Personal Data Protection Act

What is Personal Data Protection Bill (PDP) – 2019 India?

All about Personal Data Protection Bill (PDP) – 2019, India

Monday, May 11, 2020

Personal Data Protection refers to securing one’s privacy during the collection, storage and dissemination of personal data, and a privacy law or Personal data protection law is all about protecting that personal information from being leaked or misused. The world’s largest democracy – the Republic of India, has Constitutional privacy protection under several sectoral laws and acts (i.e. under “THE INFORMATION TECHNOLOGY ACT, 2000”, Section 66 & 72); but no omnibus single privacy law as on date.

In July 2017, the Ministry of Electronics and Information Technology (MeitY), an entity of Government of India, constituted a committee of experts under the chairmanship of the retired Supreme Court judge Justice B. N. Srikrishna, to study the issues related to data protection in the country. After working for a year, the committee submitted the first draft The Personal Data Protection Bill (PDPB), 2018 in July 2018 and suggestions was solicited from ministers, stakeholders, consultants and industry experts. Based on received suggestions, a revised draft of the bill – The Personal Data Protection Bill (PDP) Bill, 2019 was submitted in the Lok Sabha, the lower house of parliament, on December 11, 2019, and has been sent to a Joint Parliamentary Committee for further deliberations before being taken up for passing.

Personal Data Protection Bill India

Key Highlights of PDP Bill 2019:

    • Personal Data Protection Bill 2019 is a bill to provide for protection of the privacy of individuals relating to their personal data, laying down norms for social media intermediary, cross-border transfer of data, accountability of entities processing personal data, remedies for unauthorised and harmful processing, and to establish a Data Protection Authority of India for the said purposes. This Act may be called Personal Data Protection Act, 2019 (PDPA).


    • Definitions for different engagement bodies are defined in bill. Few of important ones are:
      1. “data fiduciary” means any person, including the State, a company, any juristic entity, or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data. (e.g. Data owners like banks who collect records).
      2. “data principal” means the natural person to whom the personal data relates (Person/Identity)
      3. “data processor” means any person, including the State, a company, any juristic entity or any individual, who processes personal data on behalf of a data fiduciary (e.g. IT company or cloud service providers)


    • As per section 2(36) of PDP Bill, Sensitive personal data is now defined as such personal data which may, reveal, be related to, or constitute:
      1. Financial data
      2. Health data
      3. Official identifier
      4. Sex life
      5. Sexual orientation
      6. Biometric data
      7. Genetic data
      8. Transgender status
      9. Intersex status
      10. Caste or tribe
      11. Religious or political belief or affiliation or
      12. Any other data categorised as sensitive personal data by Central Government, in consultation with the authority and the sectoral regulator concerned


    • To regulate the handling of personal data during the creation, possession, deletion, and processing of “sensitive” and “critical” personal data, PDPB recommends establishing a Data Protection Authority of India (DPAI) for enforcement and regulations.


    • Similar to General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), PDPB works around consent-based data sharing and processing. As per bill, the personal data shall be collected only to the extent that is necessary and a notice to be given by data fiduciary to data principal (whose data is collected) beforehand for:
      1. Purpose: the purposes for which the personal data is to be processed.
      2. Data type: the nature and categories of personal data being collected.
      3. Data Fiduciary details: the identity and contact details of the data fiduciary and the contact details of the data protection officer, if applicable.
      4. Right to withdraw: the right of the data principal to withdraw his consent.
      5. Base: the basis for such processing.
      6. Source: the source of such collection, if the personal data is not collected from the data principal.
      7. Further sharing: the individuals or entities including other data fiduciaries or data processors, with whom such personal data may be shared.
      8. Data movement information: information regarding any cross-border transfer.
      9. Time: the period for which the personal data shall be retained.
      10. Trust Score: where applicable, any rating in the form of a data trust score that may be assigned to the data fiduciary


    • Not just during data procurement/collection, PDPB has defined several Rights of Data Principal during the whole lifecycle of data:
      1. confirmation whether the data fiduciary is processing or has processed personal data of the data principal.
      2. the personal data of the data principal being processed (a copy of same)
      3. a brief summary of processing activities
      4. the identities of the data fiduciaries with whom his personal data has been shared by any data fiduciary
      5. Right to correction, completion of incomplete personal data, updation, and erasure.
      6. Right to be forgotten: The data principal shall have the right to restrict or prevent the continuing disclosure of his personal data by a data fiduciary


    • Prohibitions:

      1. Unwanted Processing under clause 4 – “No personal data shall be processed by any person, except for any specific, clear and lawful purpose.”.
      2. Clause 9 of the Draft Bill Restrict on retention of personal data beyond the period necessary.
      3. Grounds for processing of personal data without consent in certain cases: Clause 12 of the PDP Bill lists out certain cases which provides for processing of personal data without consent. Like, recruitment and termination of employment have been brought under categories of processing personal data. Similarly, if your data is publicly available, then too same can be processes without consent. Other such examples are operation of search engines, credit scoring, whistle blowing, fraud detections, recovery of debts etc. However, if such data meets the criteria of being sensitive data, then such processing cannot be done without prior consent.
      4. Prohibition on processing of sensitive personal data and critical personal data outside India: Clause 33 seeks to prohibit processing of sensitive personal data and critical personal data outside India.

      The provisions state that:

      1. Sensitive personal data may only be transferred outside India for the purpose of processing, when explicit consent is given by the data principal for such transfer, and where such transfer is made pursuant to a contract or intra-group scheme approved by the authority. Sensitive personal data may be transferred outside India, subject to conditions for transfer of sensitive personal data and critical personal data, but shall continue to be stored within India.
      2. Critical personal data (Definition not yet defined by the Government) can only be processed in India.


    • Privacy by design policy: Clause 22 seeks to list out the constituents of privacy by design policy. Every data fiduciary shall prepare a privacy by design policy. As per PDP Bill it is a mandatory requirement now for a certification of the privacy by design policy by the data protection authority. Such a policy is required to be published on the organisation and the authority’s website. PDB also ensured that every data fiduciary shall take necessary steps to maintain transparency in processing personal data.


    • Classification of data fiduciaries and Data protection officer (DPO): Clause 26 seeks to provide for the classification of certain data fiduciaries as significant data fiduciaries, including certain social media intermediaries. Clause 40 of the Draft Bill states that every significant data fiduciary shall appoint a data protection officer possessing such qualifications and experience as may be specified by the regulations, for carrying out certain functions. Earlier a DPO was required to be appointed by all data fiduciaries. The same is required in the Draft Bill to be appointed only by a significant data fiduciary.


    • Exemptions: Clauses 35-38 of the bill, refers to the Power of Central Government to exempt any agency of Government from application of Act, Exemption of certain provisions for certain processing of personal data, Power of Central Government to exempt certain data processors and Exemption for research, archiving or statistical purposes. The Central Government may, by notification, exempt from the application of this Act, the processing of personal data of data principals not within the territory of India, pursuant to any contract entered into with any person outside the territory of India, including any company incorporated outside the territory of India, by any data processor or any class of data processors incorporated under Indian law. However, such processing under exemptions must be for a specific, clear, and lawful purpose, with certain security safeguards.


    • Data Protection Authority of India: The PDP Bill sets up a Data Protection Authority which may: (i) take steps to protect interests of individuals, (ii) prevent misuse of personal data, and (iii) ensure compliance with the Bill. DPA will also work to promote awareness about data protection. It will consist of a chairperson and six members, with at least 10 years’ expertise in the field of data protection and information technology. Orders of the Authority can be appealed to an Appellate Tribunal. Appeals from the Tribunal will go to the Supreme Court.


    • Penalties: PDP Bill also incorporates multiple stringent penalties clauses for the effectiveness of law. Offences under the Bill include: (i) processing or transferring personal data in violation of the Bill, punishable with a fine of Rs 15 crore or 4% of the annual worldwide turnover of the fiduciary, whichever is higher, and (ii) failure to conduct a data audit, punishable with a fine of five crore rupees or 2% of the annual worldwide turnover of the fiduciary, whichever is higher. Re-identification and processing of de-identified personal data without consent is punishable with imprisonment of up to three years, or fine, or both. Few other penalty terms are hereunder:
      1. Penalty for failure to comply with data principal requests – INR 5000/- each day up to maximum 10 Lakh Rupees.
      2. Penalty for failure to furnish report, returns, information – INR 10,000/- each day up to maximum 20 Lakh Rupees.
      3. Penalty for failure to comply with direction or order issued by Authority – INR 20,000/- each day up to maximum 2 Crore Rupees.
      4. Penalty for contravention where no separate penalty has been provided – Maximum of 1 Crore Rupees.

      Not only this, the amount of any penalty imposed, or compensation awarded under this Act, if not paid, may be recovered as if it were an arrear of land revenue.


    • PDP Bill also talked about Security safeguards for security methods and tools like encryption, reporting of personal data breach, Maintenance of records, Audit of policies and conduct of processing, and Grievance redressal.


    • Amendments to other laws: The Bill amends the Information Technology Act, 2000 to delete the provisions related to compensation payable by companies for failure to protect personal data.




The Bill governs the processing of personal data by: (i) government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India.

Advantages to Civilians

The proposed Bill gives excessive priority for individual rights on data protection. As per the PDP Bill, citizens’ personal information can’t be collected, processed, and shared without their consent. Only the necessary data will be collected, and same can be used for pre-defined purposes only.

With this Citizens will have a peace of mind about the misuse of their personal data and will also get freedom from unwanted marketing and sales calls and Identity frauds.

The companies are required to be clear and concise on what data is collected, its purpose, how it’s used, where it’ll be stored and for how long the data will be retained. The Bill also permits customers to move their data from one provider to another and allows users to know the number of companies with whom the data is shared.

Criticism on the PDP 2019 Bill

The PDP Bill 2019 landed in controversy for being altered from what was proposed by the expert group in its first draft PDP Bill 2018. The Indian government wants to allow law enforcement agencies and authorized third parties to have access to citizen personal data. In other words, it will exempt any government agency from legal obligations. Industry experts have opinion that this may lead to data misuse. So, the controversy has led to a resistance, and delayed the passing of the bill.

PDP Impact on Businesses

This bill is a revolutionary step for India towards building the significant base of ‘trusted’ digital India services. It’ll change the way of business for all SMB companies, due to restriction on Data localization, establishment of Data Protection Authority, stringent penalty clauses and un-accounted Government agencies access of data. Considering the Stringent compliance & policies, and requirement of dedicated Data Protection Officers, most global firms will face challenges in-terms of increased compliance costs and boundation.


Currently the bill is pending for consultation under the Joint committee – with 20 members from the Lok Sabha or lower house, and 10 from the Rajya Sabha (upper house) and awaited to submit its report on same.

We look forward to the Draft Bill being recognised as a law in the forthcoming Monsoon session 2020.

You can download the PDP bill 2019, from below given link:

Data Classification:

This Website/document does not constitute any professional advice. The information in this document has been obtained or derived from different sources believed by to be reliable but does not represent that this information is accurate or complete. Any opinions or estimates contained in this document represent the judgment of at this time and are subject to change without notice. Readers of this publication are advised to seek their own professional advice before taking any course of action or decision, for which they are entirely responsible, based on the contents of this publication. neither accepts or assumes any responsibility or liability to any reader of this publication in respect of the information contained within it or for any decisions readers may take or decide not to or fail to take.

3 thoughts on “What is Personal Data Protection Bill (PDP) – 2019 India?”

  1. Pingback: Personal Data Protection Act-Latest Frequent Questions PDPA

  2. Pingback: The Brazilian Data Protection Law — LGPD Brazil - Data Privacy Acts

  3. Pingback: Proxy Server meaning and its Definitions, with amazing top 10 free Proxy server list - Data Privacy Acts

Leave a Comment

Your email address will not be published. Required fields are marked *