Personal Data Protection Bill,2019 withdrawn by the Government


When was the data protection bill introduced?

The data protection bill was introduced on December 11, 2019. It was referred to a standing committee on December 11,2019. The standing committee sent its recommendations in a report on December 16,2021.


What are the features of the bill?

The features of the bill are:

  • Applicability : The bill governs the processing of personal data by:
  1. Government
  2. Companies incorporated in India
  3. Foreign companies dealing with personal data of individuals in India
  • Obigations of data fiduciary : A data fiduciary is an entity or individual who decides the means and purpose of processing personal data. Such processing will be subject to certain purpose, collection and storage limitations. All data fiduciaries must undertake certain transparency and accountability measures
  • Grounds for processing personal data : The Bill allows processing of data by fiduciaries only if consent is provided by the individual. However, in certain circumstances, personal data can be processed without consent :
  1. If required by the state for providing benefits to the individual
  2. For legal proceedings
  3. To respond to a medical emergency
  • Social media intermediaries : The bill defines these to include intermediaries which enable online interaction between users and allow for sharing of information. All such intermediaries have users above a notified threshold and whose actions can impact electoral democracy or public order, have certain obligations, which include providing a voluntary user verification mechanism for users in India.
  • Transfer of data outside India: Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual. However, such sensitive data should continue to be stored in India
  • The bill also amends the Information technology act, 2000 to delete the related provisions to it.


What is the data protection authority mentioned in the bill?

The bill sets up a data protection authority which may

  1. Take steps to protect interests of individuals
  2. Prevent misuse of personal data
  3. Ensure compliance with the bill
  • Composition : It will consist of a chairperson and six members with at least 10 years expertise in the field of data protection and information technology.

Orders from the authority can be appealed to an appellate tribunal. Appeals from the tribunal will go to the supreme court


What was the most contentious feature of the bill?

The most contentious feature of the bill was:

  • Sharing of non-personal data with the government : The central government may direct data fiduciaries to provide it with any
  1. Non-personal data
  2. Anonymised personal data (where it is not possible to identify data principal) for better targeting of services.
  • Exemptions: The central government can exempt any of its agencies from the provisions of the Act
  1. In interest of security of state, public order, sovereignty and integrity of India and friendly relations with foreign states
  2. For preventing incitement to commission of any cognizable offense
  3. Processing of personal data is also exempted from provisions of the bill for certain other purposes such as:
    -Prevention, investigation or prosecution of any offense
    -Personal, domestic or journalistic purposes


What are the offenses under the bill?

Offenses under the bill include:

  • Processing or transferring personal data in the bill, punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher
  • Failure to conduct a data audit, punishable with a fine of Rs 5 crore or 2% of the annual turnover of the fiduciary, whichever is higher
  • Re-identification and processing of de-identified personal data without consent is punishable with imprisonment upto 3 years or fine or both


Why was the Personal Data Protection Bill,2019 bill withdrawn?

Data protection legislation had been in the works since 2018 based on Justice BN Srikrishna Committee recommendations.
Government announced the withdrawal of the personal data protection bill, 2019 in the Lok sabha suggesting that another refreshed bill will be brought soon for the following reasons:

  • Joint committee of Parliament on the personal data protection bill had submitted a 542 page report with overall 93 recommendations and 81 amendments to the bill in december, 2021
  • Another panel had also recommended about 97 corrections and improvements to the bill


What were the core recommendations of the joint committee?

The core recommendations of the committee were:

  • Need for a broader data protection : No need for segregation into personal and non personal data
  • Social media are not just intermediaries but they should be defined as content publishers.
  • They should be liable for content
  • Provisions relating to regulation of social media to be included
  • Use of only trusted hardware
  • Data localization norms for storage
  • Too many exemptions to the centre
  • Compensation for data compromise
  • Provisions for data relating to children and data of the deceased party
  • Data protection should be in line with right to privacy judgment


What will be the next step of the government?

According to IT ministry sources, the government is targeting the winter session 2022 of the Parliament to introduce the new data protection legislation.
The new bill will incorporate the broader ideas of data protection as recommended by the Joint committee of parliament and will be in line with the Supreme court’s landmark judgment in KS Puttaswamy case 2017 which held right to privacy as a fundamental right.