Protection of personal data – the journey starts again

On 3 August 2022, in a surprise move, the Indian government withdrew the Data Protection Bill (2021). The bill has been in the making for quite a while now – in 2017, a codified law on data protection was taking shape under the supervision of the Srikrishna Committee and the Indian Supreme Court had, vide the Puttaswamy case, passed a landmark judgment upholding the right to privacy as a fundamental right. The judgment was instrumental in giving an impetus to the formalisation of a dedicated law for the protection of personal data and privacy in India. Currently, India does have legislation on data protection – including the Information Technology Act (2000) and the rules framed thereunder as well as other industry-specific policies mandating protection of personal data – however, these have been found lacking and are not effective enough to safeguard and regulate the dynamically changing arena of data and related issues. A data protection bill was first introduced in Parliament in 2019, and thereafter referred to a Joint Parliamentary Committee (JPC) for review. In December 2021, the JPC submitted its report and, making exhaustive recommendations, suggested fundamental changes to the bill. This led to the introduction of the 2021 bill. Notably, the JPC’s recommendations included amending the name of the bill from Personal Data Protection Bill to Data Protection Bill and incorporating provisions regulating non-personal data along with personal data.

Reason for withdrawal

The government’s stance for withdrawing the bill was primarily on account of the JPC having recommended numerous changes to the earlier bill and the idea that, on consideration, it would be easier to come out with a new draft legislation instead of modifying the existing version. As a matter of fact, the JPC had proposed 81 changes and 12 recommendations in a total of 99 provisions of the bill. Per the government, the bill was withdrawn to make way for a comprehensive legal framework to regulate online space, including bringing separate laws on data privacy, the overall Internet ecosystem, cybersecurity, telecom regulations and harnessing non-personal data to boost innovation in the country.

Major challenges with the bill

The bill had, in fact, met with opposition from various stakeholders. Big tech companies had an issue with the data localisation requirement whereby companies would have to mandatorily store a copy of sensitive personal data within India. Another requirement forbade ‘critical’ (an undefined term) personal data from being exported from the country. At the same time, activists protested against broad and unfettered rights being given to the central government and its allied agencies to use data with certain blanket exemptions provided to them from adhering to provisions of the bill. The Indian tech industry feared that the bill would hamper the growth of the Indian tech start-up ecosystem due to high level of compliance and the absence of costly infrastructure related to storage and transfer of data that would be required to comply with the bill. Additionally, there was unanimous dissatisfaction among stakeholders about the incorporation of provisions relating to non-personal data within the bill – a bill with only personal data within its ambit was preferred.

What next

A ‘comprehensive legal framework’ to cover the digital tech landscape is now being contemplated. There is a twofold requirement. First, of a robust legislation specific to personal data protection and privacy, congenial to the Indian tech start-up ecosystem while protecting the interests of other stakeholders, including big tech companies, with a separate set of rules to regulate non-personal data. Second, there is a need to revamp the existing, over two-decade old, IT Act to facilitate electronic transactions and regulate cybercrime.