Introduction of the Personal Data Protection Bill, 2019

As part of India’s broader journey culminating in the Digital Personal Data Protection Act, 2023, the Government introduced the Personal Data Protection Bill, 2019 in the Lok Sabha on 11 December 2019. The Bill was introduced by Ravi Shankar Prasad, then Union Minister for Electronics and Information Technology.

The 2019 Bill was a revised version of the 2018 draft prepared by the Justice B.N. Srikrishna Committee. While it retained the foundational structure of rights and regulatory oversight, it incorporated several modifications reflecting the Government’s policy approach.

Salient Features of the 2019 Bill

The 2019 Bill continued the rights-based framework established in the 2018 draft. It preserved:

- Rights of data principals
- Obligations of data fiduciaries
- Oversight by a Data Protection Authority

However, it introduced certain key features:

Broad Exemptions to the State
The Bill allowed the Central Government to exempt its agencies from certain provisions on grounds such as national security, sovereignty, public order, and integrity of India. These provisions became one of the most debated aspects of the Bill.

Data Localisation Requirements
Sensitive personal data was required to be stored in India, although transfers abroad were permitted under specified conditions. This reflected concerns about data sovereignty and regulatory control.

Establishment of the Data Protection Authority of India
The Bill proposed a statutory Data Protection Authority (DPA) to monitor compliance, issue regulations, and enforce penalties.

Despite maintaining the overall structure of the earlier draft, the 2019 Bill attracted significant criticism from industry stakeholders and civil society groups, particularly regarding government exemptions and compliance burdens.

Reference to the Joint Parliamentary Committee (JPC)

Immediately after its introduction, the Bill was referred to a Joint Parliamentary Committee (JPC).
The referral was prompted by:

- Significant public concern
- Industry opposition
- Civil society criticism regarding the scope of government exemptions

The decision to refer the Bill indicated Parliament’s recognition of the need for deeper scrutiny and broader stakeholder engagement.

Joint Parliamentary Committee (2019–2021)

Constitution and Functioning of the JPC

The JPC comprised members from both Houses of Parliament.

- Initial Chairperson: Meenakshi Lekhi
- Final Chairperson (at the time of tabling the report): P. P. Chaudhary

The Committee conducted extensive stakeholder consultations, heard expert testimonies, and examined comparative global data protection frameworks. Its deliberations spanned nearly two years, reflecting the complexity and importance of the subject.

JPC Report (December 2021)

On 16 December 2021, the JPC submitted its report recommending substantial structural changes. The Committee concluded that the 2019 Bill required fundamental restructuring rather than minor amendments.

Major Recommendations of the JPC

Expansion of Scope
The Committee recommended that the law regulate both personal and non-personal data and suggested renaming it the “Data Protection Act” to reflect a broader mandate.

Stronger Definition of Harm
“Harm” was expanded to include psychological manipulation and behavioural profiling, acknowledging emerging digital risks.

Mandatory Data Breach Reporting
All data breaches were to be reported to the authority within 72 hours, without discretionary exemptions.

Regulation of Government Exemptions
State exemptions were recommended to be subject to standards of legality, necessity, and proportionality, along with stronger procedural safeguards.

Institutional Reforms
The appointment process of the Data Protection Authority was recommended to include independent experts to strengthen institutional autonomy.

Children’s Data Protection
Stricter rules were proposed for processing children’s data, particularly concerning profiling and targeted advertising.

Implementation Timelines
Clear timelines were recommended for operationalising the authority and enforcing compliance obligations.

The Digital Personal Data Protection (DPDP) Act, 2023: Constitutional Roots and Legislative Evolution

I. Constitutional and Policy Background (Pre-2018)

Justice K.S. Puttaswamy v. Union of India

India’s journey toward a comprehensive data protection law began with a constitutional milestone. In 2017, a nine-judge Constitution Bench of the Supreme Court in Justice K.S. Puttaswamy v. Union of India unanimously declared that the right to privacy is a fundamental right under Articles 14, 19, and 21 of the Constitution.

The Court held that privacy is intrinsic to life and personal liberty, and extends to informational self-determination. In doing so, it emphasized that any restriction on privacy must satisfy the tests of legality, necessity, and proportionality, along with procedural safeguards.

This judgment came at a time when India was undergoing rapid digital transformation:

- Expansion of Aadhaar-linked welfare schemes
- Growth of digital governance platforms
- Rapid penetration of smartphones and internet usage
- Rise of e-commerce, fintech, and data-driven private enterprises

The absence of a dedicated data protection framework created legal uncertainty. While the Information Technology Act, 2000 and related rules addressed certain aspects of data security, they lacked a rights-based architecture. Post-Puttaswamy, it became constitutionally imperative for the State to enact a comprehensive data protection regime that balanced innovation with civil liberties.

II. Expert Committee and Draft Bill, 2018

Constitution of the Srikrishna Committee (2017)

In response to the Supreme Court’s mandate, the Government of India constituted an Expert Committee in 2017 under the chairmanship of Justice B. N. Srikrishna.

The Committee included senior policymakers, technologists, academics, and legal experts such as Aruna Sundararajan, Dr. Ajay Bhushan Pandey, Dr. Gulshan Rai, Prof. Rishikesha Krishnan, Prof. Rajat Moona, Arghya Sengupta, and Rama Vedashree.
The Committee’s objective was to examine data protection issues and recommend a robust legislative framework suitable for India’s socio-economic realities.

Draft Personal Data Protection Bill, 2018

In July 2018, the Committee submitted:

- Its landmark report titled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians”
- The Draft Personal Data Protection Bill, 2018

The report emphasized that data protection is not merely a regulatory issue, but a constitutional necessity rooted in dignity and autonomy.

Key Features of the 2018 Draft

Data Principals’ Rights
Individuals (termed “data principals”) were granted rights such as:

- Right to confirmation and access
- Right to correction and erasure
- Right to data portability
- Right to be forgotten

This marked a shift toward a rights-centric framework.

Data Fiduciaries and Data Processors
Borrowing conceptually from global frameworks like the EU GDPR, the Bill introduced:

- Data Fiduciaries: entities determining purpose and means of processing
- Data Processors: entities processing data on behalf of fiduciaries

The fiduciary relationship underscored a duty of care toward individuals.

Data Protection Authority (DPA)
The Bill proposed an independent regulator, the Data Protection Authority, with investigative, corrective, and adjudicatory powers.

Sensitive Personal Data Classification
The Bill categorized certain data (health, biometric, financial, etc.) as “sensitive personal data,” requiring higher compliance standards.

Cross-Border Data Transfer Restrictions
It introduced localization mandates for sensitive personal data, reflecting concerns over sovereignty and enforcement.

Emphasis on Consent and Purpose Limitation
Processing was required to be:

- Lawful
- Fair and reasonable
- Based on informed consent
- Limited to specified purposes

Conclusion

The 2018 Draft Bill laid the intellectual and structural foundation for India’s modern data protection regime.
While the legislative journey witnessed multiple revisions and debates, the constitutional anchor remained constant: privacy as a fundamental right. Ultimately, this evolutionary process culminated in the enactment of the Digital Personal Data Protection Act, 2023, reflecting India’s attempt to harmonize digital innovation, state interests, and individual rights in a rapidly transforming technological landscape.