also changing. The concept of data privacy can be traced to Indian history, which emphasizes that matters of worship, sex, and family should not be disclosed to others. In ancient India, the right to privacy existed from the time of the Dharmashastra, according to which privacy was related to positive morality, and the concept was very well established during that time.

Judicial Role in Privacy and Data Protection

The right to privacy was not in the Constitution of India from the beginning. It has slowly evolved through many Supreme Court judgments; from the 1960s, the judiciary has dealt with the right to privacy as a constitutional right and also as a common law right. The question of recognizing the right to privacy as a right arose in the case of Kartar Singh v. State of U.P 1963,[2] where the SC held that privacy is not a fundamental right, but that personal liberty cannot be violated, as it is covered under the umbrella of Article 21 of the Constitution. The same view was observed by the Apex Court in the case of M.P Sharma v. Satish Chandra 1954[3]. The SC upheld the view of the U.S. Supreme Court that the privacy of an individual needs to be protected from unreasonable interruption from police authorities. As long as privacy doesn’t affect the public at large, it should be protected. In this context, another case that needs to be mentioned is Govind v. State of M.P 1975,[4] in which the Supreme Court observed that:

  • The Right to Privacy is not an absolute right and has to go through the ‘state interest test’.
  • Surveillance cannot be said to be an infringement of the right to life and privacy, because only those persons who are suspected of committing crimes are put under surveillance.

The strong challenge that the right to privacy faced came before a nine-judge bench in the case of K.S. Puttaswamy v. Union of India,[5] in which a retired Karnataka High Court judge, Puttaswamy, challenged the government’s Aadhaar scheme (a form of uniform biometrics-based identity card); the card was made mandatory for availing government schemes and benefits. The issue was that this scheme violated the right to privacy. A nine-judge bench was set up to decide whether the Right to Privacy is a fundamental right and whether it is guaranteed by Article 21 as part of the right to live with dignity. It was recognized by the Supreme Court that the Right to Privacy is not an intrinsic part of the Right to life and personal liberty under Article 21 of the Constitution and it’s not expressly a fundamental right. However, although there are many judgments regarding the right to privacy, data privacy and protection laws have received less focus and are not clear.


Data protection is at a critical stage in India and needs to be reformed. As cybercrimes are increasing day by day, there is a high chance that India will become the epicenter of cybercrimes if a stable and strong data protection and privacy law does not come into existence. India does not have enough digital security, which needs to be restored through due legislative provisions along with suitable public and employee awareness. As India progresses along the path of digitalization and the IT sector, business processing outsourcing (BPO) is growing, and it holds a lot of sensitive information about individuals, such as credit card details, money-related information, and even their medical history. To protect this information, a tight and strong data protection law is needed. Although the Information Technology Act of 2000[6] has provisions regarding digital and IT data protection, it doesn’t address the requirements.

Now, in this digital era, we need to create a digital economy without causing any harm to individuals’ privacy and ensure innovation, advancement, and empowerment through digital governance. The New Personal Data Protection Bill of 2019 will ensure data protection from unauthorized and harmful processing, and it will build trust between the people and the companies or entities that process personal data. Justice B.N Krishna said, “The Data Protection Bill will be like new shoes, tight in the beginning but will be comfortable eventually”.[7] To draft the Data Protection Bill, a committee was created by the Ministry of Electronics & Information Technology. This bill is created under the principles and framework of the “General Data Protection Regulation” (GDPR)[8] recently notified in the European Union. The Bill will replace section 43A of the Information Technology Act 2000. This bill of 2019 is a revised version of the 2018 bill that gives a lot of focus to the consent of individuals. If this bill is passed, it will be a modified version of the 2018 bill with many new and better provisions.


This bill creates a shield for data that is processed by humans and by AI. In the upcoming age of crypto, this bill is very much needed. In section 3 of this bill, data has been divided into two categories:[9]

  • Personal
  • Sensitive Personal Data

Chapter III of this Bill gives more focus and protection measures to Sensitive Personal Data, which includes:

  • An individual password
  • Financial data
  • Sex Life Privacy
  • Biometric data
  • Genetic data
  • Intersex, caste and tribe status, or

any other data which falls under the ambit of sensitive personal data under section 15 of the bill. In the earlier bill, religion or political beliefs were not included, but in this bill, sensitive data covers that part. This Bill controls and keeps a check on the transfer of individual personal data by both government and private entities situated in India or incorporated overseas. This bill gives the Data Principal the right to correct inaccurate and incomplete data, and another right to have data forgotten where consent has been withdrawn; all these rights are given in Chapter V of the bill.

It creates a regulatory body to observe information processing activities. The terms used in the bill for the protection of data include:

  1. Data Fiduciary: any person, including the state, a company, any juristic entity, or any individual, who alone or in connection with others determines the means or purpose of processing personal data. Sections 4 to 11 of Chapter II of the Personal Data Protection Bill 2019 describe the obligations of the data fiduciary. The person who will process the data must do it in a specific, clear, and lawful manner. The data principal must ensure that the privacy of the data is maintained.
  2. Data Processor: the person, which includes a State or an entity or any individual, who will process the data on behalf of the Data Fiduciary; the term doesn’t include an employee of the data fiduciary. Before processing data, consent must be taken, but this bill also talks about situations of processing data without consent, and Chapter III of the bill defines those grounds.
  3. Offences: Chapter XIII of this bill sets out the offences. If any person, without the consent of the data processor, misuses any data, he will be liable for punishment with imprisonment for a term of not more than 3 years or a fine of two lakh rupees or both. It also contains punishment for the state or company if they transfer data with the consent of the individuals except in special situations.

Penalties are laid down under chapter X of the bill. The penalties range from five crores or 4% of the total worldwide turnover. Compensation can also be claimed for misuse of data or any violations of any provisions of the bill.

  1. Data mirroring is a process through which a replica of the Personal Information is to be saved, according to the 2018 bill[10]. This bill removes the requirement of data mirroring.
  2. Any critical personal data can be stored and processed, but before processing, the permission of the data principal is required, and there shall be limitations on such data. The data shall be deleted after processing.
  3. This bill establishes conditions for companies and firms that want to operate a business in India: if they want to collect the personal data of individuals, they have to obtain permission from the users. The users can control their data and request the firms to delete it, as they also have the right to be forgotten.
  4. Sensitive personal data can be transferred outside India if the individuals give their consent, but critical personal data can only be processed in India. There are exceptions for processing personal data, like:
  • if there is any need for investigation or prevention of any offence,
  • for research purposes,
  • for personal, domestic or journalistic purposes,
  • for the security of the state.


This bill is a great initiative for the betterment of the data privacy policies of India. It will protect the data of different sectors and make the legal framework of India stronger regarding data privacy. The Government is all set to pass this bill in the budget session of FY22, as crypto has entered India, which needs great digital protection. Through this bill, people will be aware of the nature and purpose of the data that will be collected. But while this bill has advantages, it also has some loopholes. The Government can access data at a wide range and also has increased state power regarding data surveillance: under section 35 of the bill, the government can remove any agency of the state from the application of the Act. There are also no single global data protection agreements. So, according to me, this bill has some minute details that need to be a bit more restructured with wider objectives.

Author(s) Name: Dibakar Banerjee (Law College Durgapur (Kazi Nuzrul Islam University))


[1] ‘Joint committee report on Data Protection Bill tabled in both Houses of Parliament’, India Today (December 21, 2021), accessed 15 February 2022

[2] Kartar Singh V. State of U.P & Others (1963) AIR 1295, accessed 15 February 2022

[3] M.P Sharma & Ors V. Satish Chandra & Ors (1954) AIR 300, accessed 15 February 2022

[4] Govinda V. State of M.P & Anr (1975) AIR 1378, accessed 15 February 2022

[5] K. S Puttaswamy & Anr V. Union of India & Ors (2012) AIR 494, accessed 15 February 2022

[6] ‘Information Technology Act’ [2000], accessed 15 February 2022

[7] ‘Protect critical personal data of citizens: draft Bill’, The Hindu (New Delhi, 28 July 2018), accessed 15 February 2022

[8] Deloitte, ‘The General Data Protection Regulation GDPR’, accessed 15 February 2022

[9] PRS Legislative Research, ‘Personal Data Protection Bill 2019’, accessed 15 February 2022

[10] PRS Legislative Research, ‘Personal Data Protection Bill 2018’, accessed 15 February 2022