The Joint Parliamentary Committee on the Personal Data Protection Bill, 2019 has adopted its final report. What now? #SaveOurPrivacy

The JPC on the Personal Data Protection Bill, 2019 has adopted the final version of its report and is expected to table it in Parliament during the upcoming Winter Session. Here, we look at the possible ways forward for the PDPB and highlight some of the issues that may emerge from the final report.

26 November, 2021
6 min read


The Joint Parliamentary Committee on the Personal Data Protection Bill, 2019 has adopted the final version of its report, and is expected to table it in Parliament during the upcoming Winter Session. Here, we look at the possible ways forward for the Data Protection Bill and highlight some of the issues that may emerge from the final report of the Committee. We guide you through the parliamentary process, next steps and the fundamental issues at play.


At the end of the 2021 Monsoon Session of the Indian Parliament, Union Minister of State PP Chaudhary, the then newly appointed chairperson of the Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill, 2019, (“PDPB”), moved a motion seeking an extension till the first week of the Winter Session for submitting the report of the JPC. This motion was passed, and, once again, we were left waiting for the JPC’s much awaited report.

However, in the run up to the Winter Session, concrete media reports emerged which stated that the JPC was likely to adopt the final version of the report in November and table it during the Winter Session. Then, on 22nd November, multiple news outlets reported that the JPC had indeed adopted the report, though at least 7 members had moved dissent notes against the final version of the report (more on this later).

A quick recap

We have written extensively on the PDPB in the past (see our brief on the 2019 version of the Bill here). We have also written about the workings of the Committee and highlighted ways in which the Committee’s consultation processes has excluded civil society bodies and digital rights groups. In recent times, we have run several series explaining different facets of the PDPB:

  • Our #StartFromScratch series was a short introduction to the Bill which included some historical and legislative context, a summary of the Bill, an overview of the issues with the Bill, and possible alternative paradigms for data protection.
  • Next, our #DataProtectionTop10 series, analysed the top 10 issues with the Bill in detail.
  • Currently, our #PrivacyOfThePeople series is looking at how the Bill will impact our daily lives by focusing on its impact on different sections of society and industry sectors.

Now that the JPC has adopted its report, though it is still to be made publicly accessible, we thought it would be helpful to look at the potential ways forward for the JPC, and indeed answer a very important question: what will happen to the Personal Data Protection Bill, 2019 now?

What’s next for the PDPB?

The Winter Session of Parliament will start on 29th November. As per the motion submitted by the Chairperson of the JPC, the Committee is supposed to submit its report to Parliament in the first week of the Winter Session (i.e. next week). Once the Committee submits its report, under Rule 77 of the Rules of Procedure and Conduct of Business in Lok Sabha (‘Lok Sabha Rules’), there are several options available for moving forward:

  1. The government can introduce a new Bill based on the modifications proposed by the JPC that can then be taken up for consideration by the Parliament.
  2. The modified Bill recommended by the JPC  can once again be given back to the JPC (this could be the same committee or even a newly constituted committee) for further deliberation..
  3. The modified Bill recommended by the JPC can be circulated amongst the members of the Lok Sabha to elicit further opinion thereon.

If option 1 is chosen i.e. if the modified Bill is taken up for consideration, then Members of Parliament retain the option of moving a motion asking for the Bill to be sent back to the JPC or that it be circulated among MPs for deliberation.

In the case of the Personal Data Protection Bill, 2019, it is likely that option 1 will be taken, as discussions on the Bill have been ongoing since 2018 and MPs will be hesitant to send the Bill back to the JPC again. This can be evidenced by recent comments from the Minister of State for Skill Development and Entrepreneurship and Electronics and Information Technology of India, Mr. Rajeev Chandrashekhar:

“The government will accept the recommendations of the joint parliamentary committee, there is no reason for the government not to accept the recommendation of 20 parliamentarians or 30 parliamentarians, because they are the ones who would pass the Bill anyway in Parliament. So, unless we go through it in detail and study it and see if something is completely inconsistent with something else, I don't see any reason for us to not go with the committee.”

Thus, it would seem that everything is now done and dusted: the report will be tabled, the Government will introduce a new version of the Bill, and, given the majority of the ruling party in both Houses of the Parliament, the Bill will most probably pass. However, while it is possible that the new Bill may be introduced in the Winter Session itself, the existing list of Legislative business does not list the Bill at present, and so it is possible that the new Bill would be introduced during subsequent sessions.

Dissent notes of the JPC

While the government may be likely to adopt the version of the Bill recommended by the JPC, several major issues remain. For starters, as stated earlier, several members of the JPC have filed dissent notes against the final report:

  1. MP Jairam Ramesh stated that he rejected one of the fundamental premises of the report - that respect for privacy only applies to private bodies and not to government bodies - and recommended two amendments to clauses 12(a)(i) and 35.
  2. MP Manish Tewari stated that the Bill may be ultra vires the judgement of the Supreme Court in Justice K. S. Puttaswamy vs Union Of India better known as the Right to Privacy judgement, and rejected the Bill in its entirety, raising objections to 37 clauses.
  3. MP Gaurav Gogoi expressed reservations about exemptions granted to the government under Clause 35 and stated that the Bill may not adequately address harms arising from surveillance.
  4. MPs Derek o’Brien and Mahua Moitra have pointed out that the Bill does not provide adequate safeguards to protect the right to privacy and provides significant exemptions for the government under Clause 35, which may be open to misuse.
  5. MP Amar Patnaik has reportedly objected to the lack of state-level Data Protection Authorities, indicating that this may lead to issues of federal override.

In response to these concerns, the chairperson of the JPC stated that the dissent notes moved by members of the JPC are “ill-conceived”, and that the report of the JPC draws a fine balance between individual privacy and the need to facilitate the growth of the digital economy. However, such arguments may rely on a false dichotomy between individual privacy and economic development.

At this point of the time given the contents of the PDPB as adopted by the JPC are privileged we are avoiding specific comment. However, we have taken the benefit of media reports and previous versions of the PDPB to provide some initial analysis.

As per our understanding, the issues raised by the dissenting MPs seem to not have been addressed. Given that, as per media reports, the JPC has indeed retained the significant exemptions granted to the government to exclude government agencies from the ambit of the Bill, the issue of government misuse of these exemptions will not go away. Additionally, while the Bill does reportedly bring non-personal data further within its ambit, the paradigm proposed by the government through the second draft of the report of the Committee of Experts on Non-Personal does not inspire much confidence and may, in fact, be unconstitutional.

Media reports have also indicated that the JPC may be straying beyond its ambit of discussing the PDPB and looking at issues of intermediary liability: apparently, the JPC may be suggesting that the significant social media intermediaries (basically big social media platforms) that do require mandatory user verification may lose their status as intermediaries, thus also losing the ‘safe harbour’ afforded to them against legal action on the basis of posts made on their platform. Such a move may mean the end of anonymous social media accounts!

Clearly, there are a lot of questions that need to be answered and several issues that need to be addressed. Thus, in accordance with India’s democratic ethos, we hope that when the government finally presents the modified Bill, it also provides its rationale for either accepting or rejecting each of the recommendations of the JPC.

The upcoming Winter Session of Parliament, which begins on 29th November,  will be an exciting one as key issues related to digital rights are expected to be debated, chief among which is, of course, the report of the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019. We plan to look at the report of the JPC in great detail, so stay tuned for key takeaways, in-depth analysis, and comparisons with previous versions of the Bill.

Important documents:

  1. The Personal Data Protection Bill, 2019 as introduced by the Minister for Electronics and Information Technology, Mr Ravi Shankar Prasad (link)
  2. IFF's Public Brief and Analysis of the Personal Data Protection Bill, 2019 (link)
  3. The SaveOurPrivacy Campaign (link)
  4. Rules of Procedure and Conduct of Business in Lok Sabha (link)

Subscribe to our newsletter, and don't miss out on our latest updates.

Similar Posts

Your personal data, their political campaign? Beneficiary politics and the lack of law

As the 2024 elections inch closer, we look into how political parties can access personal data of welfare scheme beneficiaries and other potential voters through indirect and often illicit means, to create voter profiles for targeted campaigning, and what the law has to say about it.

6 min read

Press Release: Civil society organisations express urgent concerns over the integrity of the 2024 general elections to the Lok Sabha

11 civil society organisations wrote to the ECI, highlighting the role of technology in affecting electoral outcomes. The letter includes an urgent appeal to the ECI to uphold the integrity of the upcoming elections and hold political actors and digital platforms accountable to the voters. 

2 min read

IFF Explains: How a vulnerability in a government cloud service could have exposed the sensitive personal data of 2,50,000 Indian citizens

In January 2022, we informed CERT-In about a vulnerability in S3WaaS, a platform developed for hosting government websites, which could expose sensitive personal data of 2,50,000 Indians. The security researcher who identified the vulnerability confirmed its resolution in March 2024.

5 min read

Donate to IFF

Help IFF scale up by making a donation for digital rights. Really, when it comes to free speech online, digital privacy, net neutrality and innovation — we got your back!