Data PrivacyPDP BillTracing the History of the Personal Data Protection Bill, 2019

March 2, 20220


The fundamental Right to Privacy is not explicitly granted under the Indian Constitution, however, when interpreted with the other fundamental rights like Right to Life and Personal Liberty, and the Freedom of Speech and Expression, the Supreme Court recognised the Right to Privacy as a fundamental right in the recent past.

There has been a lot of debate surrounding data privacy by many policy makers, civil rights activists, BigTech and digital entrepreneurs and so on. As the world rapidly transforms into a digital one, in order to serve people better, companies and administrations need to collect data for the same.

The problem that arises here is that the personal data can be misused and therefore, the key issue surrounding the collection and processing of data is how much of this data can be collected and how and where will this data be stored and used.

This article will trace the history of the Personal Data Protection Bill, 2019 (PDP Bill) along with suggestions and the way forward.


On 24.08.2017, the nine-judge bench in Justice KS Puttaswamy v. Union of India (2017) 10 SCC 1, [Puttaswamy Judgment] delivered the historical judgment affirming the Right to Privacy as a fundamental right.  This case discussed a number of conflicting decisions on the status of the Right to Privacy in the Indian Constitution, most notably M.P. Sharma v. Satish Chandra (1954) SCR 1077 and, Kharak Singh v. Uttar Pradesh (1964) 1 SCR 332.

 The initiation of this concern surrounding Right to Privacy came afloat two years earlier, on 11.08.2015; before the Supreme Court when the Aadhaar mandate for access to Government services and benefits was challenged. This paved the way for the decision in Puttaswamy Judgment.

In the Puttaswamy Judgment, the bench unanimously affirmed that the Right to Privacy is constitutionally guaranteed to every individual under Article 21. While it was argued that the Right to Privacy was not independently protected under the Constitution, the Supreme Court reasoned that privacy is an intrinsic part of life, personal liberty and of the freedoms guaranteed by Part III of the Constitution, which entitles privacy to protection as a core constitutional doctrine. Throughout the judgment, the Court also noted the need for a comprehensive data protection law to effectively protect the Right to Privacy.


During the course of the hearing in the Puttaswamy case, the Committee of Experts on a Data Protection Framework for India i.e., the ‘Srikrishna Committee’ was constituted to review data protection norms in India and make appropriate recommendations for the regulation. The Committee which was headed by Justice B.N. Srikrishna,  submitted its final report titled, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians along with a draft law, ‘The Personal Data Protection Bill, 2018’.

The Draft Bill set out data protection obligations to respect the privacy of the Data Principal, i.e., the person to whom the data is related to. These obligations include purpose and collection limitation, fair and reasonable processing of data, notice requirements and accountability, inter alia.

It also provided for the establishment of a Data Protection Authority to protect the interests of Data Principals, prevent the misuse of personal data, ensure compliance with the PDP Bill and promote awareness of data protection. Many of these provisions have been carried forward to later versions of the PDP Bill, albeit with considerable modifications.


On 11 December, 2019, the PDP Bill was introduced in the Lok Sabha. The PDP Bill took into consideration the recommendations of the Srikrishna Committee Report and has also largely drawn references from the General Data Protection Regulation (GDPR), which is the most comprehensive regulation for data protection across the globe.

Among other things, the PDP Bill empowers the Central Government to exempt Government agencies under a wide range of circumstances, thereby drawing heavy criticism.

In 2021, a Joint Parliamentary Committee (JPC) was formed to scrutinize the provisions of the PDP Bill and the report of the JPC was tabled before the Parliament.

This report captured the recommendations of the JPC on the PDP Bill and suggested general recommendations regarding data protection and privacy. There are broadly two sets of recommendations drawn out by the JPC- the first being specific changes with regards to the wording of the law that needs to be reflected in the PDP Bill before enacting the same, and the second being general recommendations that may be implemented in due course of time.


Following are some of the key recommendations and changes suggested by the JPC in the latest report:

  • Initially the PDP Bill was supposed to include personal data, however since the process of collecting and compiling and differentiating personal and non-personal data is a tedious task, the JPC suggested that the new legislation would include both personal and non-personal data. Therefore, with respect to this, non-personal data has been explained as any data apart from personal data”. It is also the recommendation of the JPC that a single Data Protection Authority be established in order to take care of the issues arising out of personal and non-personal data.
  • The JPC has recommended the Government to follow a specific timeline in order to implement the PDP Bill, once it is enacted. The JPC has recommended that a timeline of 24 months be given in order to implement the provisions of the then PDP Act and this period will help address any changes that may be necessary.
  • The JPC has asked the Government to mandatorily bring a mirror copy of sensitive and personal data that is in possession of foreign bodies in a specific time period.
  • An extensive policy on data localization covering aspects such “a development of adequate infrastructure for the safe storage of data of Indians which may generate employment; introduction of alternative payment systems to cover higher operational costs, inclusion of the system that can support local business entities and start-ups to comply with the data localisation provisions laid down under this legislation; promote investment, innovations and fair economic practices; proper taxation of data flow and creation of local Artificial Intelligence ecosystem to attract investment and to generate capital gains”, must be prepared by the Central Government in close consultation with the sectoral regulators.
  • The JPC has also recommended that social media platforms that do not act as intermediaries must be held accountable for the content they host and should be treated as publishers.
  • With regards to criminal penalties, offences shall be categorized into cognizable and non-bailable, and shall include imprisonment up to 3 years and a fine of 2 lakh rupees. The PDP Bill also mentions that an independent director and a non-executive director of a company shall be held liable only if it is shown that the acts of omission or commission by the company had occurred with his knowledge or with his consent attributable to him or where he had not acted diligently“.

The JPC is of the view that in the context of the PDP Bill, privacy should be viewed with regards to the context of information that is available specifically in the digital domain. Therefore, non- digitised data does not directly and distinctly come under the scope of the PDP Bill.


Taking into account the Lok Sabha Rules, the Government has the option of returning the PDP Bill to the JPC, or a different committee or, seek further consultation about the PDP Bill or the Government can directly introduce the PDP Bill in the Parliament after incorporating the suggestions stated by the JPC.

Based on the JPC’s recommendations, the PDP Bill is to be reviewed and re-worked on by the Government. There is a possibility that many of the Committee’s recommendations may be brought back due to the fact that it was mostly a bipartisan effort that has taken place. However, the PDP Bill can be expected to be enacted in the near future amidst the rising concerns pertaining to data privacy in the country.


 The PDP Bill and the several reports concerning the PDP Bill have been making headlines since the past couple of years. In the age of big data and Digital India, the Data Principals are concerned about the safeguarding their personal and sensitive personal data. The corporate bodies are also processing personal data of their users and consumers with utmost safety and protection.

In the recent past, several multinational conglomerates and well-known companies have been a victim to data breaches which has led to exposure of personal data or several users over the dark web or the Internet in general.

In the backdrop of the same, the implementation of the PDP Bill is extremely crucial. Once enacted, the PDP Bill shall regulate the process of collection, storage and transfer of data of Data Principals to a huge extent.

Team AMLEGALS, assisted by Ms. Harini Raman (Intern)

For any query or feedback, please feel free to get in touch with or

Leave a Reply

Your email address will not be published. Required fields are marked *

Current day month ye@r *

© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.


Disclaimer & Confirmation As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking on the “I AGREE” button below, user acknowledges the following:
    • there has been no advertisements, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
    • user wishes to gain more information about AMLEGALS and its attorneys for his/her own information and use;
  • the information about us is provided to the user on his/her specific request and any information obtained or materials downloaded from this website is completely at their own volition and any transmission, receipt or use of this site does not create any lawyer-client relationship; and that
  • We are not responsible for any reliance that a user places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof.
However, the user is advised to confirm the veracity of the same from independent and expert sources.