Here’s All You Need to Know About the Draft Personal Data Protection Bill, 2018

For those of you who didn’t know, over the last 24 months alone, the amount of data we have generated is close to 90% of the overall data generated. With tons of different gadgets and devices around us – from smartwatches and smartphones to smart refrigerators and fitbits – we generate data of around 2.5 quintillion bytes every single day.

Though on one side this is the best time to be alive, this also the time our identities are at stake. While we are not going to that aspect, we want to shed light on one of the most revolutionary steps taken in terms of data protection. Recently in India, a data draft protection bill was passed by the special Committee of Experts on Data Protection Framework for India. Justice B.N. Srikrishna – on the chair – presented the report and bill to the Ministry of Electronics and Information Technology on the 27th of July 2018 and here’s everything you should know about the Bill.

Individual Rights with respect to data

The bill gives an individual with three distinct rights on data. These include the right to

  • Know whether the provided data has been processed
  • Get incorrect, incomplete or outdated data corrected
  • And transfer the data to another fiduciary under circumstances

Fiduciary refers to the relationship between the individual and a service provider, where there is a dependency on the submission of data to obtain specific services from the provider.

Duties of the Fiduciary

The service provider, on the other hand, is obligated with several responsibilities such as the following:

  • Implement proper and airtight data processing policies
  • Maintain transparency in terms of data usage and processing
  • Take security measures in terms of data maintenance and transactions (encryption)
  • Establish grievance redressal channels and communications to resolve data-related user complaints

An Authority for Data Protection

The bill also emphasizes the set up of a standalone authority to protect data. The powers vested with the authority are:

  • To protect individuals’ interests
  • To prevent abuse or misuse of personal data
  • To ensure proper compliance with the Bill at all times

Personal Data Processing

The Bill points out the requirement of consent for processing of personal data. In certain situations however, the Bill identifies consent may not be fetched for processing. In such cases, the ground rules for data processing would be the following:

  • If it’s necessary by the parliament, state legislature or government to provide benefits to individuals
  • If it’s required under law or compliance of a court judgement
  • At times of medical emergencies, threat to public order or health
  • During specific purposes identified by the authority (cases like whistleblowing, debt recovery and more)

Sensitive Personal Data

The Bill identifies that any sensitive personal data such as biometrics, passwords, genetic data, caste, orientation, religious/political beliefs and more would be processed only with explicit consent from the individual. Besides, the processing of sensitive personal data can also be carried out if it’s required by law, court judgement or during times of emergencies and threat to public order or health.

More importantly, the fiduciary is also required to bring in ideal mechanisms or strategies to verify age of users and work on parental consent when collecting details of children.

Personal Data Transfer to Other Countries

The transfer of personal data (and not sensitive data) to foreign countries is allowed only under the permissible orders of the central government or when the Authority approves of such transfers.


The Bill also points out exemptions from policy and rules compliance for reasons that include

  • State security
  • Investigation, prosecution and prevention of offence
  • Personal, domestic or journalistic purposes


If the fiduciary is found to fail in performing its duties, adhering to the compliances or violate data processing ground rules, the Authority has the right to penalize from over Rs. 5 crore to even 2% of the global turnover of the fiduciary.

Law Amendments

The Bill makes consequential amendments to the IT Act of 2000, the Right to Information Act of 2005 and to the non-disclosure of personal data where any harm to individual outweighs public welfare or good.

The pointers mentioned are brought to you by PRS Legislative Research. If you intend to know more about the Bill and have a better understanding of its consequences, your role and that of a fiduciary, click here.

Related Articles

Please wait while your application is being created.
Request Callback