Introduction of the Personal Data Protection Bill, 2019
As part of India’s broader journey culminating in the Digital Personal Data Protection Act, 2023, the Government introduced the Personal Data Protection Bill, 2019 in the Lok Sabha on 11 December 2019. The Bill was introduced by Ravi Shankar Prasad, then Union Minister for Electronics and Information Technology.
The 2019 Bill was a revised version of the 2018 draft prepared by the Justice B.N. Srikrishna Committee. While it retained the foundational structure of rights and regulatory oversight, it incorporated several modifications reflecting the Government’s policy approach.
Salient Features of the 2019 Bill
The 2019 Bill continued the rights-based framework established in the 2018 draft. It preserved:
- Rights of data principals
- Obligations of data fiduciaries
- Oversight by a Data Protection Authority
However, it introduced certain key features:
- Broad Exemptions to the State
The Bill allowed the Central Government to exempt its agencies from certain provisions on grounds such as national security, sovereignty, public order, and integrity of India. These provisions became one of the most debated aspects of the Bill. - Data Localisation Requirements
Sensitive personal data was required to be stored in India, although transfers abroad were permitted under specified conditions. This reflected concerns about data sovereignty and regulatory control. - Establishment of the Data Protection Authority of India
The Bill proposed a statutory Data Protection Authority (DPA) to monitor compliance, issue regulations, and enforce penalties.
Despite maintaining the overall structure of the earlier draft, the 2019 Bill attracted significant criticism from industry stakeholders and civil society groups, particularly regarding government exemptions and compliance burdens.
Reference to the Joint Parliamentary Committee (JPC)
Immediately after its introduction, the Bill was referred to a Joint Parliamentary Committee (JPC). The referral was prompted by:
- Significant public concern
- Industry opposition
- Civil society criticism regarding the scope of government exemptions
The decision to refer the Bill indicated Parliament’s recognition of the need for deeper scrutiny and broader stakeholder engagement.
Joint Parliamentary Committee (2019–2021)
- Constitution and Functioning of the JPC
The JPC comprised members from both Houses of Parliament.
- Initial Chairperson: Meenakshi Lekhi
- Final Chairperson (at the time of tabling the report): P. P. Chaudhary
The Committee conducted extensive stakeholder consultations, heard expert testimonies, and examined comparative global data protection frameworks. Its deliberations spanned nearly two years, reflecting the complexity and importance of the subject.
- JPC Report (December 2021)
On 16 December 2021, the JPC submitted its report recommending substantial structural changes. The Committee concluded that the 2019 Bill required fundamental restructuring rather than minor amendments.
Major Recommendations of the JPC
- Expansion of Scope
The Committee recommended that the law regulate both personal and non-personal data and suggested renaming it the “Data Protection Act” to reflect a broader mandate. - Stronger Definition of Harm
“Harm” was expanded to include psychological manipulation and behavioural profiling, acknowledging emerging digital risks. - Mandatory Data Breach Reporting
All data breaches were to be reported to the authority within 72 hours, without discretionary exemptions. - Regulation of Government Exemptions
State exemptions were recommended to be subject to standards of legality, necessity, and proportionality, along with stronger procedural safeguards. - Institutional Reforms
The appointment process of the Data Protection Authority was recommended to include independent experts to strengthen institutional autonomy. - Children’s Data Protection
Stricter rules were proposed for processing children’s data, particularly concerning profiling and targeted advertising. - Implementation Timelines
Clear timelines were recommended for operationalising the authority and enforcing compliance obligations.
Recent Posts
- Supreme Court on Prolonged Pre-Trial Detention: A Violation of Rights
- Section 13 of the Hindu Marriage Act, 1955: Grounds of Divorce
- Judicial Separation under Hindu Law: A Legal Perspective
- Sections 11 and 12 of the Hindu Marriage Act, 1955: Void and Voidable Marriages
- Digital Personal Data Protection Act, 2023-Key Compliance Requirements under the Legal Framework
- Digital Personal Data Protection Act, 2023Applicability of the Act to Companies and Organisations
- Digital Personal Data Protection Act, 2023,Implications and Consequences of Non-Compliance, including Relevant Penalties
- Digital Personal Data Protection Act, 2023, Legislative Evolution: Withdrawal of the 2019 Bill and Enactment of the DPDP Framework
- Digital Personal Data Protection Act, 2023- Legislative Evolution: The Personal Data Protection Bill, 2019 and the JPC Process
- The Digital Personal Data Protection (DPDP) Act, 2023,Constitutional Roots and Legislative Evolution