Personal Data Protection Bill – Answering what, how & other aspects


Every Indian citizen is guaranteed fundamental rights under Part III of the Indian Constitution. Citizens have the right to equality, the right to liberty, the right to freedom of religion, and other rights. With the passing of time and the occurrence of events, another citizen’s right – the ‘Right to Privacy’— emerged and came to the forefront.

According to a Supreme Court ruling, the citizens of India have the right to privacy. This ruling came concerning privacy related to personal information. The personal information of an individual is an extremely critical part of life.

Such information can be used for various wrongful purposes such as fraud, cybercrimes, harassment, etc. To enforce the right of the citizen and to protect them from exploitation, the Government of India issued The Personal Data Protection Bill.

The goal of this article is to provide a thorough understanding of the Data Protection Bill: its background, its important components, and the events that have occurred concerning the law over time.

What happened with the bill

The bill was withdrawn from the Lok Sabha on August 3, 2022, by the Government of Electronics and Information Technology. The proposed bill was subject to 12 recommendations and 18 amendments. The government promised that it would introduce a new act in the budget session of 2023 that would include substantial reform in its entirety.

About the bill

Before understanding the Data Protection Bill, let us understand what “Personal Data” is.

According to GDPR (General Data Protection Regulation), Personal Data is any information relating to an identified or identifiable natural person.

Personal information is data that can be used to identify an individual. Personal information distinguishes one person from another and gives each person their own identity. Each person’s biometric information is distinctive. Personal data also includes names, surnames, phone numbers, and addresses.

The bill categorizes data into 3 types:

  1. Personal Data
  2. Sensitive Personal Data: Financial Data, Biometric Data, Health Data, Caste, Religious/Political Belief.
  3. Critical Personal Data: The bill provides that any data notified as critical by the Central Government will be Critical Personal Data.

The bill’s primary goal is to uphold citizens’ rights to privacy. Additionally, it strives to safeguard individuals’ data. The government wants to build trust between people and organizations through this bill so that there will not be any conflicts and the organizations may continue operating effectively. The bill specifies regulations for businesses to follow to prevent the exploitation and abuse of citizens’ data.

Important aspects of the Data Protection bill

The Bill specifies that before processing data, the person’s consent must be obtained.

After providing consent, the citizen has rights regarding information processing:

  1. The citizen can check whether their data has been processed.
  2. They can make corrections to their personal data.
  3. Their personal information can be given to another data fiduciary.
  4. Data processing should be restricted if consent is withdrawn.

The Bill applies to the Indian government, Indian businesses, and foreign companies that interact with the personal information of Indian citizens.

Data fiduciaries should only process personal information for specific, clear & lawful purposes. Such data processing should be legitimate and have a defined objective.

The legislation also calls for the creation of a data protection authority. The authority will assess whether the bill is being followed. Its goal is to safeguard both personal information and individual rights.

In addition to these, the bill outlined guidelines for processing children’s data, social media intermediaries, data transfers outside of India, sharing non-personal data with the government, the circumstances in which data processing is permitted without consent, and so on.

History of the bill

The landmark case that established the right to privacy is Justice K.S. Puttaswamy v. Union of India. A significant ruling by the Supreme Court declared privacy to be a basic right.

Justice K.S. Puttaswamy, a retired judge from the High Court, filed a petition in the Supreme Court in 2012 to declare the Aadhaar Scheme unconstitutional. The Aadhaar Scheme, he claimed, infringed people’s right to privacy. Subsequently, a Constitutional Bench of nine judges was established on July 18, 2017, to decide whether the right to privacy is a fundamental right under the Constitution.

The nine-judge bench unanimously declared on August 24, 2017, that the right to privacy is a basic right protected by Part III of the Constitution. The Supreme Court reversed its earlier decisions in the cases of Kharak Singh v. the State of UP and MP Sharma v. Satish Chandra because they did not recognize the right to privacy as a fundamental right.

Journey of the bill

July 2017 - The IT ministry set up a committee to assess the issues related to data privacy and come up with solutions. Justice B.N. Srikrishna, a retired SC judge, headed the committee.

July 2018 - A report titled “A Free & Fair Digital Economy – Protecting Privacy, Empowering Indians” was released by the Srikrishna Committee. A draft of the Data Protection Bill was also presented by the committee along with the report.

4th December 2019 - The draft bill was approved by the Cabinet Ministry of India.

11th December 2019 - The bill was introduced in the Lok Sabha by Minister of Electronics & IT Ravi Shankar Prasad. A Joint Parliamentary Committee (JPC) was established to review the Bill and provide recommendations. The Committee was chaired by Meenakshi Lekhi, a BJP Member of Parliament.

16th December 2021 - The Joint Parliamentary Committee released the report.

3rd August 2022 - IT Minister Ashwini Vaishnaw withdraws the bill from Lok Sabha.

Data laws in other countries

  1. The General Data Protection Regulation (GDPR) is the data privacy law of the European Union. The GDPR replaces the 1955 EU Data Protection Directive. According to GDPR Article 5, the processing of personal data must be fair, transparent, and legitimate, and the data must be gathered for a clear and legal purpose. Under Art. 84, it also imposes severe penalties for violating the law.
  2. PIPEDA: The Personal Information Protection and Electronic Documents Act is a Canadian federal privacy law that applies to businesses in the private sector. To respect people’s fundamental right to privacy, PIPEDA restricts how businesses may collect, use, and disclose their customers’ personal information while engaging in business activities.

Ten Fair Information Principles were also provided by the PIPEDA statute. These guidelines set forth what private entities must do and how they must treat personal data. These are the main guidelines outlining the obligations that private entities must follow.

  3. The Brazilian data privacy law is known as the General Data Protection Law. The EU GDPR has a significant influence on it. The law went into force on September 18, 2020. According to Article 7, data may only be processed in the following situations:
    1. When consent has been obtained;
    2. When a legal or regulatory requirement is being fulfilled; and
    3. By public administration.

     The law also grants data subjects several rights.

Other nations with data protection laws include Argentina, France, Germany, Ireland, the Philippines, Singapore, and others.

Current legislation

There are some provisions in other legislation to protect data:

Information Technology Act, 2000: According to Section 43A, a body corporate that works with, possesses, or handles sensitive personal data is liable to pay damages to the injured party if it is careless in ensuring reasonable security and this results in a wrongful gain or loss to any person.

According to Section 72A, a person who, while providing a service under a valid contract, reveals personal information without the subject’s consent faces a penalty.

Information Technology Rules, 2011: Under subsection (2) of section 87 read with section 43A of the Information Technology Act, 2000, the government issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011. The rules serve as a general set of guidelines that businesses must comply with while handling sensitive personal data.

A body corporate is required under Rule 4 to provide a privacy policy for handling or dealing with personal information, and the policy must be made available on the body corporate’s website.

Prior permission from the information provider is required under Rule 6 before sharing information with another party. However, prior approval is not necessary when exchanging information with government organizations to verify identification or for the investigation, prosecution, and punishment of crimes.


The government’s Data Protection Bill was a commendable effort. However, there were issues with the bill that drew criticism from several parties. The bill did not keep pace with rapidly changing technology and a developing society. The recommendations and amendments were presented to ensure that the law is appropriate for the current situation and that there are no opportunities for data fraud or vulnerabilities.

A data protection law is now very necessary. In the absence of such regulation, commercial entities may abuse data, making citizens their victims. Despite the existence of provisions in other laws, citizens will not have a reliable means of enforcing their rights without a straightforward statute. It seems that India’s population will have to wait a little longer to obtain its data protection legislation.



This article has been authored by Mohammed Adnan Khan, a student at Nirma University, Ahmedabad.
