consumer data protection

This article is written by Parul Bhati and Aditya Gupta, students of law at Faculty of Law, University of Delhi.


More than 3 years ago, on 24th August 2017, a 9-Judge Bench of the Supreme Court delivered a unanimous verdict in Justice K.S. Puttaswamy vs. Union of India, affirming that the Constitution of India guarantees to each individual a fundamental right to privacy. Fast forward to 2021: India has witnessed a deadly global pandemic, a plethora of privacy breach cases, marathon bans on popular mobile apps over data security, and some high-profile unauthorized data harvesting scandals like Cambridge Analytica and Pegasus Spyware. All this brings us to a rather fundamental question: Is the Right to Privacy a fundamental right in reality? Is the individual the real owner of his data?

Data is the New Oil

In the digital age where data is regarded as the new oil, it is quite tempting for corporates, political parties, or independent organizations to further their agenda through better targeting of users, voters, or the public in general. This involves extensive collection of data through various platforms and then processing and profiling the data to make it usable, just like fuel is refined to power machines.

GDPR and its Domino effect

India has always been prone to data theft and unauthorized use of data, which is attributed to its weak data protection norms and the absence of a regulatory authority. However, the recent General Data Protection Regulation (GDPR) norms defined by the European Union have triggered a domino effect on other countries that are reliant on digital services and interested in keeping the data of their citizens safe from external threats. Even during the pandemic, many countries have introduced their own data protection and privacy laws, including Brazil, New Zealand, South Africa, Singapore, and Dubai. It is also worth noting that, according to UNCTAD, almost 10% of countries in the world currently have at least draft legislation on the issue.

Need for the Legislation

India is currently regulated by the Information Technology Act, 2000, and the current regulations under the Act do not provide an effective bulwark against unethical personal data processing: firstly, because no restrictions are placed on data fiduciaries, and secondly, because even where limitations are placed, they can easily be breached through a contract.

The Personal Data Protection Bill, 2019

India is set to adopt the updated version of the Personal Data Protection Bill, which was formulated on the recommendation of the Supreme Court in the Puttaswamy judgment by a committee led by a retired judge of the Supreme Court, Justice B.N. Srikrishna. The bill was introduced in Parliament on 11th December 2019 by Ravi Shankar Prasad (Minister of Electronics and Information) and was subsequently referred to a Joint Parliamentary Committee under MP Meenakshi Lekhi. The updated act, set to debut in the budget session, contains 89 amendments and the addition of a new clause to the bill.

Notable Provisions of the Bill

The bill seeks to secure the personal data of millions of Indian citizens using the services of foreign-based companies by mandating Data Localization and ensuring proper checks on Data Fiduciaries (which include the government, companies including foreign companies, and social media platforms) for the protection of their users' data.

The proposed legislation trifurcates Data into 3 categories: Critical (includes data pertaining to defense and intelligence services as well as payments data from foreign banking services like Visa and Mastercard), Sensitive (pertaining to Health, Religion, Political orientation, Biometrics, Genetics, Sexual orientation and Financial data of individuals) and Personal.

While the legislation prohibits the sharing and processing of critical data outside India, it places limitations on data processing in case of sensitive data, requiring the consent of the user. 

The bill also proposes the establishment of a Data Protection Authority under section 41(1) of the bill, a supreme regulatory body to be appointed by the government that will ensure compliance with the law by data fiduciaries. The authority will also push for “Data Localization”, which mandates that the data of Indians be stored in India. The data can, however, go outside India for processing by data processors (barring critical personal data). The bill gives the data principal an opportunity to correct and erase any personal data.

It also mandates that personal data should be shared only to the extent of the purpose, and that surveillance should only be conducted for the specific purposes for which it is authorized.

Exceptions to Data Processing Clause

The legislation identifies instances where data can be accessed without restrictions:

  1. For delivering the benefit of state services to the individuals,
  2. For taking legal action against individuals, and
  3. In cases of medical emergency.

The provisions will also not be applicable to investigation agencies of the state and to investigative journalists, with necessary safeguards.

The government can seek Non-Personal data from data fiduciaries at any time (section 35) for national security and public order and to improve its services.

The bill also contains the idea of “Data Sovereignty” which empowers the government to access critical data when it is satisfied that it is in the interest of sovereignty and integrity of India or to prevent any cognizable offence laid out in section 2 of the Indian Penal Code.

Contentions about the Bill

The Act is set to put India’s data protection laws in line with the European regulations. However, it has drawn several contentions regarding its working and the role of the Government in it.

Firstly, the Data Protection Bill is much more stringent than the GDPR norms laid down by the EU, and it provides the Centre with wide powers with regard to the DPA and the appointment of Adjudicating Officers. It also has many grey areas and undefined terms like “interest of sovereignty and integrity of India” and “public order” that can potentially be exploited to create an “Orwellian State”, as warned by Justice B.N. Srikrishna.

Secondly, the Data Principal (DP) has to first complain to the Data Fiduciary, and only if the Data Fiduciary is satisfied that such a breach is likely to cause harm to the DP is it required to inform the DPA. This Bill, therefore, gives much authority to the Data Fiduciaries and the Adjudicating Officers.

Thirdly, the bill empowers the Data Principal with a “Right to be forgotten” under section 20. However, he bears the responsibility of proving that his right or interest in preventing or restricting the continued disclosure of his personal data overrides the right to freedom of speech and expression and the right to information of any other citizen.


As rightly quoted by Justice J.S. Khehar in the famous Aadhaar case, “Informational Privacy is a facet of the right to privacy”.

Considering the instances of data theft and its misuse by foreign elements and organizations, India is in dire need of reforms and legislation in the sector of data protection for its citizens. However, the Bill must equally balance the intervention of the government in the process and maintain proper checks and balances to keep everyone accountable. It is also important to note that it is not the legislation but its implementation that guarantees that it serves its purpose.

As quoted by Satya Nadella in his speech at the World Economic Forum on “Data Dignity”, individuals should have greater control over their data and a larger share in the value it creates. It is high time that the Data Principal is given the sole ownership of his data.

