The Government of India has retreated the Personal Data Protection Bill, 2019 from Lok Sabha and stated that it would roll out “contemporary digital privacy laws” to suit the “comprehensive legal framework” and to regulate online space. This decision comes after the intense scrutiny by the Joint Parliamentary Committee proposing around 81 changes to the Bill. Almost four years of discussions later, the Bill was withdrawn on 4 August 2022.
- The Personal Data Protection Bill was introduced in 2019.
- It was repealed in 2022 by Union Electronics and Information Technology Minister, Ashwini Vaishnaw following the various recommendations suggested by the Joint Committee of Parliament.
- The Bill is under consideration for a "comprehensive legal framework" to be designed afresh, expanding its scope to meet the standards of the evolving digital world.
Personal Data Protection Bill
The Personal Data Protection Bill (PDP) was first introduced on 11 December 2019 by Ravi Shankar Prasad, Minister of Electronics and Information Technology in the Lok Sabha. In 2017, a committee was set up by the ministry to research data protection which was chaired by former Supreme Court judge Justice B.N Srikrishna following the verdict that declared “privacy” as a fundamental right. The committee submitted the draft of the bill in July 2018, approved by the cabinet on 4 December 2019 and finally placed before the Lok Sabha on 11 December 2019. The objective of the Bill was to provide mechanisms forthe protection of personal data, digital privacy, restrictions on usage of personal data and the establishment of the Data Protection Authority of India. The application of the Bill extends to the government, Indian companies and foreign companies dealing with the personal data of Indian citizens. Personal data includes all attributes and traits used to identify an individual. The 2019 Bill included provisions granting the Central Government the power to exempt any government agency from the applicability of the Bill, regulate the use of personal data by social media and the Right to be forgotten.
Objectives of the Bill
Personal Data Protection Bill commonly known as the “Privacy Bill” intends to protect the digital privacy of individuals, regulate the usage of personal data by third parties, protect the rights of individuals whose data is used, restrict the transfer of data, accountability of organizations processing personal data and establish Data Protection Authorities. This Bill was analogous to the European General Data Privacy Regulation.
The data were classified into three by the bill: Sensitive, Critical and General. The Bill classifies certain personal data as sensitive personal data which includes financial data, religious or political beliefs, biometric data, ethnicity, health-related and any other data specified by the government. For the transfer of sensitive personal data outside India, explicit consent of individuals is required for processing and the data will be retained for storage in India. Data classified as critical personal data by the government can be processed and stored only in India. The rest of the data that does not fall under the two categories is general data.
The processing of personal data will be subject to rules regarding its collection purpose, storage and transfer. It could be used only for lawful purposes such as medical emergencies, benefits to the individual or legal proceedings. The process must ensure full transparency and accountability for entities using it. This extends to the social media intermediaries as well who enable the interface of individuals with outsiders. Data encryption should be undertaken to prevent misuse of data and additional protection for processing sensitive personal data. The Bill also provides certain rights to individuals (data principals) whose data is being used by entities (data fiduciary). Data fiduciaries are under obligation to receive consent from the data principal before using their data and the individual has the right to claim the same. The individual has the right to seek correction of erroneous data, the right to consent for processing and transfer of personal data, and the right to withdraw consent.
The Data Protection Authority has a duty to protect the rights and interests of individuals, regulate the use of all personal data and ensure compliance of entities processing such data. Any offence involving the processing or transferring of personal data in violation of the provisions shall be punishable with imprisonment up to 3 years or a fine or both.
Criticisms of the Bill
Justice B.N. Srikrishna criticized the revised 2019 Bill could potentially turn India into an Orwellian State. In an Economic Times interview, he said that the power of government to access private data on grounds of sovereignty or public order could be used arbitrarily. The physical location of data is immaterial in the digital world as encryption keys play an important role to access data.
Forbes India also reported that the Bill grants the government, blanket powers to access citizens’ data. The Bill faced criticism on international levels too. Many supposed that the Bill had serious loopholes and it lacks in identifying the scope of governmental bodies to extend their access to individual’s personal data.
The opposition parties including Congress alleged that the Bill breached the fundamental rights of citizens. It gave excess power to the government to access data on baseless grounds citing national security and integrity. Some privacy experts also quoted that the Bill was in favour of the government rather than protecting its citizens.
Recommendations of Joint Committee of Parliament (JCP) hints withdrawal of Bill
Personal Data Protection Bill, 2019 was forwarded to the Joint Committee of Parliament after its introduction in Parliament faced vehement objections. JCP was set up in December 2019 and was assigned the task of finalizing the draft of the Bill within a brief deadline but sought extensions. The committee was chaired by BJP MP Meenakshi Lekhi. In July 2021, when Meenakshi was made Minister of State for External Affairs, she was replaced by P.P. Chaudary since ministers were restricted from leading Parliamentary committees.
The Joint Committee of Parliament reviewed the Bill and tabled its recommendation report to the Parliament along with a draft bill in December 2021. JCP placed 81 amendments and 12 recommendations to the Bill after around 78 sittings including extending the scope of the law, to cover provisions on non-personal data, the inclusion of trusted hardware and regulation of social media companies. It also proposed that social media companies that are not intermediaries shall be considered as content publishers who will be liable for all the content they host. Reports stated many issues with the Bill, which were beyond its reach.
The Central government withdrew the PDP Bill on 4 August 2022 after several deliberations. The Bill which was first proposed in 2019 to protect cyberspace and access to individual personal data by government and companies, was withdrawn to present a new legislature that will fit into the current scenario. Rajiv Chandrasekhar, Minister of State for Electronics & Information Technology tweeted about the same and assured that new legislation will be constructed with global standards that meet the data governance framework of advanced technologies.
Withdrawal of the Bill
As a result of various recommendations proposed by JCP, the government was forced to withdraw the bill as it did not meet the growing concerns of data protection. The issues stated by the committee are under consideration and a new bill could be expected at the tables of Parliament during the Winter Session. The government will focus on including distinct laws on data privacy, cyber security, telecom regulations, and non-personal data.IT Minister, Ashwini has said that the government take in the public consultation for the revised version of the Bill.
However, it is of grave concern in the Intern markets that India doesn’t have a data protection policy. Let alone the flaws of the bill, India now lacks a law that could regulate the digital privacy of its citizens. The digital world signals an emergency in the implementation of data protection laws.
What does this withdrawal mean for the companies and social media?
PDP bill regulates the usage, storage and transfer of personal data by companies and social media. It had proposed for social media to create a mechanism, to verify accounts of individuals who register their service from India or avail service from India to track trolling and cybersecurity. The bill was criticized to have too many loopholes.
Silicon Valley tech giants like Facebook (Meta) and Twitter were said to have caused bruised relations between USA and India for their strict regulations on data privacy. Some of the tech companies requested a revision on “data localization” in the Bill which allows the company’s storage of sensitive personal data within India but prohibits the export of critical personal data. Meta stated that data localization was not cost-effective and it would become difficult for it to render services in India. Many corporates wrote to the government stating this would damage the businesses and reduce the inflow of foreign investments. Transfer of data to trusted geographies is under consideration in the new bill, said a senior official when questioned about data localization.
Meta, Twitter, Google and Amazon expressed their concern over the JCP recommendation as it was conflicting with some of their data collection cyber policies. The revised bill will have easy compliance policies unlike the former which was “compliance intensive” especially for start-ups.
While the PDP Bill was withdrawn based on the numerous recommendations placed by JCP, the officials assure that a new comprehensive legislature on data privacy will soon be formulated. Separate laws are to be introduced on various topics and it is expected that they will have an extended scope. The comprehensive redrawing of contours of law is to be undertaken upon the JCP’s recommendations and subject to the 2017 Supreme Court’s landmark judgment on privacy.