हिंदी समाचार पढ़े
O.P. Jindal Global University
Home / Corporate Law News / European Union flags concerns on certain provisions of Data Protection Bill, Read Bill Text

European Union flags concerns on certain provisions of Data Protection Bill, Read Bill Text

November 21, 2018:

The Union also asserted that the proposed Data Protection Authority (DPA) needs to be allowed to function independently & impartially.

Draft Personal Data Protection Bill, 2018
Draft Personal Data Protection Bill, 2018

The European Union has expressed concerns over data localisation stipulations certain other provisions of India’s draft Personal Data Protection Bill, 2018.

The union also asserted that the proposed Data Protection Authority (DPA) needs to be allowed to function independently & impartially.

In its submission to the Indian IT Ministry, the delegation of the European Union to India & Bhutan said the law, if adopted, will contribute to facilitating data flows between the EU & India, & could open the way for a possible adequacy dialogue between the two sides.

However, it also made certain observations across various aspects of the Bill that was drafted by the committee led by Justice BN Srikrishna to develop a framework on data protection norms in India.

“In general, the draft law in a number of places leaves discretion to decide key matters in the hands of the Central Government or the DPA rather than dealing with them in the draft itself. This could create some uncertainties which could perhaps be avoided by providing further clarifications,” it noted.

The submission pointed out that having a data protection authority is important for both — citizens & businesses.

It emphasised that to effectively play its role, it is essential that the authority “acts with complete independence & impartiality in performing its duties & exercising its powers, free from any external influence”.
Source Link

Key Features

The Data Protection Bill identifies three parties who are the stakeholders in data protection. Firstly, Data Principal is the person whose data is being collected.

Secondly, Data Fiduciary is the one who determines how & why the data shall be collected.

Thirdly, Data Processor is the one which processes the data.

These roles are akin to those of Data Subject, Data Controller & Data Processor as given under GDPR. Inter alia, the Bill casts the following key obligations:

Ø Obtain consent of the data principal before collecting or processing data

Ø Provide access to the data principal of the data collected

Ø If the data breach is likely to harm the data principal, then the data fiduciary is required to notify such breach to the authorities.

Ø Conduct data impact assessment

Ø Locally store copy of data if data is being shared across borders.

Ø To obtain explicit consent where the data concerned is sensitive personal data

Ø Appoint a data protection officer

Ø Conduct a fair & reasonable processing of personal data only for the clear & specific purpose for which the data is collected.

Ø The right to be forgotten has been introduced by the Bill. However, the Bill does not talk about deleting the data once the purpose is fulfilled, however the data principal may ask the fiduciary to restrict its usage once the purpose of the data is fulfilled.

Ø To prevent any kind of misuse or allow any unauthorised access to personal data.

Personal Data Protection Bill, 2018 (Downloadable PDF)

Analysis of the Personal Data Protection Bill, 2018

Prima facie, there are the following loopholes extant in the Bill:

Ø Localisation of Data

The Data Protection Bill while outlining the provision for transfer of personal data outside India has provided for localisation of such data. Localisation of data embodies two elements:

· Firstly, it mandates that at least one copy of the personal data so collected shall be saved on the local servers within the country.

· Secondly, it calls for classification of data into critical data. This critical data is permitted to be processed only in India & no transfer outside India of such data is permissible.

On the face of it, this provision appears to provide a stringent protection mechanism. However, in reality, the setting up of a local server to store a copy of the personal data so collected locally, would prove to be too expensive for companies. This step would prove detrimental for companies, especially start-ups, as any data shared across borders would be required to be stored locally.

Moreover, the second element of localisation which mandates that critical data be processed only in India is at best a vague provision. No definition of what constitutes critical data or what might constitute critical data is provided for in the Bill.

In the absence of any explicit definition or indicators, how are companies supposed to identify this critical data. To add to this confusion, the term sensitive data is used under section 40 in addition to critical data. This clearly leads to the conclusion that the two are different. Hence, the portion of the Bill pertaining to cross border sharing of personal data is vague, ambiguous & confusing.

Ø Difference between consent & explicit consent

The Data Protection Bill has given utmost importance to the principle of consent. It reiterates time & again that the consent so given should be free, informed & specific. However, it distinguishes between the degree of consent required for personal data & that required for sensitive personal data. It states that the consent required for the collection & processing of sensitive personal data should be explicit.

The definition of explicit consent again is not very clearly laid out. It touches upon the same elements which are included in the definition of consent. Moreover, sensitive personal data is a species of the broad genre of personal data & hence, the degree of consent required should not vary.

Ø Exceptions under the Data Protection Bill

Unlike its counterpart, the Data Protection Bill has carved out several exceptions to the obligations outlined under it. Various exceptions have been carved out for the State. Chapter IX of the Bill lays down a number of exceptions to the therein mentioned obligations.

Moreover, section 17 of the Data Protection Bill lays down a number of purposes classified as `reasonable purposes for which data processing may be undertaken. So many escape routes & exemptions, make the data protection bill a weak law.

Ø Data Breach Notification

Under the GDPR, the data controller is required to notify the authorities within a stipulated time period of data breach occurs. However, under the Indian data protection Bill, the data breach notification is required only when the data fiduciary thinks that the breach is likely to harm the data principal. Leaving such discretion in the hands of the data fiduciary is erroneous. Such provision has the effect of translating data breach notification into a hollow requirement devoid of any real consequences.


The Data Protection Bill despite being a shoddily drafted piece of legislation, at least shows the commitment of the government towards introducing data privacy in the country. It is heavily based after the EU GDPR Regulations. However, despite its shortcomings, as discussed above, it also has certain merits which should not be overlooked. It has introduced steep penalties for violation, hence, making data protection a priority in companies collecting such data’s list. It has laid down a framework which for data protection in the country.

The principles of `no means no’ & free & informed consent go a long way in establishing the supremacy of the data principal. Similarly the obligations introduced for data protection in cross-border sharing of personal data also show the commitment towards data privacy. With a little tweaking & amendments, the data protection Bill has the potential of becoming a phenomenal piece of legislation. Its drafting & implementation, if done properly, can help perpetuate efficient data protection standards in India.

However, in order to remain compliant with the Bill in its current form, the following practices may be adopted:

Ø Collect/process data only after obtaining consent from the data principal. If the data being collected is sensitive data then explicit consent needs to be collected.

Ø The data so collected should only be used for the purpose for which it is collected.

Ø The purpose of data collection should be lawful & in accordance with the Bill.

Ø Draft & maintain a Data Privacy policy in consonance with the Bill.

Ø Provide access to data principal of the personal data collected by them.

Personal Data Protection Bill, 2018: Right in Direction, Less in Efficacy By: Bhumesh Verma

Personal Data Protection Bill, 2018 by Latest Laws Team on Scribd

Facebook Comments

Related tags :



...as an eminent lawyer you ought to know that your action tantamount to, under Section B, sub-section G.VIX, read along with I.P.C. (A) XI (B), notwithstanding...                                        TOI

Missing the Point Missing the Point pic by english blog If India takes One Step, we will take Two by Satish If India takes One Step, we will take Two ...................by Satish


[caption id="attachment_97474" align="alignleft" width="621"]Donald Trump’s immigration ban Donald Trump’s immigration ban[/caption] Alligator vs Litigator Alligator vs Litigator



Demonitisation Diaries 2 Demonitisation Diaries 2  pic by sify Soaring of Oil Prices pic by indiaone


Time to straighten up Time to straighten up                pic by TOI Lawyers Bearing the Burden Literally Lawyers Bearing the Burden Literally pic by OMG


[caption id="attachment_97462" align="alignleft" width="524"]Painting India Saffron Painting India Saffron[/caption] Hindu Hindu Auto Driver thrashed for no fault Auto Driver thrashed for no fault,                  source oneindia Let Justice Be Let Justice Be


TOI Tax Reforms    by Hindu Tax Reforms by Hindu Delivery Boy Delivery Boy                    by Satish TOI Hindu Hindu Demonitisation Diaries Demonitisation Diaries                                                       by sify


Job Hazards


Acheche DIn Acheche Din     pic by sify 150425_-_farmers_a_2384764f




Hindu Hindu

TOI [caption id="attachment_97477" align="alignleft" width="621"]UIDAI Leaks UIDAI Leaks[/caption] America First Walk Your own Talk TOI Hindu [caption id="attachment_97467" align="alignleft" width="621"]Humour with Latest Laws Humour with Latest Laws[/caption]


State of JudiciaryState of Judiciary by Sandeep Adhwaryu of TOI Hindu


State of Affairs Women Safety: State of Affairs             pic by mangal Hindu Belts are for Dogs Belts are for Dogs TOI


Hindu Hindu


Pic by Hindu Women Empowerment and Sports Women Empowerment and Sports


TOI Cartoon Humour @ Latest Laws Achhey Din Humour @ Latest Laws: Achhey Din Demonitisation Diaries 1 Demonitisation Diaries 1                                  pic by sify   State of Two Nations State of Two Nations               pic by sandeep Hindu Four Pillars of Democracy Four Pillars of Democracy             by Satish Hindu Hindu




Check Also

Fawad Khan Booked After Wife Refuses Anti-Polio Drops for Daughter

Lahore Police booked actor Fawad Khan after his wife refuses anti-polio drops for daughter

February 21, 2019: On Thursday, a FIR has been registered against Pakistani actor Fawad Khan after his wife refused to administer anti-polio drops to their daughter. The Lahore Police took the action on a written complaint of the polio team, ...

Leave a Reply

Your email address will not be published. Required fields are marked *