top of page


Privacy is one of the biggest problems in this new electronic age.” – Andy Grove

How does the data privacy legislative structure balance the need to protect the privacy and ensure innovation and productivity growth? This study explores the proposed legislation on data privacy in India from the standpoint of whether it retains this balance. In December 2019, the Government passed in Parliament the [1]Personal data protection Bill 2019, which will establish the first cross-sectoral data privacy regulatory system in India.

The system for the security of personal data must be structured to provide a more thorough view of the role of privacy in society and of the injuries incurred by infringement of individual privacy.

The notion of informational privacy has become popular in the last decade, however, as this paper indicates, India has a decades-long case law on privacy. Much of it reflects on privacy in the light of damage incurred by a breach of privacy. This jurisprudence evolved in 2017 when the SC of Justice in the case [2]K.S. Puttaswamy v. Union of India ruled that the Indian Constitution comprised a fundamental right to privacy.

The paper will briefly discuss the growth of privacy regulation and the bill further it will deal with the features and the controversy which surrounded the bill.


[3]The Information Technology Act, 2000 deals with problems relating to the provision of liability (Civil) and punishment (Criminal) in the event of wrongful exposure and abuse of personal data and breach of contractual provisions with respect to personal data.

The volume of data generated by the usage of different electronic equipment and apps has risen enormously in the last few years. By analyzing 'big data' and articulating their company strategy based on that analysis, now corporations gain enormous profits. Although the market productivity involved is not refuted, the burning issue is 'the way in which the information about people is obtained and handled by others' is governed by people who do it.

India does not have a comprehensive cybersecurity law. The Information Technology Act, 2000 (IT Act) reads the laws and legislation by which cybersecurity and cyber offences are dealt with[4]Section 65-71 holds relevance to cybercrime. The IT Act would not only allow the legal identification and protection of electronic data sharing and other means to carry out transactions but also electronic communications for the protection of electronic documents, information or documents and for the prohibition of illegal or improper use of a computer device. Any of the cyber security offences explicitly envisaged and prosecuted under the IT Act are hacking, denial of service attacks, phishing, attacks on ransomware, deception of identity or electronic theft are included under it.


The Personal data protection Bill, 2019, extends a long line of case law on privacy in India that has been influenced by international developments as well as the country's own constitutional jurisprudence. Although the Constitution does not expressly address the right to privacy, the Indian courts have ruled that there is a right to privacy under the right to life secured under Article 21. However, there has always been some doubt as to the precise essence of the constitutional security of privacy, as a result of the prolonged decision of the Supreme Court in [5]Kharak Singh v. State of Uttar Pradesh, wherein the court ruled that there was no constitutional right to privacy.

Two factors that become increasingly relevant to resolve this ambiguity were: strident allegations of lack of privacy following the launch of the government-unique biometric identity initiative (Aadhar) and parallel global developments.

It is a long-standing controversy, whether privacy has a right guaranteed under Part III of the Constitution. The Supreme Court denied the privacy protection to be enshrined in the Constitution both in [6]MP Sharma and Kharak Singh.

In M.P. Sharma, the Court held that "if the constitution-makers did not think it fits into the Constitution, there is no justification for importing such a right by strained construction" while in Kharak Singh the Court relied on the theory of the privacy established in the United States' decision in Wolf v. Colorado and denied as a constitutional right i.e. the right to privacy.

However, In the case of [7]K.S.Puttaswamy (Retd.) v. the Union of India, this question was again raised to the Hon'ble Supreme Court. In that case, the ‘Aadhaar Card System’ was challenged on the grounds that demographic details of the nationals of the country to be used for different purposes are obtained and processed which infringes [8]Article 21 as it enshrines the basic right to privacy. The Hon'ble Supreme Court referred the matter to the Constitutional Court of 9 (nine) judges on the complexity of the previous judicial precedents pertaining to the basic state of the right to privacy.

By its ruling on 24 August 2017, the Hon'ble Supreme Court held the following unanimously:-

· The MP Sharma decision that stated there is no fundamental right for the right to privacy is ruled over;

· Kharak Singh's decision insofar was overruled, as it finds that the security of privacy does not fall within the limits of the Constitution;

· The right to privacy is protected as an inherent aspect of the right to life and personal rights in line with Article 21 and in accordance with Part III of the Constitution;

· Decisions after Kharak Singh that set forth the position in (iii) above set the right legal position.

Accordingly, the jurisprudence on privacy has changed — from being valued as a right that covers other objectives to be an end in itself. In addition to upholding that privacy is a fundamental right, the decision further deemed informational privacy to be a subset of the right to privacy. This set the government in motion to take action to introduce new laws on data security to the nation.

After the judgement, the Union government notified the Supreme Court, that it has constituted a committee chaired by Retired Supreme Court Judge B.N. Srikrishna. The committee aimed to work on the “Data Protection Framework” and submit the report to the government. It was set up in July 2017 to address the data protection model.

The report has highlighted that the interests of the citizens and the responsibilities of the state have to be protected, but not at the cost of trade and industry. A draft of Personal Data Protection Bill was also proposed by the committee.


On 4 December, the Cabinet of the Union approved the implementation of the Personal Data Protection Bill in Parliament.

The proposed bill, the Personal data protection Bill 2018, was drawn up by a high-level advisory committee led by former Supreme Court Judge B.N. Srikrishna.

The SC guidelines led to the constitution of the [9]B.N. Srikrishna Committee

· Objectives Were:

• Legislation

• Comprehensive Surveillance Reform

• Prohibit Mass Surveillance

• Judicial Oversight

· Committee came out with a free and fair digital economy

• Protecting privacy, empowering Indians

• Made provisions of localized storage

• Ensure Consent

• Right to be forgotten

• Data Localisation

• Processing of sensitive personal data will require explicit consent.

The Bill deals with the general rules for the gathering, storing and handling of personal data, the consent of people, fines and payment, and the Code of Ethics.

The bill classifies 'Important Personal Data' as comprising passwords, financial details, health data, sex life, sexual orientation, biometric data, genetic data, transgender identity, intersex status, caste or tribe, intersex status, race or tribe, and social or political or religious views or affiliations. The bill specifies that any confidential personal data can only be accessed with the express consent of the individual involved and that such consent must be notified, explicit and precise as specified in the bill itself.

On 10th December 2019 the centre decided to refer the contentions of the Personal Data Protection Bill to a joint parliamentary committee instead of the already existing standing committee on information technology. It was supposed to be tabled in the winter session but the opposition parties criticized the bill as it enables snooping on citizens. So, then IT Minister Ravi Shankar Prasad stated that a joint select committee can examine it instead of referring it to the standing committee headed by opposition congress leader Shashi Tharoor. But that was a break from the standard practice.

Later Justice B.N. Shri Krishna said that the bill cleared by the cabinet is different from the original draft bill. He specifies that with the new version of the bill, the data could be misused by the government in several ways.


Shashi Tharoor discussed explicitly the [10]alternative data protection bill and stated that his bill is far better as compared to that of the government’s. He mentioned that as far as the government’s bill is concerned there are some deficiencies in it. He stated four points where he believes his bill will be an improvement from what they have come up with.

There are four major points that he addressed in his bill:

· Citizens own data- The proposed bill actually grants every citizen of India ownership of their own data which the government’s bill doesn’t provide.

· Applies to Aadhar- Th bill says that Aadhar has to be fully compliant with the data privacy provisions and Aadhaar.

· Tackles cyber snooping- The problem of monitoring, snooping, surveillance is the greatest ever threat in the cyber world.

· On the threat of surveillance to Indian Citizens- A body should be there which have the right to monitor even the government’s authorised or court authorised surveillance of your account.


It will not be a distinct department, just a few people, mostly representatives, selected by the government, to employ delegates from the DPA. Official reforms in the legislation, which require monitoring, have been protested by civil society groups.

A general authority is exercised over the government department to exempt from the rule of law (including access to personally identifiable records, citation for national security, inspection and enforcement of crimes, the public order).

A planned watchdog would mean that states are legally exempt from the charges for data mining. The chair of the committee that drew up the original bill, the Justice (Rtd) BN Srikrishna, supposedly referred to it as "a piece of legislation that could turn India into an Orwellian state."

Tech giants such as Facebook and Google and its business entities have been hit hard, especially those with direct ties to the USA. Much are concerned with the fragmented Internet, which would lead other countries to comply with the domino effect of the protectionist policies. The principle of a globalised, dynamic Internet economy in which data traffic is dictated by rates and speed, rather than by national borders, lies in much of this feeling.

The government's power to force firms to transfer non-personal information raises critical intellectual property issues and can also place customers at risk, especially even though they are not experienced directly.


According to its sweeping forces, K.S Puttaswamy vs. Union of India has little meaning in its case, probably making privacy an intrinsic part of life and democracy and therefore, a constitutional right- a fact. Certainly, the principle of privacy is not reflected in the draught legislation in its current form and the legislative committee is required to review it and to make necessary amendments.

[1]Personal data protection Bill, 2019

[2](2017) 10 SCC 1

[3]The Information Technology Act, 2000.

[4]Sec. 65-71, The Information Technology Act, 2000.

[5] (1964) 1 SCR 332.

[6](1954)SCR 1077.

[7](2017) 10 SCC 1.

[8]Indian Const. Art. 21.

[9]Surabhi Agarwal, Justice Srikrishna Committee submits report on data protection, The Economics Times, July 28, (2018)

[10]The Data Privacy and Protection Bill, 2017 by Dr Shashi Tharoor, M.P.

Navin Kumar Jaggi

Priyanshi Srivastava


Rated 0 out of 5 stars.
No ratings yet

Add a rating
bottom of page