Last week, the draft document that listed guidelines for data anonymisation was removed from the information technology ministry’s website. The draft had been put up for public feedback just a week prior to being withdrawn. This is not the first instance of sudden retraction of draft Bills. In the past two years alone, major changes have been made to data-related Bills – the draft Indian Data Accessibility & Use Policy, 2022, was updated without any notification, and in 2021, the draft amendments to the IT Rules, 2021, were unceremoniously taken down during public consultations.
MeitY was in the news in August when it withdrew the Personal Data Protection Bill after facing much pushback from several quarters. The ministry said a new legal framework incorporating several changes and amendments would replace it.
Data anonymisation draft pulled down
Two drafts – the Guidelines for Anonymisation of Data (AoD) and Mobile Security Guidelines (MSG) – listing guidelines on data anonymisation were put up on the IT ministry’s website for public consultation. The website had announced that all the public comments made until September 21 would be considered. It may be noted that the documents were released on a new website, instead of the official website of MeitY. Interestingly, no press release accompanied these documents at the time of uploading.
A government official told ET that data anonymisation is a complex issue that needs wider consultation. “We will talk to experts again, look at global examples, examine them, and then put up the draft for public consultation in a few days,” the source said.
The data anonymisation draft included guidelines for all stakeholders involved in personal data processing and its subtypes through the e-governance projects. The draft aimed to lay down the recommendations for processing of the data collected through e-governance portals like Aarogya Setu, Cowin vaccinations, and National Health Mission, among others. On the other hand, the second document draft on mobile security guidelines had measures for sensitive data protection, privacy, and security of transactions.
The draft report was prepared by the Standardization Testing Quality Certification (STQC) Directorate and Centre for Development of Advanced Computing (C-DAC) and was commissioned by the Ministry of Electronics & Information Technology (MeitY). The standards and the guidelines outlined in the draft were to ensure secure sharing of information and seamless interoperability of data across several government applications.
The government has been deliberating several steps for data governance and privacy, and the data anonymisation draft was a step closer to that goal. Earlier, C-DAC had constituted a Working Group consisting of 14 experts to frame the guidelines for data anonymisation when personal information is processed and shared, especially in government applications. Further, this committee was also set up to deliberate on standard operating procedures to conveniently implement the concept in various organisations and government agencies. Another purpose of the committee was to prepare a supplement to the data-related policies and legislations of the Indian government.
What happened to the PDP Bill?
After three years of deliberations, the Centre this year withdrew the Personal Data Protection Bill 2019. The Bill sought to regulate how the government and companies could use the digital data of citizens. It had faced severe backlash from stakeholders – citizens, tech firms, and political parties – since its inception and had undergone various changes over the years based on experts’ suggestions.
The Union minister for electronics and IT Ashwini Vaishnaw noted that the now-withdrawn Bill had been “deliberated in great detail” by the joint parliamentary committee that proposed 81 amendments and 12 recommendations.
Earlier this month, Rajeev Chandrasekhar, MoS for electronics and information, said at a conference that the government would be replacing the IT Act with a Digital India Act. Chandrasekhar added that the government aims to bring this framework into the public domain within three to four months, and that it will address digital data protection, and non-personalised and anonymous data.