Data Protection Laws in India: Analysis of the Personal Data Protection Bill, 2019 in line with the IT Act, 2000

Justdial, Yahoo[2], Microsoft[3], Google, WhatsApp, Adobe[4], LexisNexis[5], Catha way, LinkedIn, Grindr, Uber[6], Twitter and Sony[7]

These are the names of some global tech giants that collect and store large volumes of data on their servers. But did you know that the data on their servers has fallen prey to data breaches numerous times, leaving the personal data and records of almost a billion people vulnerable every day?

The famous Facebook Cambridge Analytica[8] scandal cannot be forgotten. It led many people to stop trusting their government to protect their personal data, as they came to know the dark side of their personal data being stolen and misused.

According to Article 4(12) of the General Data Protection Regulation (GDPR), a “personal data breach” is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. This means that the data a normal person stores on the web in the form of banking records, social networking profiles and sensitive personal data such as their caste, sex, political orientation and location is always vulnerable to disastrous cyber forces. This brings us to a significant question: is our data on all applications and social networking websites secure? Is our privacy maintained by all these entities, and is our consent on these applications misused?

This article will scrutinize data breaches, probable security risks, and the laws which protect the privacy and personal data of people in India, in particular the recently drafted Personal Data Protection Bill, 2019. The research examines whether this law would be able to stand up for the people of India as a better data protection legislation. It also tries to provide an overview of the General Data Protection Regulation (GDPR), adopted by all European Union countries as their data privacy and protection legislation.

India is moving rapidly towards becoming the data capital of the world, with a growth of 40 percent in Internet traffic by March 2020[9], and traffic is likely to increase threefold by 2025[10], thanks to the evolution of 4G contributing 92 percent of this increase[11].

According to a report by Statista[12], the number of smartphone users is set to increase by 442 million by 2022, which would bring the total number of smartphone users in India to approximately 809 million, more than the combined population of Russia[13], the United States of America[14] and Indonesia[15].

These figures not only portray the rapid economic growth of the country but also pose a threat to India’s growing database. The most important challenge is the protection of personal data of individuals. With the advent of an era of information, the privacy of individuals is at stake[16].

India lacks a comprehensive law for the protection and regulation of personal data stored by several entities. Presently, the Information Technology Act, 2000[17] (as amended in 2008) contains provisions which pertain to the protection of privacy[18], compensation for failure to protect data[19], penalty for breach of confidentiality and privacy[20] and punishment for disclosure of information in breach of lawful contract[21].

After the landmark judgement in K.S Puttaswamy, the Justice BN Krishna committee was entrusted with preparing a report on a data protection framework, and the same was presented as the first data protection law of India, The Personal Data Protection Bill, 2019 (hereinafter called “the Bill”[22]).

The law lays down provisions for establishing a Data Protection Authority of India and a proper procedure for the collection, processing, use, disclosure, storage or transfer of personal data[23].

The Bill proposes to protect “Personal Data” relating to the identity, characteristic traits and attributes of a natural person, and “Sensitive Personal Data” such as financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, and religious or political beliefs[24].

The Bill provides that without the consent of the data principal, data can be neither collected nor processed. Chapter II of the Bill, however, talks about “Grounds for processing personal data without consent”, under which section 12 says that personal data can be processed:

  • For the performance of any function of the State authorised by law,
  • To respond to any medical emergency involving a threat to the life or a severe threat to the health of the data principal or any other individual,
  • To undertake any measure to provide medical treatment or health services to any individual during an epidemic, outbreak of disease or any other threat to public health, and
  • To undertake measures in any breakdown of public order.

An individual’s private data is equal to his or her dignity, and any data breach which takes away that dignity infringes upon his or her “Right to Privacy”.

The global positioning system is a superpower and a boon in the hands of mankind, but if misused, it could lead to disaster. In this era of information, every branch of the government has to evolve, but not at the cost of citizens’ privacy.

Justice Sonia Sotomayor, in the case of K.S Puttaswamy[25], observed that even surveillance by the government under the law can be harmful, in that it could alter the relationship between citizen and government in a way that is inimical to a democratic society:

“GPS monitoring generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations. Disclosed in [GPS] data… will be trips the indisputably private nature of which takes little imagination to conjure: trips to the psychiatrist, the plastic surgeon, the abortion clinic, the AIDS treatment centre, the strip club, the criminal defense attorney, the by-the-hour motel, the union meeting, the mosque, synagogue or church, the gay bar and on and on… The Government can store such records and efficiently mine them for information years into the future… And because GPS monitoring is cheap in comparison to conventional surveillance techniques and, by design, proceeds surreptitiously, it evades the ordinary checks that constrain abusive law enforcement practices: “limited police resources and community hostility”…

The net result is that GPS monitoring—by making available at a relatively low cost such a substantial quantum of intimate information about any person whom the Government, in its unfettered discretion, chooses to track—may “alter the relationship between citizen and government in a way that is inimical to a democratic society.”

The Bill also poses great threats in the form of surveillance as it provides that without consent, personal data of an individual can be collected in the interests of the security of the state. It also provides the state with the power to extract data for the prevention, detection, investigation, and prosecution of any offence or any other contravention of the law. This access to all personal data by the state poses an enormous threat to the right to privacy given the weak safeguards that exist in India against state surveillance.

The landmark judgement of K.S Puttaswamy and Anr. v. Union of India and Ors.[26] highlighted several points on which the Government is lacking in protecting the online data of the people. Data protection is an inherent fundamental right of a citizen covered under the umbrella of Article 21, which encompasses the right to privacy, and it is the responsibility of the government to take measures to protect individuals’ privacy and their data.

The Bill in its present shape has to be reformed in many ways. One of its major loopholes is the arbitrary and exceptional powers provided to the government under the law[27]. Under the head of “Grounds for processing of personal data without consent”, the Bill provides certain conditions wherein data can be collected and processed without consent[28]. When the government has all the powers to extract personal data in one way or the other, the law does not live up to its objective.

The logic is clear: the legislature expanding the powers of restriction under Article 19(2) on the right to privacy would only act as a bane in tackling personal data. The provisions relaxing powers are strict. Restrictions are necessary and should be balanced in line with the privacy of individuals.

Another area where the Bill needs consideration is the concept of consent. Whatever the jurisdiction, criminal or civil, consent is of utmost importance. According to the BN Krishna committee report, consent needs to be informed, clear and specific, and should meet all conditions mentioned under section 14 of the Indian Contract Act. But consent is just a formality on paper, because the state can extract almost all data from individuals without it.

Section 16 of the Bill says that the age of children has to be verified initially before their personal data can be taken. According to section 2(8) of the Bill, the majority age of a child is 18.

The point which comes up is that children below the majority age use the internet in huge numbers in India; therefore the age limit should be lowered. The framers can take an example from the GDPR, which lays down the majority age at 16[29].

This area can also be tackled efficiently through digital awareness among the children of the country, failing which many of them would provide the wrong age to the data fiduciary.

This version of the law suits well the point of data localisation. According to Techopedia[30], data localization means “the act of storing data on any device that is physically present within the borders of a specific country where the data was generated”. It effectively protects data originating in India from being transmitted to any other country. Various countries such as Australia, China, Russia, etc. have already enacted such laws[31]. But if the provisions are not reformed, it would lead to disinvestment in the digital sector. Several international companies such as Facebook, Google, and Yahoo would be disincentivized from investing in India, which would make a huge impact on the foreign data reserve of India.

In the view of the author, the data protection regime in India, which includes the IT Act, 2000[32] and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, has not been able to efficiently protect the personal data and privacy of the people of India, as shown by various data breach incidents in India, which include the SBI data leaks, Aadhaar UIN being exposed and the Facebook data leak of 419 million users[33].

Given the short span of time the drafters have had to formulate it, proper review and reform could make this law a big success in protecting the rights of individuals relating to personal data.

The Bill has been brought with lots of expectations and citizens are waiting with optimism that this law would protect their privacy and punish those entities and tech giants who commit data breaches on a frequent basis.


[2] Yahoo data breach casts ‘cloud’ over Verizon deal, The Washington Post, https://www.washingtonpost.com/news/the-switch/wp/2016/09/22/report-yahoo-to-confirm-data-breach-affecting-hundreds-of-millions-of-accounts/

[3] Igor Bonifacic, Microsoft accidentally exposed 250 million customer service records, Engadget, January 22, 2020, https://www.engadget.com/2020-01-22-microsoft-database-exposure.html

[4] PAUL BISCHOFF, 7 million Adobe Creative Cloud accounts exposed to the public, 25 October 2019, https://www.comparitech.com/blog/information-security/7-million-adobe-creative-cloud-accounts-exposed-to-the-public/

[5] Byron Acohido, LexisNexis, Dunn & Bradstreet, Kroll hacked USA TODAY, 26 Sep. 2013, https://www.usatoday.com/story/cybertruth/2013/09/26/lexisnexis-dunn–bradstreet-altegrity-hacked/2878769/

[6] Dave Lewis, Uber Suffers Data Breach Affecting 50,000, Feb 28, 2015, https://www.forbes.com/sites/davelewis/2015/02/28/uber-suffers-data-breach-affecting-50000/#1e96d392db14

[7] Julianne Pepitone, Massive hack blows crater in Sony brand, May 10, 2011, https://money.cnn.com/2011/05/10/technology/sony_hack_fallout/

[8] The Cambridge Analytica Story, Explained, WIRED, https://www.wired.com/amp-stories/cambridge-analytica-explainer/

[9] India witnesses 40% increase in peak Internet traffic: Report, 09 MAY 2020, Last Updated at 11:57 AM, https://www.outlookindia.com/newsscroll/india-witnesses-40-increase-in-peak-internet-traffic-report/1828867

[10] Mobile data traffic to triple in India by 2025: Report, IANS, Updated: 25 Nov 2019, 04:09 PM IST, https://www.livemint.com/technology/tech-news/mobile-data-traffic-to-triple-in-india-by-2025-report-11574677813062.html

[11] 4G contributed 92% of mobile data traffic in India in 2018: Report, IANS, New Delhi, Last Updated on February 21, 2019, 14:11 IST, https://www.business-standard.com/article/news-ians/4g-contributed-92-of-mobile-data-traffic-in-india-in-2018-report-119022100526_1.html

[12] Number of smartphone users across India from 2017 and 2022, Statista https://www.statista.com/statistics/874495/india-number-of-smartphones-users/

[13] Russia Population 2020, Worldometer, https://www.worldometers.info/world-population/russia-population/

[14] U.S. and World Population Clock, United States Census Bureau, https://www.census.gov/popclock/

[15] Total Population 2018 – Indonesia, https://data.worldbank.org/indicator/SP.POP.TOTL

[16] Id, K.S Puttaswamy

[17] ACT NO. 21 OF 2000

[18] Supra note 9, Section 66F

[19] Id, Section 43A

[20] Id, Section 72

[21] Id, Section 72A

[22] Bill No. 373 of 2019

[23] Scope and Objective of The Data Protection Bill, 2019

[24] Section 3(36), id

[25] id

[26] id

[27] Yuthika Bhargava, Experts pick holes in data protection Bill, The Hindu, JULY 28, 2018 21:45 IST, https://www.thehindu.com/news/national/experts-pick-holes-in-data-protection-bill/article24542431.ece

[28] Section 12(b) mandates that personal data can be processed under any law for the time being in force made by the Parliament or any State Legislature.

[29] Article 8, clause 1 of General data protection regulation, 2016

[30] Data Localization, May 8, 2017, https://www.techopedia.com/definition/32506/data-localization

[31] Data localisation guide, April 2019

[32] MINISTRY OF COMMUNICATIONS AND INFORMATION TECHNOLOGY, GSR 313(E)

[33] Web Desk, A look at data breaches, cyber-attacks India saw in 2019, Bengaluru, DEC 16 2019, 14:34, https://www.deccanherald.com/national/a-look-at-data-breaches-cyberattacks-india-saw-in-2019-785987.html

Abhishant Kumar from School of Law, UPES Dehradun

Abhishant is a passionate law student thriving for knowledge and understanding the intricacies of society in relation to law.

Editor: Sanskriti Sood
