Data Privacy Bill 2019: All you need to know

In July 2017, the Ministry of Electronics and Information Technology (MeitY), Government of India (GoI), constituted a committee of experts under the chairmanship of the retired Supreme Court judge Justice B. N. Srikrishna. The committee was entrusted with the responsibility of identifying lapses in the present data protection regulations and preparing more robust and comprehensive data protection laws. After working for nearly a year, the committee submitted the draft Personal Data Protection (PDP) Bill, 2018, in July 2018.

Since its introduction last year, MeitY has solicited comments and suggestions on the PDP Bill from the public, various stakeholders, ministers and consultants. Based on these suggestions, a revised Personal Data Protection Bill, 2019 (Draft Bill), was cleared by the Union Cabinet on December 4 2019.

The key changes/highlights of the Draft Bill are as follows:

Definitions: The definition of ‘sensitive personal data’, as laid out in section 2(36) of the Draft Bill, does not include the term ‘passwords’ any more.

Sensitive personal data is now defined as such personal data which may, reveal, be related to, or constitute:

  • financial data
  • health data
  • official identifier
  • sex life
  • sexual orientation
  • biometric data
  • genetic data
  • transgender status
  • intersex status
  • caste or tribe
  • religious or political belief or affiliation, or
  • any other data categorised as sensitive personal data by the authority and the sectoral regulator concerned.

Prohibition of processing of personal data

Clause 4 seeks to prohibit processing of personal data without any specific, clear and lawful purpose. Earlier, the concept of reasonable processing was categorically prescribed, which could have resulted in possible processing of data without consent. The amended draft does away with that provision.

View more

Restriction on retention of personal data

Clause 9 of the Draft Bill prescribes that the data fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it was processed and shall delete the personal data at the end of processing. The personal data may be retained for a longer period only after the data fiduciary gets consent from the data principal.

View more

Grounds for processing of personal data without consent in certain cases

Clause 12 of the Draft Bill lists out certain cases which provides for processing of personal data without consent. Likewise, recruitment and termination of employment have also been brought under categories of processing personal data. However, if such data meets the criteria of being sensitive data, then such processing cannot be done without prior consent.

View more

Processing of personal data for other reasonable purposes

Clause 14 seeks to provide for other reasonable purposes for which personal data may be processed. One such newly introduced purpose is the operation of search engines. This is a new insertion and was not present in the previous bill.

View more

Right to correction and erasure

As part of chapter V on the Rights of Data Principal, under Clause 18, the data principal has been provided the right to erasure of personal data which is no longer necessary for the purpose for which it was processed. This has been added in the Draft Bill over and above the other data principal rights, such as the right to correction of inaccurate data, completion of incomplete personal data and right to updating of personal data that is out of date.

View more

Privacy by design policy

Clause 22 seeks to list out the constituents of privacy by design policy. Though the concept itself is not new (as it was already included in the previous bill), the mandatory requirement for a certification of the privacy by design policy by the data protection authority has been newly added. Such a policy is required to be published on the organisation and the authority’s website.

View more

Transparency in processing of personal data

Clause 23 seeks to bring in transparency in the processing of personal data by requiring the fiduciary to inform the data principal and make information available. This clause introduces a new term − ‘consent manager’ − which is defined as a data fiduciary through which a data principal can give, withdraw, review and manage his/her consent through an accessible platform.

View more

Classification of data fiduciaries as significant data fiduciaries

Clause 26 seeks to provide for the classification of certain data fiduciaries as significant data fiduciaries, including certain social media intermediaries.

  • Further, clause 26(3) of the Draft Bill details that if the authority is of the opinion that any processing accomplished by any data fiduciary or class of the same carries a significant risk, then it will apply the same obligations as those applicable to a significant data fiduciary.
  • The section further defines ‘social media intermediaries’ as all intermediaries who primarily enable online interaction between two or more users and allow them to create, upload, share, disseminate, modify or access information. This does not include commercially oriented transactions, providing access to the internet, search engines, online encyclopaedias, email services or online storage services. The concept of a social media intermediary is a new one and was not mentioned in the previous bill.

View more

Data protection officer (DPO)

Clause 40 of the Draft Bill states that Every significant data fiduciary shall appoint a data protection officer possessing such qualifications and experience as may be specified by the regulations, for carrying out certain functions. Earlier a DPO was required to be appointed by all data fiduciaries. The same is required in the Draft Bill to be appointed only by a significant data fiduciary.

View more

Prohibition on processing of sensitive personal data and critical personal data outside India

Clause 33 seeks to prohibit processing of sensitive personal data and critical personal data outside India. Though these concepts were included in the previous bill, the new provisions are clearer, and restrictions are imposed on transferring sensitive and critical data.

The new provisions state that:

  • sensitive personal data may be transferred outside India, subject to conditions for transfer of sensitive personal data and critical personal data, but shall continue to be stored within India
  • critical personal data (the definition of which is to be notified by the Central Government) can only be processed in India.

View more

Conditions for transfer of sensitive personal data and critical personal data

Clause 34 seeks to list out conditions under which sensitive personal data and critical personal data could be transferred outside India. Sensitive personal data may only be transferred outside India for the purpose of processing, when explicit consent is given by the data principal for such transfer, and where such transfer is made pursuant to a contract or intra-group scheme approved by the authority. Previously, intra-group scheme related approval was provided only for the categories of personal data, not being sensitive data. However, the Draft Bill extends this provision to sensitive data as well.

View more


Clause 66 in the Draft Billl adds a new mechanism of recovery based on arrears of land revenue. This clause seeks to lay down that penalties or compensation under this act may be recovered as arrears of land revenue. The concept of a ‘recovery officer’, as provided in the previous bill, has been done away with.

View more

Sandbox for encouraging innovation, etc.

Clause 40 states that the authority is entrusted with the responsibility of creating a sandbox for the purposes of encouraging innovation in artificial intelligence (AI), machine learning (ML) or any other emerging technology of public interest. In this regard, certain information is required to be furnished by the data fiduciary, if such fiduciary intends to apply for inclusion in the sandbox.

View more

Re-identification and processing of de-identified personal data

Clause 91 states that the Central Government may, in consultation with the authority, direct any data fiduciary or data processor to provide any anonymised personal data or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies, in such manner as may be prescribed. For the purposes of this sub-section, the expression ‘non-personal data’ means data other than personal data. This categorisation was not provided in the previous bill.

View more

The Draft Bill is another step taken by GoI in its initiative towards implementing data privacy laws in India. The said Draft Bill has been referred to a joint selection committee of the Parliament for further review and is expected to be tabled in the forthcoming budget session.

Furthermore, the Draft Bill incorporates important aspects such as consent, reasonable purpose, processing of personal data only with consent. We may look forward to the Draft Bill being recognised as a law in the forthcoming budget session.

Acknowledgements: This article has been researched and authored by Ankit Virmani and Sonali Saraswat.

Contact us

Dhritimaan Shukla

Dhritimaan Shukla

Partner, Forensic Services , PwC India

Tel: +91 98 9903 8326