EXECUTIVE SUMMARY: PERSONAL DATA PROTECTION BILL, 2019

The Personal Data Protection Bill (‘PDP Bill’) shall replace the existing legal framework for
data protection contemplated under the Information Technology (Reasonable Security
Practices and Procedures and Sensitive Personal Data or Information) Rules (‘SPD Rules’)
2011. The major shortcomings of the existing framework include a narrow definition of the
term ‘personal data’, non-applicability of the provisions of data protection to the government
or its agencies and lack of effective judicial oversight. These shortcomings prompted the need
to introduce a comprehensive regime of data protection. The bill is modelled upon the
recommendations made by the Expert committee on Data Protection, chaired by Justice
(Retd.) Srikrishna. 1

The chief objectives of the PDP bill are two-fold, firstly to provide a legal mechanism to
enforce protections of the Right to Privacy established by precedent2 and secondly, to address
the needs of India’s rapidly expanding digital economy which is pervasive in every aspect. At
the outset, the PDP Bill establishes the rights of the data principal, who exercises autonomy
over the data that is being collected, processed and transferred. For data processing based on
consent to be lawful, the bill requires the fiduciaries to provide a notice to the principal which
inter alia other details, outlines the rights of the principal and available grievance redressal
mechanisms in a manner and form that is comprehensible.

Under the scheme of PDP bill, no data processing can be permitted except for clear, specific
and lawful purposes, barring exemptions from application provided under the act itself for
reasons of security, compliance with orders of a court/tribunal or such reasonable purposes.
Data Fiduciaries are classified (based on the nature of data they collect and their purposes)
into Data Fiduciaries and Significant Data Fiduciaries which are subjected to differential
compliance obligations. These measures, inter alia include the requirements to incorporate
privacy by design, security measures against breach, data protection impact assessment, data
auditing, appointment of data protection officer who is tasked with grievance redressal and
acts as a nodal authority between the fiduciary and the DPA to monitor compliance.

The PDP Bill establishes the Data Protection Authority of India (‘DPA’) which is vested with
enforcement and supervisory functions to monitor the collection, processing, storage and
1
Expert Committee Report on Free and Fair Digital Economy,
https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf, last accessed on 11
March 2021
2
Justice K.S Puttaswamy (Retd.) v. Union of India, 2017 (10) SCALE 1
dissemination of the data collected by fiduciaries (including the Central and State
Governments). To this extent, the DPA is armed with the power to impose penalties and
order compensation for contravention of the provisions of the bill.