Sunday, Oct 02, 2022

Govt withdraws data protection Bill to bring revamped, refreshed regulation

This comes after nearly four years of the Bill being in the works, where it went through multiple iterations including a review by a Joint Committee of Parliament (JCP), and faced pushback from a range of stakeholders including tech companies and privacy activists.

data protection, Data protection bill, Ashwini Vaishnaw, india data protection bill, india cybersecurity, telecom regulations, india news, india latest newsUnion Minister for Railways, Communications, Electronics and Information Technology Ashwini Vaishnaw. (Express archive photo)

The government has withdrawn the Personal Data Protection Bill from Parliament as it looks to come up with a “comprehensive legal framework” for regulating online space including separate legislation on data privacy, the overall internet ecosystem, cybersecurity, telecom regulations, and harnessing non-personal data for boosting innovation in the country.

This comes after nearly four years of the Bill being in the works, where it went through multiple iterations including a review by a Joint Committee of Parliament (JCP), and faced pushback from a range of stakeholders including tech companies and privacy activists.

According to IT Ministry sources, the government is targeting the winter session of Parliament to introduce the new legislation.

A senior official said the new Bill will incorporate the broader ideas of data protection as recommended by the JCP and will be in line with the Supreme Court’s landmark judgment of 2017 in which it held privacy as a fundamental right.

Given the significant number of amendments suggested by the JCP, the need to comprehensively redraw the contours of the legislation was necessitated, the official said.

The data protection Bill has been in the works since 2018 when a panel, led by retired Supreme Court judge Justice B N Srikrishna, had prepared a draft version of the Bill. After that, it was reviewed by a JCP which submitted its recommendations and a draft Bill in November 2021.

The JCP proposed 81 amendments to the Bill finalised by the Srikrishna panel and 12 recommendations including expanding its mandate to include discussions on non-personal data, thereby changing the mandate of the Bill from personal data protection to broader data protection, alongside changes on issues such as the regulation of social media companies and using only “trusted hardware” in smartphones, among other things.


Many pushed back

Big Tech firms had questioned the data localisation provision, under which they needed to store a copy of sensitive personal data within India and export of undefined “critical” personal data was prohibited.

In a note circulated to all members of Parliament explaining the reason behind withdrawal of the Bill, Union IT Minister Ashwini Vaishnaw said, “The Personal Data Protection Bill, 2019 was deliberated in great detail by the Joint Committee of Parliament. 81 amendments were proposed and 12 recommendations were made towards a comprehensive legal framework on the digital ecosystem. Considering the report of the JCP, a comprehensive legal framework is being worked upon. Hence, in the circumstances, it is proposed to withdraw ‘The Personal Data Protection Bill, 2019’ and present a new Bill that fits into the comprehensive legal framework.”


Minister of State for IT Rajeev Chandrasekhar said the government will table the new legislation in Parliament “very soon”.

“The government has today withdrawn the Personal Data Protection Bill that was formulated in 2018 and re-written by the JCP in 2021. After considerable deliberation and examination of the JCP’s report, it was found that there is a need for a comprehensive redrawing of laws and rules taking into account some of the JCP’s comments and the emerging challenges and opportunities that arise from there. A comprehensive approach to the laws will be undertaken by the government and we will come back to Parliament very quickly after following the process of consultation,” Chandrasekhar said.

According to senior government officials, the data protection Bill will do away with some recommendations by the JCP such as including “trusted hardware” and local storage of some kinds of personal data within the boundaries of India. Instead, it will add these ideas in the larger framework for the internet ecosystem which will replace the Information Technology Act, 2000. These separate legislation, it is learnt, will be presented at the same time.


“The Ministry tried several permutations and combinations to somehow try and present the data protection Bill as an amendment to the Bill proposed by the JCP. But there were several ideas in their report that were better suited elsewhere than in privacy legislation, and the new Bill will take that into consideration,” a senior official said.

After 78 sittings spread over 184 hours and 20 minutes, and half a dozen extensions, the JCP had tabled its report in Parliament in December 2021. Apart from recommendations related to data privacy, the JCP’s report also proposed that social media companies that do not act as intermediaries are to be treated as content publishers, meaning they become liable for the content they host. The JCP had also recommended including non-personal data in the Bill. In its most basic form, non-personal data is any set of data which does not contain personally identifiable information.

A senior official said that specific to data localisation, the government is mulling adding it to the new Information Technology Act and whether to allow cross border data flows only to “trusted geographies”.

Newsletter | Click to get the day’s best explainers in your inbox

“The thinking is that the data should be stored in a region that is trusted by the Indian government, and that data should be accessible in the event of a crime,” the official said.


The new Bill could also do away with classification of personal data from the perspective of data localisation and only use classification for awarding damages to people whose personal data may have been compromised by an entity.

The Indian Express had earlier reported that the government was looking to dilute data localisation requirements as startups had complained about the norms for being “compliance intensive”. Regarding non-personal data, the Ministry of Electronics and IT has already floated a draft that looks at harnessing such data for aiding the country’s startups.


BJP MP PP Chaudhary, who was chairperson of the JCP when it submitted its report to Parliament, told The Indian Express that it was “necessary” for the government to withdraw the Bill.

Subscriber Only Stories
From The Explained editor: The ban on PFI, forests at night, and free gra...Premium
From the Opinion Editor: An election for the Congress partyPremium
From Nehru to JP, the political leaders mentored by GandhiPremium
Uttarakhand resort murder: Amid questions within, BJP may revamp Dhami go...Premium

“The JCP had recommended a number of changes to the Bill and it would have been difficult for the government to add all those things in the final legislation. It would have also made it very complex to debate in Parliament,” Chaudhary said.

First published on: 03-08-2022 at 05:06:41 pm
Next Story

Free entry to all ASI-protected monuments from Aug 5 to 15

Latest Comment
Post Comment
Read Comments