An Insight Into the Data Protection Bill 2019

Must Read

Ed-Tech Companies and the Consumer Protection Act

In the present time when the whole country is getting back to normal after the wrath of the Coronavirus,...

The Right to Information and its Working of 15 years

On 12th October 2020, RTI finished fifteen years since its commencement. The question remains whether the legislation stands up to...

An Insight into Custodial Death in India

“The occurrence of Custodial deaths in the world’s greatest democracy has raised the eyebrows of every citizen and shaken...

Implications in Travel Insurance in Light of the COVID-19 Crisis

As the world, today is crippled by this once in a century pandemic and as of date more than...

Second-Round Effects of Rent Control Laws: The Argentine Case

Introduction In colonial India, a city had an issue with its cobra population, which was a problem clearly in need...

Why Are the Big Techs of Silicon Valley Accused of Anti-Competitive Behaviours?

The big tech giants of the Silicon Valley are facing major challenges with relation to their monopolistic powers after...
Somnath Iyer
I am Somnath Iyer (Legal Associate, M. Tripathi & Co., Mumbai) practising at Bombay High Court, specialising in Commercial, Criminal and Cyber-Tech Law.

Follow us

In the matter between Puttaswamy v India, the Hon’ble Apex Court vide its order dated 24/07/2017 declared “Right to Privacy” as a fundamental right under the Constitution of India on the basis of which the Hon’ble Supreme Court asked for the formation of strong Data Protection Rules. As such a committee was formed by the Supreme Court Judge, Mr B. N. Srikrishna and the  Draft Personal Data Protection Bill, 2018 was first introduced and then subsequently on December 11, 2019, the Personal Data Protection Bill, 2019 (“PDPB”) was introduced in Lok Sabha by the Minister of Electronics and Information Technology.

Aim of the Bill

The aim of this Bill is to provide for the protection of privacy of individuals relating to their Personal Data, creation of framework, guidelines and accountability measures for processing personal data by data fiduciaries and lastly to establish a Data Protection Authority of India.

Study of the 2019 Bill in comparison to the 2018 Bill

The extent to which the 2018 Bill was applicable extended to the whole of India while the 2019 Bill does not contain any such provision and means that the Bill applies to the processing of any personal data by entities located outside India if such personal data is processed that involves offering goods or services to individuals located in India albeit provided outside India. 

Section 43A and Section 87 of the Information Technology Act, 2000 shall be repealed.

The definition of ‘Aadhaar number’ has been removed from the 2019 Bill. Unlike the 2018 Bill, the 2019 Bill contains a definition of a ‘Data Auditor’. Under the 2019 Bill, Data Localization requirements for personal data have been relaxed. However, storage and transfer of sensitive personal data and critical personal data are still restricted. 

The 2018 Bill required the data fiduciary to take reasonable steps to ensure that personal data processed is complete, accurate, not misleading and updated, having regard to the purposes for which it is processed. In the 2019 Bill, the word “reasonable” has been replaced with “necessary”. 

Under the 2018 Bill, personal data could be retained for a longer period if explicitly mandated, or necessary to comply with any obligation, under a law. Under the 2019 Bill, personal data may be retained for a longer period if explicitly consented to by the data principal, or necessary to comply with any obligation under any law for the time being in force. 

Further, the 2018 Bill states that: “The data fiduciary shall retain personal data only as long as may be reasonably necessary to satisfy the purpose for which it is processed”. On the other hand, Clause 9 the 2019 Bill states that “The data fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it is processed and shall delete the personal data at the end of the processing.”

The Definition of Personal Data as per the 2018 Bill has been widened in the 2019 Bill which now includes “such characteristics or traits will also include any inference drawn from such data for the purpose of profiling apart from everything else in the 2018 Bill.

Under the 2018 Bill, the Data Protection Authority consisted of a chairperson and six whole-time members, while under the 2019 Bill the DPA may consist lesser than six members. The Selection Committee under the 2019 Bill does not include a judicial member and will be comprised of (i) Cabinet Secretary as the chairperson, (ii) Secretary, Department of Legal Affairs, and (iii) Secretary, Ministry of Electronics and Information Technology. as different to the 2018 Bill where it consisted of the Chief Justice of India (“CJI”) or a Supreme Court judge nominated by him and an expert in the field of data protection, information technology and related subjects.

The term Social Media Intermediaries was not defined under the 2018 Bill. Under the 2019 Bill, a definition of Social media intermediaries is provided which is “an intermediary which enables online interaction between users and allows for sharing of information”. 

Additionally, the 2019 Bill removes the provision for mandatory storage of all personal data in the country. The Bill provides that all sensitive personal data must continue to be stored in India. Such data can be transferred outside India if explicitly consented by the individual, and subject to certain additional conditions. 

Further, the 2018 Bill allowed personal data, including sensitive personal data, to be processed without the data principal’s consent, for purposes related to employment. On the other hand in Clause 12 of the 2019 Bill, only personal data which is not sensitive personal data can be processed without the data principal’s consent, for purposes related to employment. The word “password” has been deleted under the 2019 Bill under the definition of “Sensitive Personal Data”.

The data principal whose data is being processed derives a right under Clause 18 of the 2019 Bill to seek the removal of the user’s personal data which is no longer necessary for the purpose for which it was processed. Such right of deletion was lacking in the 2018 Bill.

The concept of “Consent Manager” is introduced vide Clause 23 of the 2019 Bill. The 2019 Bill allows Data Principals to make requests through consent managers and also allows them to withdraw their consent through such Consent Managers. Clause 26 of the 2019 Bill uses the phrase ‘Significant Data Fiduciary’ while its parallel Clause 34 in the 2018 Bill used the phrase ‘Data Fiduciary’.

Every significant data fiduciary shall appoint a Data Protection Officer possessing such qualifications and experience, for carrying out certain functions under Clause 40 of the 2019 Bill. In the 2018 Bill, a DPO was required to be appointed by all data fiduciaries. The same is required in the Draft Bill to be appointed only by a significant data fiduciary.

The 2019 Bill requires Social Media Intermediaries which have been notified as significant DFs to allow users to voluntarily verify their accounts. There was no such requirement under the 2018 Bill. The 2019 Bill allows for wider exemptions from its application for government agencies, as compared to the 2018 Bill. The 2018 Bill allowed the government such exemptions only in the interests of the security of the State based on the principles of necessity and proportionality.

The 2019 Bill gives the Central Government the power to exempt any government agency from the purview of the 2019 Bill, subject to such procedure, safeguards and oversight mechanism as may be prescribed by the central government. The 2019 Bill also allows for exemptions in the interest of the sovereignty, integrity, friendly relations with foreign states and public order, which were not present in the 2018 Bill.

Under the 2019 Bill, the Investigating Officer can exercise powers of search and seizure only after getting a Court Order. In contrast under the 2018 Bill, the DPA could authorize an officer to exercise powers of search and seizure directly. The 2019 Bill allows the Investigating Officer to retain the material seized until the inquiry is concluded. Conversely, under the 2018 Bill, the Investigating Officer could not retain the material seized for a period of more than six months subject to certain exception.

Further, the 2019 Bill after taking into consideration the emerging technologies such as Artificial Intelligence and Machine Learning has incorporated and a new provision under Clause 40 for creating a Sandbox for encouraging innovation.


The Government of India through the invention of the Personal Data Protection Bill aims to protect the privacy of individuals with respect to their personal data and governs the relationship between individuals and entities processing their personal data.


1. The Draft Personal Data Protection Bill, 2018; The Personal Data Protection Bill, 2019.

2. Clause_Comparison_27122019.pdf. is now on Telegram. Follow us for regular legal updates and judgments from the court. Follow us on Google News, InstagramLinkedInFacebook & Twitter. You can also subscribe to our Weekly Email Updates. You can also contribute stories like this and help us spread awareness for a better society. Submit Your Post Now.


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Latest News

Bombay High Court Passes Order To Clarify and Modify Previous Order When State of Maharashtra Moved Praecipe

Division Bench of Bombay High Court consisting of Justice S. V. Gangapurwala and Justice Shrikant D. Kulkarni had passed an Order on 25th October...

The European Court of Human Rights Orders Germany To Pay Non-Pecuniary Damages for Prison Strip-Searches 

A serving German prisoner was repeatedly stripped searched for non-legitimate purposes. The European Court of Human Rights (ECHR) found that Germany had violated the...

Lack of Independent Witness Doesn’t Vitiate Conviction: Supreme Court

A three-judge Bench of the Supreme Court in Rajesh Dhiman v State of Himachal Pradesh clarified the law in case of lack of independent...

Madras High Court Observes Unexplained Delay in Procedural Safeguards, Quashes Detention Through Writ Petition

A Writ Petition was filed under Article 226 to issue a writ of Habeas Corpus. The petitioner P. Lakshmi, called for records of the...

UK Court of Appeal Rules Home Department’s Deportation Policy of Immigrants Unlawful

Britain’s Court of Appeal quashed the Home Department’s deportation policy, declaring it unlawful; criticizing it for being too stringent on immigrants to comply with. Background The...

Supreme Court Stays Order Restraining Physical Campaigns in the Madhya Pradesh Bye-Elections

On the 26th of October, a Bench was set up which comprised Justice AM Khanwilkar, Justice Dinesh Maheshwari, and Justice Sanjiv Khanna. They heard...

Inordinate and Unexplained Delay in Considering Representation by Government Renders Detention Order Illegal: Madras High Court

A Petition under Article 226 of the Constitution was filed in the Madras High Court to declare the detention order of the husband of...

Supreme Court Asks Petitioner to Approach Bombay High Court in PIL for CBI Probe in Disha Salian Case

On the 26th of October 2020, the Apex Court heard the PIL praying for a CBI probe into the death of Disha Salian. The...

Privy Council Clarifies Approach To Winding up in “Deadlock” Cases in the Case of Chu v. Lau

The Judicial Committee of the Privy Council clarified several aspects of the law concerning just and equitable winding-up petitions, as well as shareholder disputes...

Madras High Court Directs Hospital To Submit Necessary Medical Reports to Authorization Committee for Approval of Kidney Transplant

A Writ Petition was filed under Article 226 to issue a Writ of Mandamus to K.G. Hospital, Coimbatore by P. Sankar & V. Sobana....

More Articles Like This

- Advertisement -