Sanchita Bera


The arrival of internet services in India goes back to 1995 when Videsh Sanchar Nigam Limited for the first time launched internet services on August 15, 1995. Later in November 1998, the Government allowed private operators for providing internet services to the public. The late 20th Century did not see much growth in the use of internet services, they were mostly restricted to office use. The hike in colossal usage of internet service started in the early 21st Century. This massive usage of internet services has led India towards ‘Digital Evolution’, thanks to our present Prime Minister Narendra Modi, who launched several schemes and policies supporting and encouraging the ‘Digital India’ movement. From the past 2014, the usage of the internet has skyrocketed and another significant player that helped the common citizen to enjoy this ‘internet service’ for free at 4G speed was Reliance Jio. The public can candidly use internet services right from e-commerce activities, social media platforms, banking transactions, and whatnot. Internet services have made the life of the public much easier, especially during this pandemic era, where many individuals are working from home. But the main question that arises here is whether the data of the individuals are safe? Whether the data service providers are keeping the personal and non-personal data of the individuals safe? Whether there are chances of data breach and data theft? The Government brought out the Personal Data Protection Bill, 2019 to answer the questions. Primarily, the Bill was designed with the following objectives ‘to ensure the growth of the digital economy while keeping personal data of the citizens secure and protected’[1]. But the million-dollar question is, whether the Personal Data Protection Bill, 2019 is picture-perfect?

Historical Perspective

 The Personal Data Protection Bill, 2019 is said to have taken the example of two renowned Models of Data Protection:

  1. The European Union Model provides a comprehensive data protection law for the processing of personal data.
  2. The United States Model which provides that privacy protection is essentially a ‘liberal protection’ i.e., protection of the personal space from Government[2].

But, a detailed analysis of the Bill indicates that the Indian Data Protection Bill is a replica of the European Union Model with a lot of fleece. Before the Bill, India had no legislation to regulate personal data and provide protection for the same. There was the Information Technology Act, 2000, but its objectives were:

  1. to grant legal recognition to the e-transactions and digital signatures and
  2. to facilitate e-filing and e-storage of information

There was no scope of regulation and protection of personal data. But the main idea behind the Personal Data Protection Bill, 2019 came from Section 43 of the IT Act, 2008 which provides penalties and compensation for damage to computers, computer systems, etc.

Issues about the Personal Data Protection Bill, 2019

The three main issues of the Bill are: Firstly, the Bill compromises with the privacy of the individuals by allowing exemptions to the Government or its agencies. The following chapters highlight this point: Chapter III (GROUNDS FOR PROCESSING OF PERSONAL DATA WITHOUT CONSENT) and Chapter VIII (EXEMPTIONS). Chapter III provides grounds for processing personal data without consent in certain cases, including matters related to employment and reasonable purposes[3]. These sections harken to the very objective of the Bill, i.e., protection of the data privacy of individuals. Instead of protecting the personal data of the individuals, the data service providers may process the personal data without following the consent mechanism designed by the Bill under Chapter 2. The Bill is contradicting its own objectives and confusing to the public. The most interesting part of the Bill is Chapter VIII. Chapter VIII provides powers to the Central Government to exempt any of its agencies from all or any of the provisions of the Bill for certain processing of personal data of the individuals. This chapter has given unlimited exemptions to the Government or its agencies on the following grounds:

  1. in the interest of the sovereignty and integrity of India,
  2. the security of the State,
  3. friendly relations with foreign States, public order[4];

This chapter has provided blanket provisions to the Government casting the whims and fancies of the same and encouraging their actions which could either be for the benefit of the individuals or their surveillance for the Government’s own interest.

Secondly, the Bill has embraced protective policies which will negatively affect the companies engaged in data services. This can be seen through Chapter VII (RESTRICTION ON TRANSFER OF PERSONAL DATA OUTSIDE INDIA). The Bill through the above chapter has imbibed a ‘two-edged sword’ policy. Primarily, the provisions under the chapter seem to be protective in nature towards the protection of personal data of the individuals, but in the true sense, the provisions compel the data service provider companies to revamp new data storage centers in India, to store at least one copy of the personal data of every customer of such data service. The Bill requires the companies to take the license from the Data Protection Authority (DPA) if they want to transfer the data out of India i.e., the Bill has put restrictions upon the cross border transfer of data. This feature of the Bill has put the economy of India under greater pressure, looking into the current economic conditions, it is almost impossible for the companies to survive through this pandemic. Now, if the Bill demands the data service provider companies to pull out the separate budget to meet the Personal Data Protection Bill, 2019 compliance costs, such companies would have to close down their businesses. The impact of such closures would be huge upon the customers of the data service providers because the closure would result in less or no availability of internet services of specific services. Also, the Bill has thwacked the global data service providers, because India adopting the Bill would mean that the LPG (Liberalization, Privatization, and Globalization) scheme of 1991 has been put at stake, as Bill desiring the companies to keep copies of personal data and restricting the transfer will affect the same.

Lastly, the Bill has provided a Data Protection Authority which teams up the secretaries of the Cabinet, Department of Legal Affairs, and MeitY. The can be seen through Section 42 of the Bill which provides the Composition and Qualifications of the Members of DPA. Including secretaries of various departments of the Government means that the independence of the DPA has been taken away, it is not a hidden fact that after the enactment of the Bill, the DPA would be formed and the same would work following the instructions of the Government. The Bill has given powers to the DPA to frame rules, regulations, notifications, etc. for the proper implementation of the Bill, which means that such drafts would not be presented upon the floors of the parliament for discussions. The DPA has been given complete authority to deal with the same and this DPA is the direct predecessor of the Government working under the fingertips of the same.

Advantages of the Personal Data Protection Bill, 2019

The two main advantages of the Bill are: Firstly, the Bill under Chapter II has in clear and conspicuous words defined the obligations of the data fiduciaries (data service providers). Before the Bill, there were no such regulations that would restrict the actions of the data fiduciaries, they at their own covet handled and processed the personal data of the individuals. There were no penalties and compensation in case the personal data of their customer were breached or thieved. But in the presence of the Bill, the data fiduciaries have come under the scanner of the Government and DPA, whose actions can be questioned by the same. Also, they are obliged to prepare a consent mechanism for their customers which has to be clear, concise, simple, and understandable before they can process, collect, gather and anonymize the data of their customers.

Secondly, the Bill under Chapter V has laid down rights of the data principal (individuals), wherein the data principals will have the following rights:

  1. Right to confirmation and access
  2. Right to correction and erasure
  3. Right to data portability and
  4. Right to be forgotten[5]


No legislation can be faultless, the Personal Data Protection Bill, 2019 does have many issues, but the Bill has also given the scope of protecting the personal data of the individuals, penalizing the data service providers who mishandle the data of their customers and institutionalizing the Data Protection Authority. If the flaws in the Bill can be removed by the Parliamentary Committee, then the Bill can become an instrument for better protection and securing the personal data of the individuals of India.

[1] Data Protection in India, Ministry of Electronics and Information Technology (MeitY), Pg. 6, (Last Visited on April 19, 2021)

[2] Data Protection in India, Ministry of Electronics and Information , Pg. 8, (Last Visited on April 19, 2021)

[3] Personal Data Protection Bill, 2019, (Last Visited on April 19, 2021)

[4] Personal Data Protection Bill, 2019, (Last Visited on April 19, 2021)

[5] Personal Data Protection Bill, 2019, (Last Visited on April 19, 2021)

 This article is authored by Sanchita Bera, pursuing Masters in Law at The Maharaja Sayajirao University of Baroda. She is currently working as a Contributing Author at The Blue Letters.

Leave a Reply

Your email address will not be published. Required fields are marked *

Latest Articles
error: Copyright Protected