Data Protection Bill, 2019

The personal data protection bill was introduced in the Lok Sabha by the Ministry of Electronics and Information Technology on 11th December 2019. The main intent of the bill is primarily for the protection of privacy of individuals with regards to their personal data. With the introduction of the bill the “Data Protection Authority of India” has been formed. The bill establishes a framework for the collection, usage, storage, sharing and protection of personal private data of an individual.

Classification of data into personal, sensitive personal and non-personal data  

Data can be broadly classified to two types as personal data and non-personal data relating to the identity, characteristics trait, attribute of a natural person etc. whereas non-personal data is any data which does not pertain to a particular individual but creates an aggregate data such as monthly internet usage of a particular locality, average electricity consumption of some city etc. 

Sensitive personal data includes 

  • financial data
  • health data
  • official identifier
  • sexual orientation
  • biometric data
  • genetic data
  • transgender status
  • intersex status
  • any other data as sensitive personal data by the authority and the sectoral regulator concerned

Why was the bill introduced?

The Ministry of Electronics and Information Technology and the Government of India  constituted a committee of experts headed by retired Supreme Court judge Justice B. N. Srikrishna in July 2017.

As data privacy issues have predominantly been rising over the years it became imminent to protect such breach of privacy, the core of this bill is derived from the Supreme Court judgment “K.S. Puttaswamy v Union of India And Ors''. delivered on August 24, 2017, Where the Apex Court held that privacy is a fundamental right emanating from right to life and personal liberty enshrined under Article 21 of the Constitution of India.  The judgment became a guiding principle for the government for enhanced and more robust data protection rules. 

What’s in the Bill

The bill mandates a new set of reporting requirements for businesses and individuals collecting data. Much of the personal data cannot be collected without the user’s consent. Many of the provisions in the current bill are said to be formed and similar to European Union’s General Data Protection. The legislation also contains provisions giving rights to “Data Principles”. With a formal request to data fiduciaries of what is being collected from them.

The bill enshrines that wherever personal information of an individual is collected without their permit it shall lead to breach of their fundamental right to privacy. The Bill regulates the processing of personal data by both the government and companies incorporated in India. It also provides guidelines for foreign companies using personal data of individuals of India. 


There is much ambiguity about the scope of non-personal data. There are existing loopholes in the current bill and the select committee has asked the users and citizens at large to propose for changes in the bill.  As the bill could potentially affect the significant overhaul of digital businesses and companies with regards to privacy of citizens. It becomes imperative and vital to make adequate provisions regarding data privacy at large leaving room for various organisations to comply with the regulations.