Simran Kaur, final year law student from University Institute of Legal Studies, Punjab University Chandigarh analyzes the Digital Privacy Law in India.

Digital Citizenship is exercising citizenship through the galaxy of technology while having the right to affix liability of entities in it. Data holds the power to ascertain modalities of varied attributes of humans in all possible walks of life. Its accumulation enables a mode of governance on the basis of profiling and segmenting populations in ever-proliferating ways.[1]

The Indian Government drafted two bills named Personal Data Protection Bill, 2018 and Personal Data Protection Bill, 2019 consecutively having application across several industries and sectors within the country for codifying principles of data localization, control of the government over processing of data and surveillance reform. It was broadly formulated for citizens to enforce their privacy rights against both private parties and the state to secure their fundamental informational privacy in pursuance of the case, Justice K.S Puttaswamy vs. Union of India[2] (herein referred to as the Privacy Judgment), which had infused privacy into the right to life and liberty under Article 21 of the Indian Constitution. It bears a close resemblance to the European Union’s Guidelines on Data Protection, which deals with virtually all attributes of data and its associated functions; however, it differs on several counts pertaining to the location of storing data and power of government over non personal data controlled by firms.[3]

The governance of technology and the ecosystem of data processors are considered to have a tinge of political inference, which needs strategic autonomy in carving out and forging a data sovereign vision. As the Personal Data Protection Bill 2019 stands for review before the Parliamentary Committee, it is important to examine by which measure and the extent to which it dilutes, tampers or solidifies the tenor of privacy.The objects and purpose of the proposed law falls short on account of not addressing the original patent irregularities.

Section 26 of the 2019 Bill conspicuously enabled the Government to categorize certain social media intermediaries as significant data fiduciaries, further as laid down in section 28 requiring, which are notified as significant data fiduciaries, to voluntarily verify the accounts of their users. These provisions ostensibly purport to clamp down on information asymmetry and perpetuates flow of fake news in the country because the verification of the social media accounts of the users instills in them a certain degree of deterrence,- of being traced and held accountable for their actions of spreading fake news. As a necessary implication, the availability of information with a data fiduciary will significantly increase, which is fundamentally antithetical to the core intentions of any data protection law. There is an obligation of data minimization and storage limitation on data fiduciaries to prevent misuse of personal data. However, this newfound power of the data fiduciaries could potentially equip them with a legal mandate requiring their users to link their social media accounts with a government identity, thus charting out creation of a surveillance state. Hence a more microscopic engagement into the ambiguous mechanism operative around such fiduciaries from the perspective of interests of beneficiary, implied grant of power to the service provider needs to be made.[4]

It comes down on the right of anonymity of the citizens, which is enmeshed within the fabric of all the fundamental rights. By requiring its users to disclose their identity, the state is setting the stage for a scenario where unpopular sentiments will have a huge risk of being retaliated against at the hands of the State as the proposed law also did not incorporate a prohibition against retaliation provision. While, – section 35 of the 2019 Bill plunges into giving unabated power to the government, imploring that when necessary in the interest of the sovereignty and integrity, security of state, friendly relations with foreign state, public order or to prevent incitement to the commission of an offence relating to these criteria, the government can proceed with the same regardless of any democratic measure. The 2018 Bill only granted the exemption for national security reasons on the basis of four-fold proportionality standard. However, under the 2019 Bill, the three new grounds, namely sovereignty, integrity, and public order, have unexplainably widened the ambit of the provision. To lend credence, in Virendra v. State of Punjab[5], the Apex Court held that the phrase “in interests of” would defer to the government’s determination of when “public order” could be jeopardized by speech and expression. The threshold of public order standard is dominated solely by the state. Thus, the safeguards that existed prior shall restore, so that blanket power is not given to the government under the new act.[6]

On the commercial cooperation front, the government has amassed the right to acquire this data, which is essentially a company’s intellectual property, to “promote framing of policies for the digital economy. It means that government agencies may be exempt from any scrutiny by Data Protection Authority (DPA), and can even collect data from third parties, which can be fin-tech companies or health-tech startups without the user even knowing. Far from initiating criminal prosecution for mass surveillance, India’s DPA is devoid of the power to penalize a government agency for such a violation of the fundamental right to privacy. The government also has vast exceptions for data processing: “for the performance of any function of the state authorized by law”. It is also a layout to regulate cross border data transfer. Furthermore, the Bill has designed a mechanism to deal with cases of a data breach, which entails all legal entities responsible for storing and processing data to disclose any instance to the DPA.

The lines of state surveillance become blurred by the fact that the central government, in the interest of “national security, sovereignty, international relations and public order, can issue directions to DPA.” It shall which be bound by for its power has been hugely reduced. As previously, it had the sole power to categorize data as sensitive personal data, but in the current version, the power rests with the central government, albeit in nominal consultation with it.

India’s position on governance over the flow of personal and non-personal data remains vague as pervasive and ubiquitous collection of personal data rages on creating frictions between the critical functions of the state and a market-driven economy.  The country must have a narrow definition of what can be made public and what should remain confidential. Taking a cue from the European Union’s Regulation on the Free Flow of Non-Personal Data, which puts non-personal data into two distinct buckets, – and considers the free- flow of non-personal data as a prerequisite of a competitive economy. The regulation also ensures the free movement of data across borders, prohibiting data localization: -the 2019 Bill certainly falters upon such a balance.[7]

The international spectrum responded to the legal tussle between the mammoth of mass surveillance and data privacy rights of people globally by ruling against the EU-US Privacy shield agreement setting a precedent for transparency and safety valves in data retention reservoirs.[8]

In India, the deal which unities India’s biggest platforms in internet service and telecommunication sectors, compromising net neutrality by potently monopolizing exclusive access to massive transaction data and controlling search paradigms, can be accentuated by the unfilled gaps in the Bill.Disproportionate unfettered control and incomplete channels have resultant ramifications for the underpinnings of digital citizenship through stunting the thread in the golden triangle.[9]

Simran Kaur is a final year law student from University Institute of Legal Studies, Punjab University Chandigarh

[1]Arne Hintz, LinaDenick Karin &Wahil-Jorgensen,Digital Citizenship and Surveillance, 11, 731, (733-4), International Journal of Communication, (2017).

[2] Justice K.S. Puttaswamy v. 10, SCC,. 1. (2017).

[3] Anirudh Burman & Suyash Rai, What is in India’s Sweeping Personal Data Protection Bill, Carnegie India, (March. 9, 2020),

[4]Smitha Krishna Prasad, Information Fiduciaries and India’s Data Protection Law, Data Catalyst, (September. 2019),

[5] Virendra v. State of Punjab AIR,.  896.  (1957).

[6] Nikhil Pahwa, Power over privacy: New Personal Data Protection Bill fails to really protect the citizen’s right to privacy, The Centre For Internet and Society, (Dec. 12, 2019),

[7]AayushSoni&AditiChaturvedi, India has to toe a fine line in defining non personal data –between public interest and IPR, The Print, (March. 17, 2020), ipr/382149/?fbclid=IwAR35bjPKJz2doiDctKx_ykD4W1ePmsW6fHPvPrPGp3Jq1WqWtGScxOtofwk.

[8]ArnabChakraborty, Schemes III: Data Privacy Triumphs Over Mass Surveillance, Oxford Human Rights Hub, (August. 13, 2020),

[9]Anupriya Dhonchak, Facebook – Jio Deal: Big Data, Competition and Privacy, India Corp Law, (May. 8, 2020),

IMPORTANT – Opinions expressed in this article are the sole responsibility of the author and do not necessarily reflect the views of IJOSLCA.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s