Image by aymane jdidi from Pixabay 


In today’s time, privacy of an individual is like an ornament that a person keeps with him at a safe and secluded place to prevent it from being misused. The word ‘Privacy’ denotes about something that is of great utility to us and we don’t want to disclose it to others due to fear of it being distorted to our disadvantage. This is the reason why laws are formulated to protect our privacy because it is not possible to completely keep every bit of our information in a camouflage. Man being a social animal cannot survive on its own and for this very survival of a being, a little bit of information will be required to reveal. Let us take an example, if some government official on airport asks us to produce our identity card and we, in fear of losing our privacy, don’t show him those documents, then that will result in a lot of mess in the society and vigilance mechanism would collapse and filtering out non-genuine people would not be possible. Thus, there is a requirement of striking a balance between protection of our privacy and operation of society.

Is there any right to privacy?

The constitution of India is the supreme rulebook of the country and regulates the conduct of society. There is no particular mention of right to privacy as a fundamental right but in the Aadhar Judgement of 2017, the bench comprising nine judges headed by Justice JS Khehar unanimously declared that right to privacy is a fundamental right under article 21 (Right to life and personal liberty) of the Indian Constitution and is part of basic structure. The name of this landmark case is K.S. Puttaswamy vs Union of India . The issue before the bench was whether right to privacy is a fundamental right and if yes, what is the authority or source for the same. The question, moving from one bench to another reached to the bench, which gave such celebrated judgement.

Personal Data Protection Law in India

With the advent of technology and internet, individual’s data in online space is not totally immune to any misuse and thus, data privacy and security is an essential concept. In order to safeguard all this essential information, data privacy bill was introduced to regulate and ensure a healthy legal system. On the recommendations given by the court in the case of puttaswamy, the government took an action in form of setting up of a experts committee under BN Sri Krishna to ponder over the issues of privacy and to come up with some legislation and solution. Thus, in furtherance to the report given by the committee, a Personal Data Protection Bill (PDP) was tabled in Lok Sabha in 2019. The bill went to joint parliamentary committee and was sent back to lok sabha after due deliberation. We can say that India is just few steps away to get it’s first legislation concerning protection of data.

Section 3(28) of the data protection bill defines “personal data” as data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling."  The bill defines data fiduciary as a service provider for example, google or yahoo, etc. With coming of this legislation in power, the service providers will be required to tell the need of data being collected and its usage and will require authorisation and consent from the customer. The PDP bill introduces a concept called data localisation where certain type of data would be required to be stored only in the country and not abroad. There is a three staged structural division of data that consists of Personal, Sensitive and Critical data. Let us understand them in brief:

  • Personal Data There is no such restrictions of the storage of this data and thus, can be stored either completely or partly outside the country. Restrictions of transfer won’t apply under this category of data.
  • Sensitive Data The data under this category can be stored outside, but simultaneously, it would be required to be stored inside the country also. Data related to sex, caste, biometric details, health related information, etc is all included here. Passwords are notably not included here.
  • Critical Data If a data is marked as critical, it cannot be transferred further to any country abroad and will be stored entirely in the country. However, there are some exceptions in name of countries where a similar or even higher level of protection will be assured, then it can be shared.

The bill has given expanded powers to the central government to exempt any agency to follow these rules and this is a reason for outrage by people and opposition too. The bill also imposes high penalties to those not complying with the rules laid down under this bill and maximum that can be imposed is Rs 150 million ($2.1 million) or 4% of the global turnover of the per in the preceding financial year , which ever is higher.

Right to be forgotten

This is fairly a new concept under which, if a person wants to restrict the continuous disclosure of his/ her personal data by the data fiduciary, then he can exercise his right to be forgotten when:

  • The information has served the purpose for which it was collected
  • Is no longer of utility and required
  • The consent with which it was displayed has been withdrawn by the concerned person
  • Is in contravention to any law in force at the time.

Criticism of the Bill

The Personal Data Protection Bill being discussed has quite a few loop holes if not addressed could result in a legislation, which is counterproductive. The bill lays much responsibility on the user by making ‘consent’ an important part of the framework. Such consent must be free from any duress and influence and should allow user to withdraw it at any point they feel their data being tainted to a disadvantage. The committee set up under BN Sri Krishna right said that the consent of the people on the internet is broken and often not meaningful:

“A preponderance of evidence points to the fact that the operation of notice and consent on the internet today is broken. Consent forms are complex and often boilerplate. . . . Any enumeration of a consent framework must be based on this salient realisation: on the internet today, consent does not work”

A survey was conducted by IBM where it observed that “though users think companies should be more heavily regulated for data management, 71 percent of them were still willing to give up privacy to get access to the technology they sought, and only 16 percent had ever walked away from a company because of data misuse” . There are also limitations concerning the processing of data over the digital arena by social media intermediary. It is also being noticed the bill, at some points, dilutes the right to privacy given to us. This is evident from various provisions of the bill:

  • The power given to central government to exempt any agency of the government from the requirement of the bill on some specific grounds.
  • More power to Central government when compared with Data Protection Authority.
  • The observation by the committee that exemptions can be made in certain cases of national interest “to ensure that the pillars of the data protection framework are not shaken by a vague and nebulous national security exception.”
  • The bill states that rules for surveillance and “procedure, safeguards”, etc will be made by central government but there are no guidelines that stress upon explaining as to how to exercise these powers.


The PDP bill of 2019 is the initial step by the country towards safeguarding the right to privacy of its people. With advent of digitalisation, there are innumerable threats to the data of the individual and this bill is formed with all positive intention to protect privacy of the people .Although it is a productive step, there are some intricacies and issues that are left open by the legislatures and if these are not addressed, can result in countering the very foundation of the motive with which it made. This can result in deleterious effects. The bill has much in good, but due to some of the issues, it should not become a dead letter and instead, should be carefully studied and with all the suggestions incorporated, it should be brough to power because

“Privacy is not something that I am merely entitled to, It’s an absolute prerequisite” - Marlon Brando

.    .    .


  • 2017 10 SCC 1
  • Section 57, Personal Data Protection Bill, 2019
  • Section 57(2), Personal Data Protection Bill, 2019
  • Committee of Experts under the Chairmanship of Justice B. N. Srikrishna, “Report of the Committee of Experts under the Chairmanship of Justice B N Srikrishna,” 32
  • Erik Sherman, “People Are Concerned About Their Privacy in Theory, Not Practice, Says New Study,” Fortune, February 25, 2019,
  • Section 35, The Personal Data Protection Bill, 2019
  • Anirudh Burman & Suyash Rai, What Is in India’s Sweeping Personal Data Protection Bill? available at