
An overview of the Personal Data Protection Bill, 2018

Author of this article – Mr. SandeepG, Vth Year, LL.B (Hons.), Sastra Deemed to be University.

In recognition of the Right to Privacy as a fundamental right under Article 21 of the Indian Constitution, the Union Cabinet has approved the Personal Data Protection Bill. The bill protects personal data processed by the Data Fiduciary (an individual, state or any juristic entity that determines the purpose and means of processing the data of the Data Principal) and the Data Processor (who processes and possesses personal data on behalf of the Data Fiduciary). The Bill covers Aadhaar Data, Biometric Data, Anonymisation, Financial Data, Genetic Data, Health Data, and Personal Data including Sensitive Personal Data. Processing implies operations such as collection, storage, alteration, retrieval, use, organisation, transmission, disclosure and erasure of the data.

Chapter II of the bill specifies the Data Protection Obligations: processing personal data fairly and reasonably, and limiting the processing of data to the purposes specified. The Data Fiduciary is also required to notify the Data Principal about the purposes for which the data may be processed and the rights of the Data Principal as specified in the bill, which are the right to withdraw consent, the right to be forgotten, the right to obtain a summary from the Data Fiduciary of the activities performed by him using the information of the Data Principal, the right to have the provided or processed information received or transferred to himself or to any other entity, and the right to file a complaint before the authority. Further, the Data Fiduciary should notify the basis of such processing and the consequence in the event of failure to provide such personal data, the sources of personal data, information regarding cross-border transfer of the personal data, sharing of personal data with other entities, and procedural aspects concerning the grievance redressal mechanism. (Section 8 and Section 24 – 28)

The Data Fiduciary shall take all reasonable steps to maintain the accuracy of the Personal Data, and the data shall be stored only so long as necessary, except in the circumstances required by the law. (Section 9 and 10)

The Personal Data may be processed on these grounds: consent of the Data Principal, requirement for the state functions authorised by the parliament or state legislature, mandate of the judicial institution, circumstances wherein there is a need to protect life, public order or public health, and purposes related to employment under the Data Fiduciary. Further, the personal data may be processed for the purposes pertinent to whistleblowing, mergers and acquisition, prevention and detection of unlawful activities, network and information security, credit scoring, and recovery of debt; processing of publicly available personal data may also be carried out. In addition to the need for explicit consent, the grounds for processing the sensitive personal data are similar to the aforementioned grounds. (Section 12 to 22)

The bill provides for appropriate mechanisms, such as age verification and parental consent, to protect the personal data of children. (Section 23) The Data Fiduciary shall implement necessary policies and measures to ensure transparency and security for the data processed. (Section 29-32)

The bill provides for a Data Protection Officer who monitors the activities of the Data Fiduciary and carries out the purposes of the act. (Section 36) Cross-border transfer of personal data is permissible subject to certain conditions specified in the bill. (Section 40-41) The exemption from the applicability of certain provisions of the bill extends to processing of personal data for the security interests of the State, prevention, investigation, detection or prosecution of contraventions of law unless such processing is backed by the law of the parliament or state legislature; it also extends to legal proceedings, research, archiving or statistical purposes, journalistic purposes, personal or domestic purposes, and processing done manually by small entities. (Section 42 – 48)

The Bill provides for the establishment of the Data Protection Authority of India; the composition and qualification for the appointment of members thereof; terms and conditions of the appointment and removal of members; powers of the chairperson; meetings of the authority; officers and employees of the authority; grants by the central government; accounts and audit; furnishing returns to the central government; powers and functions of the authority; codes of practice; power to issue directions; power to call for information; power to conduct inquiry and take action pursuant thereto; power of search and seizure; comity between the authority and other regulators; and appointment of an adjudicating officer. (Section 49 – 68)

Further, the bill provides for penalties and remedies, including compensation. (Section 69 – 76) The bill enables the constitution of Data Protection Funds, Appellate Tribunals, and procedures pertaining thereto. (Section 77 – 89) Obtaining, transferring or selling of personal data or sensitive personal data contrary to the act, and re-identification and processing of de-identified personal data, are cognisable offences as per the bill. (Section 90-93)


