The government has withdrawn the Personal Data Protection Bill from Parliament in order to consider a “comprehensive legal framework” to regulate the online space, which includes bringing separate laws on data privacy, the overall Internet ecosystem, cybersecurity, telecom regulations, and harnessing non-personal data to boost innovation in the country.
What is the significance of this development?
The administration has taken this action after nearly four years of working on the bill. It had gone through several modifications, including a review by a Joint Committee of Parliament (JCP), and encountered significant opposition from a variety of parties, including huge tech giants like Facebook and Google, as well as privacy and civil society organizations.
The IT businesses, in particular, questioned a proposed provision in the Bill known as data localization, which would have required corporations to maintain a copy of some sensitive personal data within India and prevented the export of undefined “essential” personal data from the nation. The activists were particularly critical of a clause that granted the central government and its agencies sweeping exemptions from all sections of the Bill.
The Bill’s delays were criticized by various stakeholders, who expressed severe worry that India, one of the world’s largest Internet marketplaces, lacked a fundamental framework to safeguard people’s privacy.
The withdrawal of the Data Protection Bill, 2019, is troubling since a long-overdue rule is being discarded. It is not about having flawless legislation, but about getting a law at this point,” According to Apar Gupta, executive director of the Delhi-based digital rights organization Internet Freedom Foundation. “It has been nearly ten years since the report of the (Justice) A. P. Shah Committee on privacy, five years since the Puttaswamy judgment (right to privacy), and four years since the report of the (Justice B. N.) Srikrishna Committee—all of which signal the urgency of a data protection law and surveillance reforms.” ” Every day that passes results in greater hurt and harm.”
What is the reason for the withdrawal of the bill?
A data privacy law for India has been in the works since 2018 when a commission chaired by retired Supreme Court Justice Srikrishna drafted a bill. The JCP assessed the document and presented its comments, along with a draught Bill, in November 2021.
“The Personal Data Protection Bill, 2019 was examined in great depth by the Joint Committee of Parliament,” Union IT Minister Ashwini Vaishnaw stated in a memo issued to Members of Parliament. 81 revisions and 12 proposals were made in the direction of a complete legal framework for the digital ecosystem.
A complete legislative framework is being developed in light of the JCP findings. As a result, given the circumstances, it is suggested to withdraw “The Personal Data Protection Bill, 2019” and replace it with a new bill that fits into the overall legislative framework.
According to The Indian Express, the Bill was also viewed as excessively “compliance heavy” by the country’s entrepreneurs. According to government officials, the revised bill will be a lot easier to comply with, particularly for startups.
What did the JCP recommend?
The JCP tabled its findings after 78 sittings totaling 184 hours and 20 minutes, and many extensions. It offered 81 revisions to the Bill finalized by the Srikrishna panel, as well as 12 suggestions, including broadening the scope of the proposed law to include non-personal data protection; thus shifting Bill’s mandate from personal data protection to broader data protection. Non-personal data, in its most basic form, are any group of data that does not contain personally identifiable information.
The JCP study also proposed improvements on problems like social media company regulation and the use of only “trusted hardware” in cellphones, among others. It suggested that social media businesses that do not function as middlemen be handled differently.
When is the revamped bill expected to be ready?
Rajeev Chandrasekhar, Minister of State for Electronics and Information Technology, stated that the administration will introduce the new legislation in Parliament “very soon.”
“The government has now withdrawn the Personal Data Protection Bill, which was drafted in 2018 and will be rewritten by the JCP in 2021, “Chandrasekhar announced on Wednesday (August 3). “Following extensive debate and review of the JCP’s assessment, it was determined that there is a need for a complete redrafting of laws and norms that takes into consideration some of the JCP’s recommendations as well as the new difficulties and possibilities. ” The administration will take a thorough approach to the legislation, and we will return to Parliament very promptly after the consultation process,” he added.
According to IT Ministry officials, the administration intends to introduce the law during Parliament’s Winter Session. According to a senior official, the revised Bill would embrace the wider notions of data protection advocated by the JCP and would be consistent with the Supreme Court’s historic privacy decision in 2017. Given the considerable number of revisions made by the JCP, the official stated that it was essential to completely redraw the boundaries of the proposed bill.
