The main aim of this article is to delineate privacy as an individual right with respect to the Indian scenario and to show how the Personal Data Protection Bill, 2019 is a divergence from that idea.

It took about 60 years for Indians to have their right to privacy cemented. The first time when the question of privacy as a right came to the supreme court was in MP Sharma v Shatish Chandra. The court in this case ruled that in the absence of a specific provision elucidating privacy as a right in the constitution, it cannot be considered as an enforceable right. In Kharak Singh v State of Uttar Pradesh the apex court reiterated this view while striking down an intrusive police regulation; the dissenting opinion of Justice Subbarao that privacy is an essential part of article 21 was a progressive take and became the basis for a revolution of individual privacy in India.

The advent of a new era of privacy

In the next 50 years after Kharak Singh the whole horizon of privacy expanded even more so with the advent of the information technology era; suddenly, the protection of data became a big concern for both individuals and companies. The Information Technology Act (hereinafter IT Act) passed in 2000 was probably one of the first steps by the Indian government towards deterring the misuse of personal data and wrongful disclosure thereof. In Shreya Singhal v Union of India the supreme court struck down section 66A of the IT Act which prohibited the dissemination of information intended to cause annoyance via any electronic device; the court held that this prohibition did not fall within the grounds of reasonable restrictions to freedom of speech and expression as provided in article 19(2) of the constitution. Though this case did not explicitly talk about the right to privacy of an individual, the intention was manifested in the case of Justice KS Puttaswamy (Retd) v Union of India in which the nine-judge bench of the apex court signed an order stating: ‘The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.’ This judgement was given after a petition had been filed challenging the constitutional validity of Aadhar, the Indian biometric scheme which enabled the Indian government to store the biometric information of all the citizens. The rationale given behind the order ushered in a new era of right to privacy for people of India and overruled MP Sharma and Kharak Singh. Further, this order formed the basis for judgements upholding sexual privacy like Navtej Singh Johar v Union of India, which legalised homosexuality in India and Joseph Shine v Union of India, which abolished penal provisions regarding adultery.

The present scenario and the notion of the Personal Data Protection Bill, 2019

In the recent landmark judgement of Faheema Shirin v State of Kerala the High Court of Kerala held access to the internet as a fundamental right of an individual. The internet is so embedded in the lives of the people that an individual’s privacy comes into question. In the light of increasing number of the internet users and cybercrime rates, the Lok Sabha came up with the Personal Data Protection Bill, 2019 (hereinafter the Bill) to safeguard the personal data of the citizens from the corrupt hands of the technological giants.

The Bill is largely based on the footprints of the Data Protection Bill of 2018 but it comes up with the essential modifications to safeguard data identity and protection of the individuals. This Bill seeks to govern the processing of the personal data and keep a close eye on the foreign entities dealing with personal data of individuals in India. Under the purview of section 3 of the Bill, personal data means ‘data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.’ Furthermore, the Bill in section 3(36) delimits the ambit of sensitive personal data, ‘which includes financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government, in consultation with the Authority and the regulator of the concerned sector.’

In the Bill, consent turns out to be a major cornerstone for the processing of personal data. It solitarily permits the processing of data by data fiduciaries a person-in-charge of determining the means and purpose of personal data processing with the valid consent of an individual. Section 11(2) provides five strict requirements free, informed, specific in purpose, clear and capable of being withdrawn for a consent to be valid.­ However, the Bill makes certain exceptions to seeking consent for processing data in chapter III; eg performance of state function authorised by law, compliance with any judgement or order by an Indian court or tribunal etc.

The Bill also works upon the duties of data fiduciaries. The provision of section 4 prohibits data fiduciaries from the use of personal data without ‘specific, clear and lawful purpose’. They must take certain accountability and transparency measures in processing personal information. The Bill in section 26(4) also seeks to keep a check on the social media intermediaries in order to protect the individual’s personal data and security of the nation.

The Bill provides for establishing a data protection authority in its preamble. According to section 49 its duty is to ‘protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of this Act, and promote awareness about data protection.’   

Section 34 states that the sensitive data can only be transferred outside India where it is explicitly allowed by the individual or if it is based on adequate decision by the central government. Additionally, the transfer can be made pursuant to a contract or intra-group scheme approved by the authority or when the authority allows the transfer of any sensitive personal data or class of sensitive personal data necessary for any specific purpose. Certain personal data are also categorized as critical personal data. They can only be processed by the government in India and outside India under certain circumstances stated in section 33 of the Bill.  The Bill, however, delineates some exceptions under section 34(2), where the data can be shared to the relevant entity engaged in health or emergency services as well as to any country or entities in a country without affecting ‘the security and strategic interest of the State’.  

Further, the central government can exempt any of its agencies from the provisions of the proposed enactment. As mentioned in section 35 of the Bill, the exemptions are ‘in the interest of the security of the state, public order, sovereignty and integrity of India and friendly relations with foreign states, and for preventing incitement to the commission of any cognizable offence relating to the above matters.’ Moreover, section 91(2) states that the central government can ask for any personal data of the citizens from the respected data fiduciaries in order to enable better targeting of delivery of services or formulation of evidence-based policies by the central government. The Bill in chapter X also lays down some strict punishments in order to penalize the offenders.

Conclusions: The final takeaways

This Bill came out amidst the row over the Citizenship Amendment Bill; hence it did not gain as much traction among those who analyze government policies. Nonetheless, this Bill, if passed, can have serious consequences regarding the privacy of Indian citizens. The Bill empowers the Indian government to have a considerable amount of monopoly over the data of Indian citizens. Section 33 of the Bill provides for the centralization of data which can make it convenient for the government authorities to access individual data. Repercussions of this practise can be seen in the establishment of a state surveillance system, the likes of which can be seen in the Xinjiang region in China. 1 A very problematic provision is section 35 which gives the central government unmeasured authority to breach the privacy of any individual.

Despite arbitrary processing of data by the government, the step toward our data localisation also comes into question, where all the data copies of the citizens have to be stored in the servers located outside India as stated in section 34. This provision has raised concern about surveillance and could also hamper innovation in blockchain and AI technologies. In the present Bill, the government could hamper our privacy under the garb of so-called state function. This also raises concerns regarding the extent to which our personal data will be protected. Therefore, if this Bill is to be passed in the same manner, without modifications, it would be a regression to the old era where there was an absence of privacy laws. At a time when data mediates our relationship with the government as well as private companies, the existence of a law which ensures that the state acts as a neutral data controller to guarantee both data security and citizen’s privacy is vital.


  1. Chris Buckley and Paul Mozur, ‘How China Uses High-Tech Surveillance to Subdue Minorities’ The New York Times (New York, 22 May 2019) <> accessed 2 May 2020.
Comments to: The Personal Data Protection Bill, 2019 of India: Navigating Murky Waters for the Future of Individual Privacy

Your email address will not be published. Required fields are marked *