top of page


In this post, the author has critically analysed the Personal Data Protection Bill, 2019 in the light of the excessive discretionary powers given to the Centre and the State which shall lead to the infringement of the right to privacy of individuals.

Personal Data Protection Bill, 2019 is a piece of legislation introduced on 11th December 2019 in the lower house of the Parliament[1]. This bill basically talks about the mechanism and process for the assessment of the personal data of an individual. It indicates that while an organisation (among other institutions) deals with the data of a person which is of inherent private nature, it needs to follow certain guidelines so that there is no harm to the parties engaged and their private information in the process. One of the significant problems and the criticism that this bill has drawn is the discretionary power given to the state and government so as to violate the privacy of an individual in certain situations and circumstances.

It is necessary that the personal data is used in a fair manner which is definitely given under Section 5 of the Bill. When the data is unfairly used, it leads to the breach of the rights of the person who has given his private and/or sensitive information. Thus, the data needs to be processed “lawfully, fairly and in a transparent manner”[2]. Chapter III of the Bill and particularly Section 12 highlights that the personal data can be accessed without gaining any permission from the concerned party. The grounds are listed under six categories whereby, if it is necessary under any law by Parliament or State; or in relation to any judgement or order; among other criteria. Further, under Section 35, it can also put under exception any government agency under this Act. For that purpose, the right to privacy of an individual comes into question.

International and Indian Overview

Under the ICCPR[3] which India had ratified[4], the specific and explicit mention exists of the protection of the right to privacy. It is implemented by way of the Human Rights Committee (HRC) accessible at the international level. The right to privacy is considered an important human right, and that is why it cannot be arbitrarily and without any due procedure be taken away from any individual. Since India has ratified this treaty, it becomes all the more obligatory to follow its procedures except for the reservation laid down. The HRC had clearly highlighted the importance of privacy. Even under UDHR[5], Article 12 talks about privacy being a fundamental element of the human rights principle.

The Supreme Court had in the recent and landmark judgement in 2018 of Justice K. S. Puttaswamy Case[6], held that the right to privacy is a fundamental right which is guaranteed to everyone under Article 21, 14 and 19 of the Constitution. It had explained that one has a basic human right to life and liberty and to ensure its consistency and harmony, the privacy of an individual is an essential element of it that cannot be separated. Thereby, the court had pronounced that every person has autonomy over his private affairs, his beliefs, decisions, and any other data that is construed as of personal nature to not to be disclosed to the public. But the court had said that this right is not absolute in nature similar to the other rights of fundamental nature enlisted in the Indian Constitution.

Is Privacy of an Individual Protected?

To understand the complexity of the issue of privacy involved in this Bill, it is essential to look at it from all angles. Even with privacy, it cannot be denied that there exist both “positive and negative rights”[7]. This implies that the right to privacy is not without limitation or unrestricted. It can be curtailed under the procedure by law as mentioned under Article 21[8]. But the real question arises whether this due procedure of law criteria is upheld under the Personal Data Protection Bill, 2019?

The comparison is to be made to the European Union’s General Data Privacy Regulation (GDPR), 2016 that relates to a similar matter and focuses on the privacy law and data protection. A data principle is a person who gives his personal information. His rights are limited under the Bill when it comes to seeking remedies on the upfront when a breach happens. But the power given to the government is at a stronghold as it can undertake to use the information of the data principle under several criteria. It also provides them with the power to exempt their own offices in that matter. Moreover, the foreign data to be processed in India is also under exception[9].

Though, it cannot be denied that the bill had aimed at protecting the privacy of the individuals by way of effective mechanism on how certain organisation would utilize data. But the role of the government to encroach the rights with unlimited power given to them becomes an issue at hand. By way of coercing, through legal way (as in the Bill), the government can now get the data from the organisations. This data can be collected by the government through legal ways having control over the complete personal and/or sensitive data by the government which can when hacked into; may lead to vulnerable crime on a large scale.


To sum up, it can indeed be said that the government is given the upper-hand in handling personal data and more power. It is necessary to make sure that the data of an individual does not get into a vulnerable position and is handled with care. For that purpose, it becomes all the more significant to bring changes in the matter with relation to the privacy as it has been held to be constitutionally valid and fundamental along with it being a part of the human rights. The changes by the way of stronger and stringent mechanism and framework is necessary to make sure that the data or the information of the individual is protected and if infringed, he can seek remedy at an appropriate and faster rate.

References: [1] Introduced in Lok Sabha by Mr. Ravi Shankar, Minister of Electronics and Information Technology [2] Article 5 (1) (a) of the European General Data Protection Regulation (GDPR) [3] Article 17 of the International Covenant on Civil and Political Rights (ICCPR) [4] India ratified ICCPR in 10th April, 1979. [5] Universal Declaration on Human Rights, adopted by the United Nations General Assembly on 10th December, 1948 [6] Justice K. S. Puttaswamy (Retd.) & Anr. V. Union of India & ors., Writ Petition (Civil) No. 494 of 2012 [7] id. [8] People’s Union of Civil Liberties V. Union of India & Anr. AIR (1997) SC 568 [9] Section 86 and Clause 37 of Personal Data Protection Bill, 2019

Submitted by:

Arushi Anand,

Vivekananda Institute of Professional Study

(Images used for representative purpose only)


bottom of page