In the widespread global scenario of COVID’19 where lockdowns are a mere practice to curb this pandemic, usage of online platforms through internet has gained rapid momentum. Indian consumers have been sharing their personal data for availing the opportunity of using free services on apps. Usually these details are being saved in servers outside India which has eventually been worrying the Indian Government.

The Personal Data Protection Bill was first drafted by a committee of experts led by retired Supreme Court Justice BN Srikrishna who submitted a draft of the Personal Data Protection (PDP) Bill in July 2018, requesting for a feedback from the public, Ministers, stakeholders, and other industry experts. Consequently, a revised draft of the PDP Bill was submitted in the Lower House of the Parliament for further deliberations before passing it finally in December 2019. The Bill is expected to become a Law or Act in 2020 but keeping in view the situation around the globe due to COVID’19, this seems the near future.

The relevant law in force for personal data protection in India is the Information Technology Act 2000, Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. For example, Rule 3(iii) of these rules provides for personal information relating to the physical, psychological, and mental health of a person as sensitive personal data.



The Personal Data Protection Bill is India’s first attempt to domestically legislate the mechanisms for the protection of personal data and aims to set up a Data Protection Authority in the country. The bill regulates the processing of citizens’ personal data by government, companies incorporated in India, and foreign companies that are dealing with personal data sovereignty by mandating certain class of data to be stored within Indian borders.[1] The purpose of this bill is to mainly process three kinds of data – Personal Data, Sensitive Personal Data and Critical Personal Data.

This bill has enabled the flow of personal data on the full consent of the individual i.e. ‘Data Principal’ before such necessary information is given to the Government i.e. ‘Data Fiduciary’. However, this bill also provides non-consensual flow of personal information in certain cases such as, when the government is providing benefits to the individual, for legal proceedings, and in medical emergencies. The personal data so collected shall be used only for a clear, specific and lawful purpose i.e. ‘Purpose Limitation’ and most importantly should be used in a justifiable manner i.e. Lawful Processing’.



The Right to Privacy is protected as an integral part of Right to Life and Personal Liberty under Article 21 of the Constitution of India. The case of Justice K.S. Puttaswamy v. Union of India[2] recognized Right to Privacy as an integral component of Fundamental Rights as guaranteed under Part III of the Constitution. It also recognized data protection as an essential part of informational privacy of an individual and observed that India lacks a comprehensive legal framework for personal data protection.[3]

For the time being, a five-judge bench of the Supreme Court on deciding the constitutional validity of Aadhaar Card reiterated personal data protection as a part of right to privacy.

In the light of above two cases, it was ascertained that the restriction in right to privacy has to be effected by a law pursuing a legitimate state aim and also having a reasonable nexus between the objects and sources to achieve such objects in the least intrusive manner. These principles of proportionality have also been incorporated in the personal data protection.

A plea has been filed before the Kerala High Court for leaking the information of the patients being treated by hospitals to private concerns which is still pending in the court of law infringing not only the Right to Privacy but also the personal data of the individuals. Moreover, the Kerala Government has also contracted with a US based Sprinklr Inc. software that is used to control and track the spread of COVID’19 in such a manner that should not threaten the right to privacy of the users. By orders expressly provided, such information has to be compromised only by a clear knowledge and consent of the users.



The COVID’19 is the rarest of the rarest pandemic that has encountered the modern world. The current population of India accounts for about 1.3 billion[4]  people whose personal data is being accessed and required for fighting against the COVID’19, but this does not mean that it should not be handled with care. Desperate times call for desperate measures, but not unconstitutional ones.

In India, a mobile application has been developed tracing the user’s geographical location anywhere and informed them whether they are in contact of any infected person or not. This risk-tracking app is known as ‘Corona Kavach’ developed jointly by the Union Ministry of Electronics and Information Technology and the Union Ministry of Health and Family Welfare.

The state of Kerala has often used telephone call records, CCTV footage and mobile phone GPS systems to detect primary and secondary contacts of COVID’19 patients, and have also published the date and time in detail along with date maps showing the movement of people who tested positive. On the other hand, states such as Karnataka and Rajasthan, have announced the names and personal addresses of suspects through means of official websites and local newspapers. This shows that every individual state in India has been making such efforts to make the people aware about the seriousness of this Pandemic which might lead to mass destruction and mass killing of people in its wider sense. Hence there is an urge and need to protect the people of our Nation.

The ‘Aarogya Setu App’ received much criticism and havoc around the country for its propensity to leak the personal data information of the users. Mandatory use of this app had to take place for central government employees and also for public and private sector employees. Most recently a writ petition has been moved in the Kerala High Court challenging the constitutionality of such notifications passed by the Central Government.

Recently, the government issued guidelines for protecting this app by Personal Data Protection Laws (which are yet under consideration of the Parliament) and also laying down guidelines for sharing such information with government agencies and third parties. This app is allowed to collect only demographic data, contact data, self-assessment data and location data of the user. The new protocol also lays emphasis on sharing the data with any third parties if it is restricted only to the formulation and implementation of health responses. The response data can be shared with ministries, government departments and other administrative agencies in de-identified form and also that such data cannot be retained beyond a period of 180 days from the day it was collected.

Even though limitations have been imposed on using of personal data by such apps, this actually falls under the exceptions where consent of using personal information of such users is not actually required in case of Medical Emergencies but this cannot be ascertained completely unless the act is passed by the Parliament in its entirety.



The much awaited Personal Data Protection Bill was to be passed by 2019 but has been put on hold for the time being owing to certain major issues in it. This has been referred to the Joint Parliament Committee for further analysis. This bill lays down provisions for disharmonizing the misuse of personal data in a country by mandating activities such as data protection, storage and management. But on the other side, this bill can also bring serious implications on international trade, national security and foreign investment.

There are many social media platforms which are not safe from the point of view of one’s privacy. These apps are usually made by foreign countries hence a direct nexus can be formulated while entering one’s private information on any social media and leakage of such information on any platform. Hence it is always advisable not to share one’s personal information or data on social media or the internet.

India is a developing country and has been making remarkable efforts to revolutionize itself by taking a step forward in evolution of Digital India by providing securities to the users. By categorizing the data into three different forms by which protection and security from foreign leakage of information can be restrained. But this Government regulation is required to be brought into force in order to accomplish the set-up of a safer India, especially owing to the regime of this serious pandemic, COVID’19. Our country has to fight most of the major issues in 2020 in order to emerge out victorious on a global platform.





[2] (2017) 10 SCC 1




Author: Shubhi Dhiman,

Intern at Lawportal,


Author: Shubhi Dhiman,
School of Law, UPES Dehradun; 3rd year

Leave a Comment