Personal Data Protection Bill, 2019


Overview

The Personal Data Protection Bill, 2019 (PDP Bill) was a proposed legislation in India aimed at establishing a comprehensive data protection framework for personal data. It was the result of a deliberative process that began after the Supreme Court of India’s landmark 2017 judgment declaring the Right to Privacy as a fundamental right (Puttaswamy case). The Bill was drafted by a committee headed by Justice B.N. Srikrishna, submitted in 2018, and then introduced in Parliament in December 2019. It sought to regulate how governments, companies, and other entities (termed “data fiduciaries”) collect, process, store, and transfer personal data of individuals (“data principals”), and to provide rights to individuals over their data.

The 2019 Bill, however, went through scrutiny by a Joint Parliamentary Committee (JPC) which suggested many amendments (including renaming it “Data Protection Bill, 2021”). Eventually, in August 2022, the government withdrew this Bill, with an intent to replace it with a new draft (which materialized as the Digital Personal Data Protection Bill, 2022, and further as an Act in 2023). Nevertheless, the PDP Bill, 2019 serves as the cornerstone for understanding India’s approach to data protection and many of its concepts carry into the new law.

Key Provisions of the Bill

Data Fiduciaries and Data Principals: The Bill distinguished the roles of those who determine the purpose and means of processing (data fiduciaries, which could be companies, government, individuals processing data of others) and the individuals whose data is processed (data principals).

Data Categories: It defined Personal Data as any data about or relating to a natural person who is identifiable from that data (either directly or indirectly). It also carved out Sensitive Personal Data (SPD) such as financial information, health data, official identifiers, sex life, sexual orientation, biometric, genetic, transgender status, caste, religious beliefs, etc. and Critical Personal Data (to be specified by government, intended to be a subset of SPD that must be stored only in India). Sensitive data had stricter rules (like requiring explicit consent and needing storage at least in India, though it could be transferred out under certain conditions), whereas Critical data was to be processed only in India (no transfer abroad at all) – a controversial data localization mandate.

Legal Grounds for Processing: The Bill largely centered on consent as a lawful basis for processing personal data. Consent had to be free, informed, specific, clear, and capable of being withdrawn. For sensitive data, explicit consent was required. The Bill also allowed certain non-consent bases such as for state functions (e.g., if the government needs to issue a certificate), legal proceedings, or for “reasonable purposes” to be defined (such as fraud detection or credit scoring). There was also a provision for processing without consent for “prompt action” in emergencies (like disaster, public health crisis, etc.).

Data Principal Rights: Individuals were to be given rights including:

• The right to confirm whether their data is being processed and to access it (similar to a subject access request).

• The right to correction and erasure of their data if it’s inaccurate, incomplete, or has served its purpose.

• The right to data portability (get their data in a machine-readable format from one service to port to another, with some exceptions).

• The right to be forgotten (which in this bill meant the ability to restrict or prevent continuing disclosure of their data by a fiduciary, sort of like removing public access; not absolute deletion as in the European sense; it required adjudication to approve such requests because it balanced free speech).

These rights had to be exercised by request to the data fiduciary and could be appealed if denied.

Obligations on Data Fiduciaries: Entities processing data had a host of obligations:

Purpose Limitation and Collection Limitation: They should collect data only for a clear, specific purpose and not use it for other purposes without fresh consent.

Data Minimization: Only data necessary for the purpose should be collected.

Transparency: They must have clear privacy policies and give information to individuals about how data is used.

Data Security: They must implement security safeguards (encryption, etc.). If there is a data breach, they must report it to the Data Protection Authority and possibly to the affected individuals based on severity.

Accountability Measures: Significant data fiduciaries (those above certain thresholds like dealing with large volumes of data) had enhanced obligations such as conducting Data Protection Impact Assessments for risky processing, having data audits, appointing a Data Protection Officer (DPO), and possibly local storage requirements.

Data Retention: Data shouldn’t be retained beyond the needed period. Periodic deletion or review was mandated.

Data Localization: The Bill mandated that a copy of all personal data must be stored on servers in India. Sensitive personal data could be transferred outside India for processing, but a copy still had to be kept in India, and transfer was allowed only if certain conditions were met (such as consent, and transfer to jurisdictions approved by the government or under specific safeguards). Critical personal data was barred from leaving India (it had to be processed and stored only in India). This was one of the most debated aspects of the Bill, as it imposed costs on global businesses and raised trade concerns.

Data Protection Authority (DPA): A regulatory body was proposed to oversee and enforce the law. The DPA would consist of a chairperson and members, empowered to draft detailed regulations, monitor compliance, investigate complaints, and impose penalties. The DPA could also classify certain fiduciaries as “significant data fiduciaries” based on criteria (volume of data, sensitivity, turnover, etc.), which then triggered extra compliance such as mandatory audits and DPO appointment. Concerns were raised about the composition and independence of the DPA, given that the appointment process involved the central government heavily.

Penalties and Compensation: The Bill proposed hefty penalties for violations – e.g., up to ₹5 crores or 2% of global turnover (whichever is higher) for certain lapses (like not implementing security safeguards or not reporting a breach), and up to ₹15 crores or 4% of global turnover for more serious violations (like unlawfully processing data, violating cross-border rules, etc.). It also provided criminal penalties for mishandling sensitive personal data (e.g., intentional re-identification of de-identified data without consent could lead to imprisonment). Individuals could seek compensation for harms caused by data breaches or violations, through adjudication by the DPA or the courts.

Exemptions: The Bill provided some exemptions: for example, processing for “personal or domestic purposes” by an individual was exempt. Data processed for journalistic purposes or research/statistical purposes had relaxed provisions. Most notably, the central government could exempt any of its agencies from most provisions of the law, via an order, for reasons such as national security, public order, or the prevention/detection of crime (this broad exemption for government agencies was a point of contention, as it could be sweeping and without much oversight). The JPC later recommended even broader exemptions for the government, which privacy advocates criticized.

Implications and Current Status

When introduced, the PDP Bill 2019 was seen as India’s equivalent of the European GDPR (though it had differences, e.g., data localization and some larger carve-outs for government). Companies started preparing for it, anticipating it would become law. Many began appointing internal data protection leads, doing gap analyses, and tweaking data collection practices (like seeking explicit consent for sensitive data, setting up processes for rights requests, etc.). It was also expected to significantly impact how global tech companies operate in India, due to localization and user rights mandates.

However, the Bill was heavily debated and remained stuck in the committee stage for a long time. The Joint Parliamentary Committee gave its report in late 2021 with many recommended changes (including bringing non-personal data regulation into its ambit, which made it even more expansive, and renaming it). Perhaps due to this expansion and some contentious clauses, the government decided to scrap this draft and come up with a simpler one.

As of 2025, the Personal Data Protection Bill, 2019 is not law. Instead, a new law titled the Digital Personal Data Protection Act, 2023 (DPDP Act) was passed in August 2023, which simplifies the approach: it focuses only on digital personal data, eases data localization (no hard requirement, only a power for the government to ensure access), narrows user rights to mostly consent, correction, and erasure, and significantly cuts down the regulator’s independence (the new Data Protection Board is fully government-appointed). The DPDP Act is industry-friendly in some ways but has drawn criticism for not being as robust as the PDP Bill was in protecting privacy.

For HR and compliance officers, understanding the PDP Bill’s framework is still useful because the DPDP Act inherited many of its terms, such as data fiduciary, data principal, and consent requirements, though in a lighter form. Also, organizations that had aligned with the anticipated PDP Bill requirements are generally in a good position for compliance with the new law.

In sum, the PDP Bill 2019 was a milestone in India’s journey to data privacy law, setting the vision and vocabulary for data protection in India, even if it didn’t become the final law. Companies had to monitor its progress closely, and now adapt to the enacted version. Privacy and data protection remain dynamic areas, and organizations must stay agile in compliance as rules evolve.
