Draft Personal Data Protection Bill, 2019

  1. Introduction 

The Personal Data Protection Bill, 2019 [PDP Bill, 2019 or PDPDB 2019] was introduced in 2019 with the aim of providing a clearer and robust framework for the protection and processing of data and data-related rights for the Indian citizens. Since, the usage and attendance for internet and internet-related services were showing unprecedented rise, the need for protecting the privacy rights of individuals in addition to the use of data by the entities was said to be the focal point of address.  

Although, the Bill never saw the light of the day, notable developments accompanied the Bill before heading for further scrutiny at the hands of the Joint Parliamentary Committee who, after great deliberation and considerations, published a report based on the comments and recommendations made by the stakeholders.  

In this write-up, the PDP Bill, 2019 shall be discussed in detail, focusing on its history, key provisions which came along with it as well as the strengths and weaknesses before concluding.  

2. The Genesis of the PDP Bill, 2019 

In July 2017, a committee led by Justice B.N. Srikrishna was established to examine India’s data protection framework and propose a new data protection law. In July 2018, the committee released a draft Personal Data Protection Bill 2019, which drew from the principles of the European Union’s General Data Protection Regulation (GDPR) and aimed to provide individuals with extensive data protection rights while promoting India’s digital economy. The draft bill was open for public comments until September 2018, after which the committee submitted its report on the bill to the Ministry of Electronics and Information Technology (MeitY). 

In December 2019, the MeitY introduced the Personal Data Protection Bill, 2019, in the Lok Sabha, the lower house of the Indian Parliament. The bill incorporated several of the Srikrishna committee’s recommendations but also made significant changes. These changes included weakening the provisions on individual rights and consent, as well as giving the government more powers to exempt specific data processors from the bill’s requirements. The bill is still under review and has yet to be passed into law. 

Draft Personal Data Protection Bill 2019

3. Key Provisions of the PDP Bill, 2019 

I. The Consent Factor:  

The PDPB incorporates the consent rules included in the 2018 Bill, but it specifies that agreement must be expressly sought after the data principal has been given the option to individually consent to the use of several kinds of sensitive personal data [Clause 11(3)]. However, the PDPB also states that the provision on consent shall not be applicable for the State to perform any function for which the State is legally authorized, for the State to provide any service or benefit to the Data Principal, or for the State to issue any certification, license, or permit for the Data Principal to take any action [Clause 12]. 

II. The Right to Confirmation and Access: 

The PDPB incorporates the provisions of the 2018 Bill while additionally granting the data principal the ability to obtain in one location the identities of the data fiduciaries and the kinds of personal data shared with them [Clause 17(3)]. 

III. Right to Correction and Erasure 

According to the 2018 Bill, the data principal has the right to request from the data fiduciary that erroneous or misleading personal data be corrected, incomplete personal data be filled up, and outdated personal data be updated. The data fiduciary may disagree with the necessity for such adjustments, but the data principal may then demand that the data fiduciary make it clear that they dispute the personal data in question (Clause 25). The PDPB offers a similar perspective. 

IV. Right to Data Portability 

The Srikrishna Report believed that the right to data portability was essential for the smooth operation of the digital economy and that it also gave data owners more influence over their own personal information (Page 75). Consequently, the 2018 Bill permits data principals to have their personal data transferred if such processing has been carried out by automated means [Clause 26(1)]. If data portability is not technically possible, would compromise any data fiduciary’s trade secrets, or is required for state activities, the 2018 Bill does not authorize it [Clause 26(2)]. The 2018 Bill’s [Clause 19] provisions were accepted by the PDPB.

V. Right to be Forgotten 

The PDPB adopted the clause in the 2018 Bill but required the data principal to prove to the adjudicating officer that their right to restrict the dissemination of personal data outweighs any other citizen’s right to free expression or the right to receive information [Clause 20(2) proviso]. The Adjudicating Officer’s judgment may also be challenged under PDPB [Clause 20(5)]. 

4. The GDPR Connection 

  1. Similarities 
  • Both the PDP Bill of 2019 and the GDPR work to safeguard people’s privacy and personal data. 
  • Both regulations mandate that data controllers get individuals’ informed consent before collecting and using their personal information. 
  • Both laws provide people the ability to view, update, delete, and transfer their personal data. 
  • These regulations carry severe penalties and fines for infringement of data protection. 

2. Differences 

  • Jurisdiction: The PDP Bill, 2019, only applies to Indian data controllers and processors, but the GDPR extends to all data controllers and processors operating inside the European Union. 
  • Data localization: The PDP Bill, 2019, mandates that all personal data be handled and kept solely in India, but the GDPR permits the export of data from the EU under certain circumstances. 
  • Sensitive personal data: While the GDPR protects all personal data equally, the PDP Bill, 2019, offers extra protections for sensitive personal data, such as financial and health information. 
  • Data Protection Authority: While the GDPR already has a supervisory authority in place across the EU, the PDP Bill, 2019, proposes the creation of a Data Protection Authority to supervise and enforce data privacy laws in India. 

5. Conclusion 

The 2019 Personal Data Protection Bill sought to address the urgent need for privacy and personal data protection for Indian residents in the digital era. The bill included a number of crucial elements, such as the creation of a Data Protection Authority, stringent data protection requirements, personal freedoms, and harsh penalties for data protection infractions. Although the bill has undergone several updates and modifications, it continues to be an essential piece of legislation for safeguarding personal information in India. The PDP Bill, 2019, is a significant step in the right direction toward reaching this aim of establishing an effective data security framework and fostering confidence in digital technologies. 

Checkout Other Whitepapers

In an age defined by technological leaps, the convergence of Generative AI and Data Privacy emerges as a pivotal crossroads.As Generative AI …

This paper is an in-depth analysis of the newly introduced Digital Personal Data Protection Act 2023. The Act is a simple and …

The European Commission introduced a proposal in April 2021 to regulate artificial intelligence (AI) in a 108-page document, aiming to establish a …

As defined by the EU Council, the NIS 2 directive “will set the baseline for cybersecurity risk management measures and reporting obligations …