India's Data Protection Bill: A timeline of everything so far

After two years of deliberation, the Joint Parliamentary Committee (JPC) adopted the final draft of the Personal Data Protection (PDP) bill on November 22. The bill is now set to be tabled in the Indian Parliament’s winter session that started today, on November 29. 

The groundwork for this bill was laid by an August 2017 judgment by the Supreme Court that identified privacy as a fundamental right. Around the same time, in July 2017, a 10-member committee under retired Supreme Court judge B.N. Srikrishna was set up to examine the need for a data protection law in India and create a framework for it. 

August 2018: Srikrishna committee submits its report 

The Srikrishna committee submitted its draft report to IT minister Ravi Shankar Prasad in In August 2018. The committee made several recommendations on how data should be processed by Indian and global companies, emphasised the importance of user consent and suggested a penalty of up to 2-4% of a company's global turnover for non-compliance. 

The draft suggested that personal data can be processed only for a clearly defined purpose and users should be given the choice to withdraw consent. It also said that critical personal data should only be processed on local servers and all firms must hire a data protection officer. The committee studied data protection laws in Europe, Singapore and Australia to come up with the best practices for data protection in the Indian context. 

It also highlighted the inadequacies of the Information Technology (IT) Rules, 2011 (IT Act 2000) in dealing with new challenges of data protection. The committee said that the definition of sensitive personal data under the IT act was narrow and it left out several categories of personal data from its protective remit. It also flagged the fact that its obligation only applied to companies and exempted the government.

December 2019: PDP bill was first tabled in Parliament

After mulling over the recommendations of the Srikrishna committee’s draft, the PDP bill was tabled in the Indian parliament by the Ministry of Electronics and Information Technology (MeitY) in December 2019. The bill retained many of the suggestions made by the Srikrishna committee, including the restriction on storage and transfer of personal data and the proposal to slap a penalty for non-compliance. However, it also deviated on some key points and drew a lot of flak from privacy advocates and even justice BN Srikrishna. The 2019 bill gave the central government the power to exempt any government agency from the purview of the bill. 

Justice Srikrishna also criticised the bill for diluting the committee's recommendations on the structure of data protection authority (DPA). The committee wanted the DPA to have independent people who represented the industry and other stakeholders and included some government nominees. The 2019 bill suggested that all DPA members should be government nominees.

December 2019: JPC was constituted to examine the 2019 bill 

The bill introduced in the Lok Sabha in 2019 was widely criticised. To allay these concerns, the Parliament decided to form the JPC, comprising 30 members from both houses for further examination of the PDP bill. The JPC was chaired by the former union minister and Member of Parliament, PP Chaudhary. Over the next few months, the JPC held several meetings and interviews with representatives from the Ministry of Electronics and Information Technology (MeitY), the Reserve Bank of India (RBI)l industry bodies like NASSCOM, ASSOCHAM, and companies including Amazon, Facebook and Twitter. 

November 2020: JPC proposes widening the scope of data protection 

After several discussions, in November 2020 the JPC unanimously suggested that the bill should expand its ambit and focus on overall data protection that covers both personal and non-personal data. They recommended that the bill should also include non-personal data including both sensitive data and critical data. 

This was a major departure from the original draft and the subsequent bill that only revolved around personal data. Since then, the JPC has made several suggestions that add teeth to the bill. For instance, the JPC recommended that social media companies that do not act as intermediaries should be treated as publishers and held liable for content published on their platform. It also recommended that the government should set up a mechanism for hardware certification to ensure data is not collected by hardware manufacturers.

Clause 35 of the bill that allows the central government to exempt any government agency in the name of public order and sovereignty has drawn widespread criticism from privacy and rights advocates along with several members of the JPC. 

November 2021: JPC adopts report on Data Protection Bill

After two years of deliberations and extensions, the JPC finally adopted its report on November 22 this year. Its report is expected to be tabled during the winter session of the Parliament, which began on November 29, and includes many of the recommendations seen earlier.

The report includes both personal and non-personal data under the purview of the same bill, and has hence changed the name to Data Protection Bill. It has also said that social media companies should have to setup offices in India to operate here, and those that aren't intermediaries should be considered publishers who are responsible for the content they distribute. 

There are also provisions for the Data Protection Authority (DPA) to certify Internet of Things (IoT) and other digital devices being sold in the country. The DPA itself is being given two years to work on various aspects of the bill, which is when the Data Protection Act will become fully active.

On August 3, 2022, the Personal Data Protection Bill, 2019 was withdrawn by the central government. The motion for withdrawal of this Bill was moved in Lok Sabha by Ashwini Vaishvaw, Union Minister for Electronics and Information Technology.  

The minister said that another global standard law with comprehensive legal framework will be introduced keeping abreast with the proposed amendments, respecting contemporary and future challenges.  

On November 18, 2022, the Union ministry for electronics and technology (MeitY) initiated the process of consultation with the public and other stakeholders on the draft Bill, inviting comments from the public, the last date for receipt of which was January 2, 2023. 

The revised bill focuses only on personal data, thereby doing away with regulating the use of non-personal data. Further, it was said that the draft bill requires a data fiduciary. This means an entity that processes user data, in order to give an itemised notice to users on data sought to be collected in clear and plain language. 

Apart from this, the bill states that the data fiduciary shall not undertake tracking or behavioural monitoring of children or advertising directed at children. It mandates penalties of up to ₹500 crore for non-compliance. 

On January 3, the Union government said that it intends to introduce a new bill on personal data protection in the Parliament “at the earliest”, an affidavit filed by the Centre in the Supreme Court has said, even as the government refrained from specifying a timeline to do so. 

After two months, on March 3, Vaishnaw said that the Parliamentary Standing Committee on Communications and Information Technology has given an approval for the revised draft of the data protection law.