After dithering for over three years, the Centre on Wednesday finally withdrew the highly controversial Data Protection Bill 2019. The Bill sought to regulate how the government and companies could use the digital data of citizens. It had faced severe backlash from stakeholders – citizens, tech firms, and political parties – since inception and had undergone various changes over the years based on experts’ suggestions.
The Union minister for electronics and information technology (MeiTY) Ashwini Vaishnaw noted that the now-withdrawn Bill had been “deliberated in great detail” by the joint parliamentary committee (JPC). The committee proposed 81 amendments and 12 recommendations to build a “comprehensive legal framework” for the digital space. The Modi government now intends to “present a new Bill”.
As per media reports, Vaishnaw said that the new draft would go through the approval process very soon. He was hopeful that the new Bill would get passed in the Budget session of the Parliament. In an exclusive interview with Economic Times, retired Justice B N Srikrishna (who headed the experts committee that brought out the draft for the Personal Data Protection Bill way back in 2018) commented that the government probably thought it was wiser to withdraw now, “rethink the entire Bill” and come out with a new one with proper provisions.
The Bill has been doing the rounds for a long time now and prompt action is the need of the hour to put a proper framework for data protection in place. Apar Gupta, executive director, Internet Freedom Foundation, tweeted: “It has been close to 10 years since the AP Shah on Privacy, 5 years since the Puttaswamy judgement and 4 years since the Srikrishna Committee’s report — they all signal urgency for a data protection law and surveillance reforms. Each day lost, causes more injury and harm.”
In the making for half a decade now
It all started with the monumental 2017 Justice Puttaswamy judgment by the Supreme Court that identified privacy as a fundamental right. During the same time, MeiTY constituted an expert committee to study what kind of data protection issues the country was facing and recommend steps and procedures to tackle them. This committee was headed by Supreme Court judge (retired) Justice B N Srikrishna.
The committee submitted the report draft titled ‘A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians’ to IT minister Ravi Shankar Prasad in mid-2018 and proposed the Personal Data Protection Bill-2018.
A template for the developing world
The report highlighted that if India is to shape the global digital landscape in the 21st century, it needs to formulate a legal framework relating to personal data which can work as a “template for the developing world”.
The committee came up with several recommendations on the methods to be followed to process personal data of citizens by companies (both global and Indian). The stress was on user consent. The report also mentioned the penalties that can be imposed for violation of the rules.
In 2019, the Bill was introduced in the Lok Sabha and met with strong criticism. The Parliament formed a JPC to look into the Bill minutely. After a whole two years and many changes, the JPC report was tabled during the winter session of the Parliament in late 2021.
The Bill has received flak for various provisions – a common grievance being that it gave too much power to the government with respect to users’ personal data. Another provision that attracted criticism was Article 35, which could allow the Centre to exempt any government agency from the provisions of the proposed law “in the interest of India’s sovereignty and integrity, the state’s security, friendly relations with foreign states, and public order”.
Last year, Congress MPs Jairam Ramesh and Manish Tewari added their dissent notes criticising the exemptions given to the government. TMC MP Derek O'Brien, too, had voiced his dissatisfaction.
Tech giants were displeased with the Bill
The old Bill had proposed strict regulations on data flows from India to other countries and gave the government the power to seek user data from companies, as a way to maintain its grip over them.
The Bill was not at all well received by tech giants. They were miffed with the “data localisation” provision, which asked companies to maintain a copy of certain sensitive personal data within India. It also prohibited the export of critical personal data to another country. Google expressed these concerns in 2020, telling the JPC on the Personal Data Protection Bill that India should avoid data localisation requirements.