
Why India Needs to Care About Privacy and the PDP Bill

Authors:
Siddartha Koneru
January 9, 2020

A revised version of the Personal Data Protection Bill, 2019 (the “PDP Bill”) was tabled in the Lok Sabha on December 11, 2019. Its first draft was submitted by the Justice B.N. Srikrishna Committee pursuant to the Hon’ble Supreme Court of India’s judgment in Justice K.S. Puttaswamy v Union of India[1] (the “Right to Privacy Judgment”), which directed the Government of India to formulate a law on data protection.

Why India Needs the PDP Bill Quickly

The digital economy in India has grown rapidly with the proliferation of e-commerce, over-the-top content providers and other digital services.

The European Union and several other countries have enacted comprehensive legislation, such as the General Data Protection Regulation (“GDPR”), to specify the obligations of data fiduciaries and the rights of the individuals whose data is collected and handled (the “Data Principals”). In India, the PDP Bill seeks to change the way the various players in the digital ecosystem (the “Data Fiduciaries”) handle user data, and to bring in a comprehensive mechanism to replace the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “SPDI Rules”).

Differences Between the SPDI Rules and the PDP Bill

  1. Nomenclature of parties
     SPDI Rules: Body corporate or any person who collects, receives, possesses, stores, deals in or handles information of a provider of information.
     PDP Bill: Data Fiduciary: person determining the purpose and means of processing of personal data. Data Principal: natural person to whom the personal data relates.
  2. Classification of Data Fiduciaries
     SPDI Rules: No classification.
     PDP Bill: 3 types of Data Fiduciaries: a) Data Fiduciary; b) Significant Data Fiduciary; and c) Guardian Data Fiduciary.
  3. Obligations of Data Fiduciaries
     SPDI Rules: A person collecting, receiving, possessing, storing, handling or dealing in personal data must provide on its website: a) a privacy policy; b) a clear statement of its practices and policies; c) the types of personal and sensitive personal data collected; d) the purpose of collection; e) grievance redressal; and f) the reasonable security practices followed.
     PDP Bill: Much higher obligations, including: a) privacy by design; b) data protection impact assessment; c) data audit and trust score; d) data protection officer; e) purpose limitation, notice and quality of personal data; f) security safeguards such as de-identification and encryption; and g) reporting of personal data breaches.
  4. Special safeguards for children
     SPDI Rules: No special safeguards for children.
     PDP Bill: Chapter IV provides special safeguards for children: a) age verification and parental control mechanisms; b) Data Fiduciaries operating websites that process large volumes of personal data of children are classified as Guardian Data Fiduciaries; and c) a bar on profiling, tracking, behavioural monitoring and targeted advertising.
  5. Categories of personal data
     SPDI Rules: 2 categories: a) personal data; and b) sensitive personal data.
     PDP Bill: 3 categories: a) personal data; b) sensitive personal data; and c) critical personal data.
  6. Sensitive personal data
     SPDI Rules: Narrow definition.
     PDP Bill: Wider definition, which also includes: official identifier; sex life; transgender status; intersex status; and religious or political belief or affiliation.
  7. Rights of Data Principals
     SPDI Rules: Providers of information may: a) review their information and correct inaccurate or deficient data; and b) opt not to provide data and withdraw consent.
     PDP Bill: Data Principals have the right to: a) confirmation and access; b) correction and erasure; c) data portability; and d) be forgotten.
  8. Restrictions on cross-border transfers
     SPDI Rules: Transfer permitted if the transferee ensures the same level of data protection as mandated by the SPDI Rules.
     PDP Bill: a) bar on transfer of critical personal data except to health and emergency service providers; b) sensitive personal data may be transferred only under a contract or intra-group scheme approved by the Authority; and c) critical and sensitive personal data may be transferred to countries or international organisations permitted by the Central Government.
  9. Exemption for Government agencies
     SPDI Rules: Sensitive personal data may be shared with Government agencies upon their written request.
     PDP Bill: The Central Government may exempt any agency of the Government from all or any provisions if it is in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order or the prevention of cognizable offences.
  10. Other exemptions
     SPDI Rules: Disclosure of sensitive personal information requires prior consent unless: a) the disclosure is provided under, or agreed in, a lawful contract; or b) it is necessary for compliance with a legal obligation.
     PDP Bill: a) legal proceedings; b) personal or domestic purposes; c) journalistic purposes; d) research, archiving or statistical purposes; e) manual processing by small entities; and f) a sandbox for encouraging innovation in artificial intelligence, machine learning and other emerging technologies.
  11. Enforcing body
     SPDI Rules: Central Government.
     PDP Bill: Data Protection Authority of India (the “Authority”).
  12. Penalties
     SPDI Rules: Fine of up to Rs. 5 lakhs or 3 years’ imprisonment.
     PDP Bill: Much stiffer penalties depending on the gravity of the offence: a) the higher of Rs. 5 crores or 2% of global turnover; or b) the higher of Rs. 15 crores or 4% of global turnover.

Consent under the PDP Bill

The PDP Bill stipulates that a Data Principal’s consent must be obtained before their personal data is collected and processed, and that such consent must be free, informed, specific, clear and capable of being withdrawn as easily as it was given. Data Fiduciaries must draw the Data Principal’s attention to purposes that may have significant consequences, and consent must be sought meaningfully, without relying on conduct in context, and separately for each purpose, each operation and each type of sensitive personal data. The PDP Bill permits the processing of personal data without consent in any of the following situations:

  1. performance of State functions;
  2. under any law in force made by Parliament or a State Legislature;
  3. compliance with any order or judgment of any court or tribunal;
  4. responding to a medical emergency involving the Data Principal or any other individual;
  5. providing treatment during an epidemic, disease outbreak or other threat to public health;
  6. ensuring safety or providing assistance during any disaster or breakdown of public order;
  7. employment purposes; or
  8. other reasonable purposes, including prevention of fraud, whistle-blowing, mergers and acquisitions and debt recovery.

New Measures under the PDP Bill

The PDP Bill introduces several new measures such as:

  1. Privacy by Design, which involves reviewing and suitably amending organisational practices to ensure that privacy is maintained from the collection of data through to its deletion;
  2. A Data Protection Impact Assessment, which is mandatory when a Data Fiduciary seeks to undertake processing involving new technologies, large-scale profiling, the use of sensitive personal data or any other processing that is likely to cause significant harm to Data Principals. It contains a description of the processing operations, the purpose and the data being processed, an assessment of the potential harm to Data Principals and the measures proposed to mitigate such risks;
  3. A Sandbox for fostering innovation in artificial intelligence, machine learning and other emerging technologies, into which Data Fiduciaries may be included; included Data Fiduciaries are exempt from the application of the PDP Bill for a maximum of 3 (three) terms of 12 (twelve) months each. The Authority may specify clear and specific purposes for processing personal data, limitations on collection and restrictions on the retention of personal data.

The Way Ahead for Privacy

The PDP Bill is the first serious effort to protect user privacy in India. However, the blanket power to exempt agencies of the Government from the application of all or any provisions of the PDP Bill has attracted widespread criticism, as it requires only a written order by the executive specifying safeguards and does not involve any judicial oversight. In light of the concerns raised from various quarters, the PDP Bill has been referred to a joint select committee of Parliament.

The views and opinions expressed in this article belong solely to the author and do not reflect the position of Tatva Legal Hyderabad.

[1] AIR 2017 SC 4161
