The government has withdrawn the Personal Data Protection Bill from Parliament as it considers a “comprehensive legal framework” to regulate the online space, including bringing separate laws on data privacy, the overall Internet ecosystem, cybersecurity, telecom regulations, and harnessing non-personal data to boost innovation in the country.
Why is this development significant?
The government has taken this step after nearly four years of the Bill being in the works. It had gone through multiple iterations, including a review by a Joint Committee of Parliament (JCP), and faced major pushback from a range of stakeholders including big tech companies such as Facebook and Google, and privacy and civil society activists.
The tech companies had, in particular, questioned a proposed provision in the Bill called data localisation, under which it would have been mandatory for companies to store a copy of certain sensitive personal data within India, and the export of undefined “critical” personal data from the country would be prohibited. The activists had criticised, in particular, a provision that allowed the central government and its agencies blanket exemptions from adhering to any and all provisions of the Bill.
The delays in the Bill had been criticised by several stakeholders, who had pointed out that it was a matter of grave concern that India, one of the world’s largest Internet markets, did not have a basic framework to protect people’s privacy.
“The withdrawal of the Data Protection Bill, 2019 is concerning, for a belated regulation is being junked. It’s not about getting a perfect law, but a law at this point,” Apar Gupta, executive director of the Delhi-based digital rights group Internet Freedom Foundation, said. “It has been close to 10 years since the (Justice) A P Shah Committee report on privacy, five years since the Puttaswamy judgment (right to privacy) and four years since the (Justice B N) Srikrishna Committee’s report — they all signal urgency for a data protection law and surveillance reforms. Each day that is lost causes more injury and harm.”
Why has the Bill been withdrawn?
A data protection law for India has been in the works since 2018, when a panel led by Justice Srikrishna, a retired judge of the Supreme Court, drew up a draft version of a Bill. The draft was reviewed by the JCP, which submitted its recommendations along with a draft Bill in November 2021.
In a note circulated to Members of Parliament, Union IT Minister Ashwini Vaishnaw explained the reason behind the withdrawal of the Bill: “The Personal Data Protection Bill, 2019 was deliberated in great detail by the Joint Committee of Parliament. 81 amendments were proposed and 12 recommendations were made towards a comprehensive legal framework on the digital ecosystem. Considering the report of the JCP, a comprehensive legal framework is being worked upon. Hence, in the circumstances, it is proposed to withdraw ‘The Personal Data Protection Bill, 2019’ and present a new Bill that fits into the comprehensive legal framework.”
The Bill was also seen as being too “compliance intensive” by startups of the country, The Indian Express had reported earlier. According to government sources, the revamped Bill will be much easier to comply with, especially for startups.
What was the journey of the draft Bill like?
* The Justice Srikrishna panel was set up in 2017 in the backdrop of the Supreme Court’s verdict holding privacy is a fundamental right, and its direction to the government to draw up a data protection framework for the country. The Srikrishna Committee released a white paper that same year, outlining the areas it would be looking at.
* In July 2018, the committee submitted a draft data protection Bill to the Ministry of Electronics and IT, which said that it would draft a fresh Bill borrowing from the ideas presented in the Srikrishna Committee Bill.
* In December 2019, the Bill was referred to the JCP, which was then headed by the BJP’s Meenakshi Lekhi. As the committee started a clause-by-clause analysis of the Bill, it also sought and received extensions for presenting its report in September 2020 and March 2021.
* In July 2021, BJP MP PP Chaudhary was appointed chairperson of the JCP after Lekhi was made Minister of State for External Affairs. The JCP received yet another extension to submit its report after Chaudhary’s appointment.
* In December 2021, the JCP tabled its report in Parliament, which Justice Srikrishna said was heavily in favour of the government. In a media interview, he said that the Bill could turn India into an “Orwellian state”.
What did the JCP recommend?
The JCP tabled its report after 78 sittings spread over 184 hours and 20 minutes, and after having received half a dozen extensions. It proposed 81 amendments to the Bill finalised by the Srikrishna panel, and 12 recommendations including expanding the scope of the proposed law to cover discussions on non-personal data — thereby changing the mandate of the Bill from personal data protection to broader data protection. In its most basic form, non-personal data are any set of data that does not contain personally identifiable information.
The JCP’s report also recommended changes on issues such as regulation of social media companies, and on using only “trusted hardware” in smartphones, etc. It proposed that social media companies that do not act as intermediaries should be treated as content publishers — making them liable for the content they host.
So what could the revamped Bill look like?
Specific provisions or contours of the upcoming new Bill are not known. But a senior official said that on the question of data localisation, the government is considering whether to add it to the planned new version of the Information Technology Act, and whether to allow cross-border data flows only to “trusted geographies”. “The thinking is that the data should be stored in a region that is trusted by the Indian government, and that data should be accessible in the event of a crime,” the official said.
According to senior government officials, the new data protection Bill will do away with some recommendations by the JCP such as including “trusted hardware”, and local storage of some kinds of personal data within the boundaries of India. Instead, it will add these ideas to the larger framework for the Internet ecosystem, which will replace the Information Technology Act of 2000. All these separate laws, it is learnt, will be presented at the same time.
The new Bill could also do away with classification of personal data from the perspective of data localisation, and only use classification for awarding damages to people whose personal data may have been compromised by an entity.
When is the revamped Bill expected to be ready?
Minister of State for Electronics and IT Rajeev Chandrasekhar said the government will table the new legislation in Parliament “very quickly”.
“The government has today withdrawn the Personal Data Protection Bill that was formulated in 2018 and re-written by the JCP in 2021,” Chandrasekhar said on Wednesday (August 3). “After considerable deliberation and examination of the JCP’s report, it was found that there is a need for a comprehensive redrawing of laws and rules taking into account some of the JCP’s comments and the emerging challenges and opportunities that arise from there. A comprehensive approach to the laws will be undertaken by the government and we will come back to Parliament very quickly after following the process of consultation,” he said.
According to sources in the IT Ministry, the government is aiming to bring the legislation in Parliament’s Winter Session. A senior official said that the new Bill would incorporate the broader ideas of data protection as recommended by the JCP, and would be in line with the Supreme Court’s landmark privacy judgment of 2017. Given the significant number of amendments suggested by the JCP, it was necessary to comprehensively redraw the contours of the proposed law, the official said.