

Written by Amirdha Varshini, III year, SASTRA Deemed to be University


The law recognises two types of data: public data and private data. Public data refers to details which can be openly accessed, reused and redistributed by anybody, and which have no existing local, regional or foreign access or usage limitations. Birth records, death records, population counts, etc. are examples of public data. Private data or personal data, on the other hand, is confidential to an individual or organization and cannot be disseminated openly by others without prior authorization of the issue. Travel history, psychological characteristics, financial details, photographs, etc. are examples of personal data.

Article 21[1] of the Constitution guarantees the Right to Privacy for every individual. Initially, India's data protection and privacy regulation framework consisted of the Information Technology Act, 2000 ('the IT Act') and its related Rules on Information Technology ('Reasonable Security Practices and Procedures and Sensitive Personal Data or Information'), 2011 ('the IT Rules'). In July 2017, the Ministry of Electronics and Information Technology formed a committee to research data privacy issues. In July 2018, the Committee tabled the draft Personal Data Protection Bill. After more consultations, the Bill was authorised as the Personal Data Protection Bill, 2019 by the Indian cabinet ministry on 4 December 2019 and tabled in the Lok Sabha on 11 December 2019, and it is being examined by the Joint Parliamentary Committee.


  • The IT Act, 2000[2], was not really enacted with the main intention of providing data protection.

  • The scope and suitability of the provisions of the IT Act on Data Protection are very limited.

  • The IT Act regulations do not define any single government body that will regulate data security in India.

  • No provisions are laid down in the IT Act for data misuse except Section 72 A.

  • The scope of IT Rules is limited with respect to sensitive personal data.

  • The IT Rules apply only to data derived and transmitted electronically.

  • The IT laws do not apply to the government/state and extend only to corporate entities when a contractual agreement was not already in place, which means that it can potentially be bypassed when signing a contract.

The Act aims to preserve individuals' informational privacy by establishing a protective mechanism that governs how companies obtain and handle sensitive data, as opposed to protecting user privacy with a view to the consequent damage incurred by infringement of privacy.


Article 21 states that no citizen shall be deprived of the right to life and personal liberty except according to procedure established by law. The Indian Constitution includes the right to privacy under Article 21. In the case of the Unique Identification Authority of India v. Central Bureau of Investigation[3], the CBI obtained entry to the Unique Identification Authority of India database for the prosecution of an accused for a criminal offence. In an interim order, the Supreme Court held that the Unique Identification Authority of India could not pass the biometric details of any individual who has been issued an Aadhaar number to any other organisation without the written permission of that individual.

The most popular judgment was K.S. Puttuswamy v. Union of India[4], where the concept of privacy was debated in light of the Unique Identity Scheme. The question before the Court was whether the Constitution guarantees the right to privacy, and if so, what would be the source of that right, given that there is no specific provision in the Indian Constitution for privacy. The Court left the question to be dealt with by a larger bench, and a Supreme Court bench comprising nine judges decided on the matter. Information privacy was held to be a facet of the right to privacy. In that judgment, the Union Government was further ordered to examine the need for a robust data protection regime, balancing individual interests and legitimate state concerns. The Government responded by establishing a Committee of Experts led by Justice B.N. Srikrishna to analyze different issues related to data protection in India and to propose a Draft Data Protection Bill. According to the report released by the Committee, the Personal Data Protection Bill, 2019 was passed.


According to Section 3(28)[5] of the Personal Data Protection Bill, 2019, personal data is “data about or relating to a person or relating to a natural person who is explicitly or implicitly recognizable, having regard to any qualities, habits, attributes or other qualities of the identification of that natural person, whether online or offline or some mixture of these features with some other details, which shall include any inferences drawn from such data for the purposes of profiling”. The Bill also divides it into sensitive personal data and critical personal data. Sensitive data includes sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, etc. These data can be transferred outside India, but continue to be stored in India. Critical personal data, by contrast, cannot be transferred outside India unless reasonable protection is provided.


  • According to Section 14[6], there are exemptions for processing data without the consent of the individual for a reasonable purpose which includes prevention and detection of any unlawful activity including fraud, whistleblowing, mergers and acquisitions, network and information security, credit scoring, recovery of debt, processing of publicly available personal data and the operation of search engines.

  • Every company will have a Data Protection Officer as per Section 30[7]. The Officer will provide information, assistance and advice in consonance with the provisions of the Bill.

  • Section 41[8] guides the Central Government to form a Data Protection Authority of India.

  • Section 49[9] states that this Authority has an obligation to secure the interests of data principals, prevent the misuse of personal data, assure compliance and spread awareness about data protection.

  • Its other functions are to monitor the enforceability of the provisions, take appropriate action in case of any personal data breach, maintain a database of the fiduciaries with their trust scores, examine the data audit reports, issue certificates of registration, classify data fiduciaries, monitor the cross-border transfer of personal data, specify codes of practice, etc.

  • This Bill also includes 'Purpose limitation' and 'Collection limitation' clauses, which restrict the gathering of data to what is required for 'simple, precise and lawful' purposes.

  • Part V of the Bill provides rights such as:

      • Right to confirmation and access (Section 17[10])

      • Right to correction and erasure (Section 18[11])

      • Right to data portability (Section 19[12])

      • Right to be forgotten (Section 20[13])

  • According to Section 57[14], minor violations attract a penalty of Rs 5 crore or 2 percent of worldwide turnover, and more serious violations attract a penalty of Rs 15 crore or 4 percent of total worldwide turnover.

The implementation of these Sections would improve data protection, thereby protecting the right to privacy.


Justice B. N. Srikrishna, the drafter of the first bill, claimed that the Bill had the power to transform India into an "Orwellian State", which indicates the destruction of a welfare State. In an interview with Economic Times, Srikrishna stated, "The government may at any time connect directly to private data or government agency data on grounds of liberty or public order. It has serious effects. The Bill grants the Central Government of India the right to issue reasoned orders exempting the statutory authorities from the relevant data protection rules on grounds of national protection and supremacy and public order. Under Section 14[15] of this Bill, the Government may process personal data without consent for certain "reasonable purposes" including whistleblowing. The section, moreover, enables the government to determine, by means of a regulation, whether or not notification to the Data Principal is required. It may lead to the systemic abuse of whistleblowers who may be defrauded.


Despite all criticisms, the aforesaid Bill, through data localization, helps law enforcement agencies to access data for investigations. Cyber attacks and surveillance will be instantly checked. Social media was being used to distribute false news leading to crimes and national security risks, which can now be tracked, reviewed and stopped in time. Data localization would also improve the capacity of the Indian government to tax Internet giants. The right to privacy is a constitutional right and it is important to safeguard personal data as an integral aspect of informational privacy, while the advancement of the digital world is vital to opening up new viewpoints for socio-economic development.

[1] Article 21 of the Constitution of India, 1949

[2] Information Technology Act, 2000

[3] Unique Identification Authority of India v. Central Bureau of Investigation, Special Leave to Appeal (Crl) No(s).2524/2014

[4] K.S. Puttuswamy v. Union of India, Writ Petition (Civil) No. 494 of 2012

[5] Section 3(28) of the Personal Data Protection Bill, 2019

[6] Section 14 of the Personal Data Protection Bill, 2019

[7] Section 30 of the Personal Data Protection Bill, 2019

[8] Section 41 of the Personal Data Protection Bill, 2019

[9] Section 49 of the Personal Data Protection Bill, 2019

[10] Section 17 of the Personal Data Protection Bill, 2019

[11] Section 18 of the Personal Data Protection Bill, 2019

[12] Section 19 of the Personal Data Protection Bill, 2019

[13] Section 20 of the Personal Data Protection Bill, 2019

[14] Section 57 of the Personal Data Protection Bill, 2019

[15] Section 14 of the Personal Data Protection Bill, 2019