Indian PDPB 2019: Grounds of processing personal data

In this Series IX on the Personal Data Protection Bill, 2019 (Indian PDPB 2019), we look into the grounds for processing personal data, the exemptions allowed in the Bill, and the concept of harm to the data principal.

In the previous series, we have considered that the main idea of this Bill, besides defining and recognising Privacy as a Basic Right, is to provide for the protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data, and even grant a right to erase and delete data, so as to protect the rights of individuals whose personal data are processed.

We will now look into the provisions to create a framework for organisational and technical measures in the processing of data, laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorised and harmful processing, and to establish a Data Protection Authority of India for the said purposes and for matters connected therewith or incidental thereto.

Grounds for processing personal data: The Bill allows the processing of data by fiduciaries only if consent is provided by the individual. However, in certain circumstances, personal data can be processed without consent.

These include:

-if required by the State for providing benefits to the individual,

-legal proceedings,

-to respond to a medical emergency.

Grounds for processing personal data and grounds for processing sensitive personal data (Draft Personal Data Protection Bill, 2019):

-Explicit consent

-Prompt action

-Compliance with any law or any order of the court

-Functions of the state


-Functions of the State

-Performance of contract

-Compliance with law or any order of the court

-Compliance with legal obligation

-Purposes related to employment

-Vital interests of the data subject

-Prompt action

-Task in public interest or exercise of official authority of controller

-Reasonable purposes

Exemptions: Sharing of non-personal data with government: The central government may direct data fiduciaries to provide it with any:

-non-personal data and

-anonymised personal data (where it is not possible to identify data principal) for better targeting of services.

The central government can also exempt any of its agencies from the provisions of the Act:

-in the interest of the security of the state,

-public order,

-sovereignty and integrity of India and friendly relations with foreign states,

-for preventing incitement to commission of any cognisable offence (i.e. arrest without warrant) relating to the above matters.

Processing of personal data is also exempted from provisions of the Bill for certain other purposes such as:

(i) prevention, investigation, or prosecution of any offence, or

(ii) personal, domestic, or

(iii) journalistic purposes.

However, such processing must be for a specific, clear and lawful purpose, with certain security safeguards.

Offences: The Data Fiduciary can be penalised on the following terms. The quantum of penalty for an offence under the Bill is set out below for each kind of non-compliance.

  1. Rs 5 Cr or 2% of the total worldwide turnover, whichever is higher, for failure to:


-Register with the Data Protection Authority

-Appoint a Data Protection Officer

-Notify & to take prompt and appropriate action in response to a data security breach

-Undertake a Data Protection Impact Assessment

-Conduct the annual data audit

  2. Rs 15 Cr or 4% of the total worldwide turnover, whichever is higher, for:

-processing of personal data in violation of the provisions as prescribed

-failure to adhere to security safeguards as per section as defined

-transfer of personal data outside India in violation of relevant sections of this Act

-any violations on Privacy Principles

-any violations of Grounds of Processing

-any violation of Personal Data of Children

-any violation on transfer of Personal Data outside India

-not adhering to Safety & Security guidelines as defined

Amendments to other laws: The Bill amends the Information Technology Act, 2000 to delete the provisions related to compensation payable by companies for failure to protect personal data.

The Indian PDPB 2019 also stipulates that any person who willingly,

-re-identifies personal data which has been de-identified by a data fiduciary or a data processor, as the case may be; or

-re-identifies and processes such personal data as mentioned above

without the consent of such data fiduciary or data processor, shall be punishable with imprisonment for a term not exceeding three years or with a fine which may extend to INR Two lakh, or both.

Cross Border Transfers:

Personal data may be transferred outside the territory of India pursuant to any one of the following conditions:

-Adequacy decision by the Central government after consultation with the Authority

-Standard contractual clauses or intra-group schemes approved by the Authority

-A situation of necessity as determined by the Authority

-Data subject’s consent in addition to adequacy decision or the standard contractual clauses.

Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions. However, such sensitive personal data should continue to be stored in India. Certain personal data notified as critical personal data by the government can only be processed in India.

Criteria for Transfer:

-Explicit Consent by Data Principal
-Pursuant to a contract or intra-group scheme approved by the DPA
-Country or Entity/Group approved by the DPA
-Specific Sensitive Personal Data OR Class of Sensitive Personal Data approved for transfer by DPA for a specific purpose

Critical Personal Data cannot be transferred outside India except:

-for provision of health services or emergency services or

-Country or Entity/Group has been approved by the Central Government

Exemptions from this Act for:

-processing for research, archiving, or statistical purposes

-manual processing done by small entities

The Bill also allows for the creation of a Sandbox by the DPA for encouraging innovation in emerging technology in the public interest. This may be applicable to all research in Big Data, AI, ML and so on.

Restriction on Cross Border Data Transfer

-Data fiduciaries transferring data outside the territory of India are required to maintain a serving copy of the data within the territory of India.

-Categories of personal data that are notified as critical personal data by the Central Government can be processed only within the territory of India.


Under normal circumstances, when an individual loses her rights, she will come to know of it. One is aware of the circumstances in terms of detention, restraint, censorship or even jail. With these, one is also aware of the law allegedly being broken and the identity of the arresting officer, the censoring official or the concerned authority.

On the other hand, the individual is not even aware of the kind of monitoring and control we are being subjected to now. With huge amounts of data generated by each one of us and constantly processed by the social media platforms, the definition of Harm has taken on a new meaning. We have accepted surveillance as part of our daily routine now.

The PDPB 2019 also defines the term “Harm” as including

– (i) bodily or mental injury;

– (ii) loss, distortion or theft of identity;

– (iii) financial loss or loss of property;

– (iv) loss of reputation or humiliation;

– (v) loss of employment;

– (vi) any discriminatory treatment;

– (vii) any subjection to blackmail or extortion;

– (viii) any denial or withdrawal of a service, benefit or good resulting from an evaluative decision about the data principal;

– (ix) any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or under surveillance;

– (x) any observation or surveillance that is not reasonably expected by the data principal.

The term “Profiling” follows the GDPR definition as “Predicting” the aspects of the behaviour of a data principal.

“Profiling” means any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of a data principal.

Any “Harm” as per the Principles of Privacy may be broadly subdivided into two categories. The first category of privacy harm is the perception of unwanted observation. This category describes uncomfortable mental states—threats (perceived or actual), anxiety, risks, paranoia, embarrassment, fear—that may arise from the genuine belief that one is being stalked, watched or monitored. Examples of this privacy harm include everything from an individual spying on his neighbour to unknown community or public surveillance.

The second category of privacy harm is the forceful and/or unanticipated use of private information concerning a person against that person. These may be actions which negatively limit the privacy of the person concerned. Issues such as identity theft, card skimming, spamming and the leaking of classified information are all examples of such harm. In other words, privacy harm can (and does) occur in the absence of a visible and sometimes invisible human interface.

By Sameer Mathur, Founder & CEO, SM Consulting

President, Delhi-NCR Chapter of the Foundation of Data Protection Professionals in India

With inputs from Mr Vijayashankar Nagaraj Rao
