(This is the first part of a two-part article series which analyses and explores the various facets of the proposed Personal Data Protection Bill in the pipeline. The first part explores the backdrop in which the Bill was proposed, and the second part analyses the specific provisions of the Bill to assess whether it is an effective legislation.)

Since the beginning of time, human growth has been driven by technological progress. From the invention of the wheel to the creation of the internet, humans would have been unable to accomplish the heights they have achieved today without technology. Every generation has seen the staggering growth of technology and its far-reaching consequences on societies. The advent of the 21st century saw the markets being flooded with cellular devices coupled with the internet. This resulted in more and more people entering the "cyberspace". As internet and cellular devices got cheaper, the exodus of people into the "cyberspace" only increased. Today, we are at a point where these technologies are omnipresent. Gmail, Google Maps, WhatsApp, YouTube, our numerous shopping and food delivery apps, life would be unimaginable without them. The heavy reliance on these technologies has resulted in them knowing everything about us: tiny details which we do not share with anyone, behavioural tendencies which we are not even conscious of, things which the human eye usually misses out on, everything! These apps record it all, process it, and then use it to influence our behaviour a specific way (usually towards consuming more of what they have to offer). For example, the previews which you may see for any given movie on Netflix would be different from the preview we would see.1 This is because Netflix uses a complicated algorithm to determine what each individual user is most likely to click on and then depending on that, sources person-specific images from any given movie to create its preview.

The availability of such excruciating amounts of "personal data" about everyone, therefore, also makes these technologies omniscient. Because personal data is data which relates to characteristics, traits, or attributes of identity, which can be used to identify an individual, it can be used in several different ways to influence millions of people, as we have just seen with the Netflix example. Elections can be swung by focusing on pressure points of individuals based on their behavioural tendencies; Governments and organisations can influence people to act a certain way, this could involve being inclined towards buying specific products, or believing in the existence of a certain narrative, etc. All of these are rather bleak scenarios, but that is precisely the amount of power which our data can put in the hands of any individual or organisation. For these reasons, countries around the globe are moving towards stringent data protection laws.

In 2018, the European Union ["EU"] adopted the EU General Data Protection Regulation ["EU GDPR"] which replaced its Data Protective Directive of 1995. It is a comprehensive legislation covering all kinds of processing of personal data. As of 2018, 67 out of 120 countries outside the EU had a framework similar to the EU GDPR or its predecessor. The United States, on the other hand, does not have an overarching legislation but has specific legislations like the Privacy Act, 1974, the Electronic Communications Privacy Act, 1986, and the Right to Financial Privacy Act, 1978 which protect citizens' personal data against the Federal Government. The private sector has sector-specific laws tailored for the use of specific types of personal data.2 India, too, has certain regulations which apply to the usage and transfer of the personal data of its citizens. These regulations are stipulated in the Informational Technology Rules, 2011 ["IT Rules"]. Rule 3 defines what "sensitive personal data or information" is, and inter-alia includes information relating to passwords, personal finances, health records, biometric information, and sexual orientation. Further rules stipulate the publication of a privacy policy by a body corporate collecting personal information,3 method for collection of information,4 procedure for disclosure5 & transfer of information,6 and the institution of reasonable security practices and procedures.7 While the IT Rules are a novel attempt towards regulation of personal data, it falls significantly short of doing the job. They are sparse and are limited in their approach, therefore failing to meet the needs of safeguarding the complicated data collection, processing, transfer, and usage taking place in the world today.

The shortcomings of the framework prompted the Ministry of Electronics and Information Technology to set up a Committee of Experts in July, 2018. This Committee, chaired by Justice B.N. Srikrishna, was tasked with the job of examining the various issues related to data protection in India. Their job became all the more relevant and important a month later when in August, 2017 the Supreme Court declared privacy to be a fundamental right guaranteed under Article 21 of the Indian Constitution.8 The Justice Srikrishna Committee submitted its report, along with a Draft Personal Data Protection Bill, 2018 ["PDP Bill 2018"] to the Ministry in July 2018. In December, 2019 the Government introduced in parliament the Personal Data Protection Bill, 2019 ["PDP Bill 2019"]. The Bill seeks to put in place a comprehensive data protection framework, governing the processing, transfer, and usage of data by both, Government and other organizations. It further seeks to put in place the Data Protection Authority of India ["DPAI"] entrusted with the job of making sure that the regulations are being adhered to, and to provide further rules and regulations pertaining to personal data.

(The second part of this article discussed the intricacies of the Bill and the pros & cons of the same.)


1. https://www.vox.com/2018/11/21/18106394/why-your-netflix-thumbnail-coverart-changes#:~:text=Netflix%20doesn't%20just%20use,most%20likely%20to%20click%20

2. Justice Srikrishna Committee Report, available at:

3. Rule 4, IT Rules 2011.

4. Rule 5, IT Rules 2011.

5. Rule 6, IT Rules 2011.

6. Rule 7, IT Rules 2011.

7. Rule 8, IT Rules 2011.

8. K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.