The Personal Data Protection Bill 2019 - Implications on India

The Personal Data Protection Bill was introduced in the Indian Parliament on 11th December 2019 by Mr. Ravi Shankar Prasad, Minister of Electronics and Information Technology. It aims to provide a legal framework to protect an individual’s data with some strict guidelines for any entity in India, be it public or private. After the landmark Supreme Court judgement in the Puttaswamy case of 2017, where the court recognised the “Right of Privacy”; a committee under Chairmanship of Justice B.N. Srikrishna was formed in August 2017 to study and identify key data protection issues and recommend methods to address them. The Committee tabled its report and proposed Personal Data Protection Bill in July 2018. The bill is due to be presented in September 2020 and will become law once passed by the parliament followed by accent of Honourable President of India.

What is data privacy?

The awareness about data privacy in India has been growing from last few years; still many are unaware about it. For example, you meet someone in a family function about whom you don’t know much. You may casually talk to him, might even reveal your name and which company you work for but you might not be comfortable in revealing other details like your salary, property worth, loans, EMIs etc. But if you were to open a bank account you will most certainly have to reveal all such information. These critical details are important to individuals and can create a nuisance if leaked. Many of us receive unsolicited phone calls, SMS and even WhatsApp messages pitching “attractive offers” to buy a property or refer a doctor. We generally take these messages casually without thinking that the sending party must be having our phone number and financial details and thus can send offers we might be interested in.

Data once breached can reveal our email passwords, name, addresses, financial details, medical history etc. The list is endless and hence there must be a definitive framework that provides clear guidelines to any company we handover our details to safekeep.

What does the law provide for?

The bill lays the proposal to create a new regulatory authority called the Data Protection Authority (DPA). DPA will implement the data protection rules which will apply to public and private sector organisations including all businesses like Real Estate, Pharmaceuticals, e-commerce, social media companies, IT companies etc. Only those small businesses who do not have the necessary infrastructure and collect information manually will be exempted to comply but they still will have some “guidelines” to follow from DPA.

The Bill proposes the right for any Indian citizen to access, correct, and erase all their data given to any business. Hence, businesses will have to compulsorily provide for the necessary ways for their customers to do so and even including potential customers whose data in some form has been submitted to the business entity. The proposed law also mandates that personal data sensitive in nature must be stored in India.

Clause 36 of the Bill defines “Sensitive personal data” as financial data, health data, biometric data, genetic data, religious or political beliefs etc. Such data can be sent outside India for processing purposes after an explicit consent by authorities concerned. In any case, it must only be stored inside the country. Personal data critical cannot even be transferred out of India under any circumstances. The Government will notify the personal data which would be classified as “Critical Personal Data” later. The bill provides for an imprisonment of 3 years and a fine of two lakh rupees on any individual found guilty of non-compliance of the law. Also, the business found to have breached the proposed regulations will attract fines.

Global examples of such a Law

There are countries like Switzerland, Norway, Romania, Iceland, Panama and The Seychell as having tough Data protection and privacy rules. A comprehensive example of such a law is European Union’s “General Data Protection Regulation” (GDPR) which was put into effect in May 2018. The GDPR has its seven principles laid out for data handlers (Government & Private organizations) as lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality (security) and accountability.

When we talk about an individual’s right GDPR lays them as (but not limited to) the right to access, right to inform, right to rectification, right to restrict processing, right to erasure, right to object, right to data portability, right around automated decision making and profiling. India’s Personal Data Protection Bill definitely takes a leaf out of GDPR. India will be among the handful of other countries to have such a stringent Data protection law in place.

Possible Economic implications of Personal Data Protection Bill

The world has changed a lot after Coronavirus broke out. It has not only revealed the world the economic consequences of concentrating all activities in China, but also has forced many multinational companies to plan shifting their businesses to other countries Also, the world, in general, is very sensitive and aware of the need for data privacy and protection. One can remember the public outcry after Cambridge Analytica data breach of 2018 in India or that of Edward Snowden’s whistleblowing against the National Security Agency (NSA) in the USA in 2013.

Corporate Data protection came into practice after the EU passed the GDPR in 2018 and a lot of companies had to remodel their functioning accordingly. Such legislation in India will place India in an internationally favourable position for data processing and can boost the service sector like IT services, BPO processes and as a reliable cloud storage destination. A lot of companies are switching to Cloud Servers after the Work from Home (WFH) arrangement was forced upon the world Post-COVID outbreak. India’s Personal Data Protection bill might give an unprecedented upswing to the country’s IT might worldwide. Also, China being an authoritarian dictatorship and its dismal past records of data transparency; can never pass any such law that can give the world the necessary confidence regarding data privacy and protection. India certainly has an advantage and practically a freehand up till now.

The legislation once approved, might lead to a temporary downtrend of companies in India while they make sense of the new law. Though, after the initial phase, the businesses will be able to bounce back and prosper. A similar trend was seen previously in India at the time of GST, and also in Europe after GDPR was put into function.

The Criticism of the Proposed Bill

Apart from becoming a small “speed breaker” for Indian businesses who will have to modify their function under the proposed law, another major issue is that the bill removes some safety checks for the government organisations. Plainly put, the government can look into individual data any which way they want to maintain public order and sovereignty. This criticism though is largely misunderstood and oversimplified. We live in a 24x7 connected world that comes with its unique challenges like cyber terrorism, fake news, hate content and cyber warfare to name a few. No country can ignore it including India. This “cyber-surveillance” is necessary, although temporarily until the internet matures to have automatic safety checks in place. With Artificial Intelligence stepping up, it might be possible for the Internet to respect individual privacy by authorizing algorithms to maintain order. Till that happens, humans will have to step in the shoes.

Also, even the GDPR of the European Union considers the national safety important and has proper procedures for any country to demand individual-level data to keep their country safe from cyber attacks and related criminal and terrorist activities. To say that Indian proposed law is “authoritarian” and paving way for an “Orwellian” world might be wrong and a bit too farfetched. 


Such a law is the need of the hour. India is home to the second largest population of the world and is already considered as a major market for businesses globally. Stringent data laws will ensure that India’s data remains in safe hands. The Prime Minister has repeatedly referred to “Data is the New Oil”. The economic significance of good data privacy and processing practices are undisputed. As the renowned American business executive, John Francis Welch Jr. once said “An organization’s ability to learn, and translate that learning into action rapidly, is the ultimate competitive advantage.” The Personal Data Protection Bill might give India a similar competitive advantage globally.

About the Author

Abhishek Ranjan is the Founder of Policy Matrix, a platform to connect policy enthusiasts with policy experts! He has worked with Members of Parliament across party lines and holds 6 years of experience in legislation and public policy.

About Co-author

Siddhartha Ghosh is a Ph.D. Research Scholar in the Department of Management Sciences, Mahatma Gandhi Central University. He has more than six years of corporate experience and has worked in various positions in Bank, Marketing Research, and Skill Development.

Add a comment & Rating

View Comments