Mains Article

Data Protection Bill, 2019[Mains Article]

The Personal Data Protection (PDP) Bill, 2019 has been approved by the Cabinet and is scheduled to be placed in the ongoing winter session of Parliament.
By IT's Mains Articles Team
March 09, 2020


  • Introduction
  • What is data?
  • Importance of data
  • Who handles our data and how that is done?
  • How does the PDP Bill propose to regulate data transfer?
  • Three new key aspects in the PDP Bill, 2019
  • Other key features of the PDP Bill
  • Two sides of the debate over PDP bill, 2019
  • Conclusion
  • IT’s Input

Data Protection Bill, 2019

For IASToppers Mains Articles Archive, Click Here


The Personal Data Protection (PDP) Bill, 2019 has three new key aspects that were not previously included in its draft version. The Draft version of the bill was prepared by committee headed by retired Justice B N Srikrishna.

What is data?

  • Data is any collection of information that is stored in a way so computers can easily read them i.e. in 0 and 1 format.

Importance of data

  • The large collection of information about us and our online habits has become an important source of profits for the companies but it also has become a potential avenue for invasion of privacy because it can reveal our extremely personal aspects.
  • Companies, governments, and political parties find it valuable because they can use this data to find the most convincing ways to advertise to us online.
  • From the above points it is clear that all the future’s economy and law enforcement will be predicated on the regulation of data which will give arise the issues of national sovereignty.

Who handles our data and how that is done?

  • Data is stored in a physical space similar to a file cabinet of documents, and transported across country borders in underwater cables that run as deep as Mount Everest and as long as four times the Indian Ocean.
  • To be considered useful, the data has to be processed which means it needs to be analysed by computers.
  • Data is collected and handled by entities called data fiduciaries. While the fiduciary controls how and why data is processed, the processing itself may be done by a third party i.e. data processor.
  • This distinction is important to specify responsibility as data moves from entity to entity. For example, in the US, Facebook (the data controller/fiduciary) fell into controversy for the actions of the data processor — Cambridge Analytica.
  • The physical attributes of data i.e. where data is stored, where it is sent and where it is turned into something useful are called data flows.
  • The Data localization arguments are theorized on the idea that data flows determine who has access to the data, who makes profits out of it and who taxes and who “owns” it. However, many contend that the physical location of the data is not relevant in the cyber world.

How does the PDP Bill propose to regulate data transfer?

  • To legislate on the topic, the Bill trifurcates personal data.
  • The umbrella group is all personal datadata from which an individual can be identified.
  • Some types of personal data are considered sensitive personal data (SPD), which the Bill defines as financial, health, sexual orientation, biometric, genetic, transgender status, caste, religious belief and more.
  • Another subset of personal data is critical personal data. The government at any time can comprehend something critical and has given examples as military or national security data.

Three new key aspects in the PDP Bill, 2019

There are three significant changes from the version drafted by a committee headed by the Justice B N Srikrishna Committee.

Individual consent for data transfer abroad:  

  • A provision of draft which said that all fiduciaries must store a copy of all personal data in India was criticised by foreign technology companies that store most of Indians’ data abroad and even some domestic startups that were worried about a foreign backlash.
  • The approved Bill removes this stipulation, only requiring individual consent for data transfer abroad.
  • Similar to the draft, the Bill still requires sensitive personal data to be stored only in India. It can be processed abroad only under certain conditions including approval of a Data Protection Agency (DPA).
  • The final category of critical personal data must be stored and processed in India.

Fiduciaries should mandatorily give the government any non-personal data when demanded:

  • The Bill mandates fiduciaries to give the government any non-personal data when demanded.
  • Non-personal data refers to anonymised data such as traffic patterns or demographic data.
  • The previous draft did not apply to this type of data which many companies use to fund their business model.

Social media companies develop their own user verification mechanism:

  • The Bill requires social media companies which are deemed significant data fiduciaries based on factors such as volume and sensitivity of data as well as their turnover, to develop their own user verification mechanism.
  • While the process can be voluntary for users and can be completely designed by the company, it will decrease the anonymity of users and “prevent trolling”.

Other key features of the PDP Bill

  • The Bill includes exemptions for processing data without an individual’s consent for “reasonable purposes”, including security of the state, detection of any unlawful activity or fraud, whistleblowing, medical emergencies, credit scoring, operation of search engines and processing of publicly available data.
  • The Bill calls for the creation of an independent regulator Data Protection Agency (DPA), which will oversee assessments and audits and definition making.
  • Each company will have a Data Protection Officer (DPO) who will liaison with the DPA for auditing, grievance redressal, recording maintenance and more. The committee’s draft had required the DPO to be based in India.
  • The committee’s draft had several other significant keywords that are expected to be in the Bill. “Purpose limitation” and “collection limitation” limit the collection of data to what is needed for “clear, specific, and lawful” purposes or for reasons that the data principal would “reasonably expect”.
  • It also grants individuals the right to data portability and the ability to access and transfer one’s own data.
  • It legislates on the right to be forgotten. This provision has its historical roots in European Union law. This right allows an individual to remove consent for data collection and disclosure. After the Cabinet approval of the bill, this concept is still “evolving” and has not been “concretised” yet.

Two sides of the debate over PDP bill, 2019

In favor of data localization

  • A common argument from government officials has been that data localisation will help law-enforcement access data for investigations and enforcement.
  • Much of cross-border data transfer is now governed by individual bilateral “mutual legal assistance treaties”. It is cumbersome process and almost all stakeholders agree upon that.
  • The supporters of data localisation highlight security against foreign attacks and surveillance notions of data sovereignty. The government doubled down on this argument after news broke that 121 Indian citizens’ WhatsApp accounts were hacked by an Israeli software called Pegasus.
  • Even before that, the argument was used prominently against WhatsApp when a spate of lynchings across the country linked to rumours that spread on the platform in the summer of 2018.
  • WhatsApp’s firm stance on encrypted content have frustrated government officials around the world.
  • Many domestic-born technology companies, which store most of their data exclusively in India, support localisation. PayTM has consistently supported localisation (without mirroring), and Reliance Jio has strongly argued that data regulation for privacy and security will have little teeth without localisation, calling upon models in China and Russia.
  • Many economy stakeholders say localisation will also increase the ability of the Indian government to tax Internet giants.

Against the data localisation and this bill

  • Civil society groups have criticised the open-ended exceptions given to the government which allow the surveillance by the government.
  • Some lawyers contend that security and government access are not achieved by localisation. Even if the data is stored in the country, the encryption keys may still be out of reach of national agencies.
  • Technology giants like Facebook and Google and their industry bodies, especially those with significant ties to the US, have slung heavy backlash.
  • Many are concerned with a fractured Internet (or a “splinternet”), where the domino effect of protectionist policy will lead to other countries following suit. Much of this sentiment constrains the values of a globalised, competitive internet marketplace, where costs and speeds determine information flows rather than nationalistic borders.
  • Opponents of data localisation say protectionism may backfire on India’s own young startups that are attempting global growth.
  • It can also backfire on larger firms that process foreign data in India, such as Tata Consulting Services and Wipro.


  • The Personal Data Protection Bill, 2019 aims to protect the privacy of individuals with respect to their personal data and governs the relationship between individuals and entities processing their personal data.
  • It simultaneously strives to create a robust digital economy by ensuring innovation through digital governance.
  • On the one hand, certain changes made to the Bill may prove to business friendly by providing for increased certainty, on the other hand, other changes (e.g. requirement to share anonymized and non-personal data with the Government, obligations relating to social media verification47, etc.) may prove to be a source of concern.

IT’s Input

What is Splinternet?

  • The Splinternet is also referred to as Cyber Balkanization or Internet Balkanization.
  • This term was first used in the year 2001 to describe the concept of ‘parallel internets that would run as distinct, private and autonomous universe.
  • It is a phenomenon that involves the existence of various local internet networks, divided by the geographical frontiers of different countries and regulated by national laws. It results in the fragmentation of the World Wide Web and becomes a series of internets which are administered as parallel universes and each one will be autonomous, separate, and private.
  • Examples of the splinternet phenomenon are the control of content by the authorities in China, or the blocking of certain U.S. media outlets to users located in Europe as a result of the new data-protection law i.e. General Data Protection Regulation, GDPR approved by the European Union.
  • The internet is splitting into various versions that offer something different which depends on the location of a person.
Mains 2020 Mains Articles

IT on Facebook

Facebook Pagelike Widget


Calendar Archive

October 2020
« Sep