After two years of deliberation, the Joint Parliamentary Committee (JPC) adopted the final draft of the Personal Data Protection (PDP) bill on November 22. The bill is now set to be tabled in the Indian Parliament’s winter session that started today, on November 29.
The groundwork for this bill was laid by an August 2017 judgment by the Supreme Court that identified privacy as a fundamental right. Around the same time, in July 2017, a 10-member committee under retired Supreme Court judge B.N. Srikrishna was set up to examine the need for a data protection law in India and create a framework for it.
August 2018: Srikrishna committee submits its report
The Srikrishna committee submitted its draft report to IT minister Ravi Shankar Prasad in August 2018. The committee made several recommendations on how data should be processed by Indian and global companies, emphasised the importance of user consent and suggested a penalty of up to 2-4% of a company's global turnover for non-compliance.
The draft suggested that personal data can be processed only for a clearly defined purpose and users should be given the choice to withdraw consent. It also said that critical personal data should only be processed on local servers and all firms must hire a data protection officer. The committee studied data protection laws in Europe, Singapore and Australia to come up with the best practices for data protection in the Indian context.
It also highlighted the inadequacies of the Information Technology (IT) Rules, 2011 (IT Act 2000) in dealing with new challenges of data protection. The committee said that the definition of sensitive personal data under the IT Act was narrow and that it left out several categories of personal data from its protective remit. It also flagged the fact that its obligation only applied to companies and exempted the government.
December 2019: PDP bill was first tabled in Parliament
After the recommendations of the Srikrishna committee’s draft were mulled over, the PDP bill was tabled in the Indian parliament by the Ministry of Electronics and Information Technology (MeitY) in December 2019. The bill retained many of the suggestions made by the Srikrishna committee, including the restriction on storage and transfer of personal data and the proposal to slap a penalty for non-compliance. However, it also deviated on some key points and drew a lot of flak from privacy advocates and even Justice B.N. Srikrishna. The 2019 bill gave the central government the power to exempt any government agency from the purview of the bill.
Justice Srikrishna also criticised the bill for diluting the committee's recommendations on the structure of data protection authority (DPA). The committee wanted the DPA to have independent people who represented the industry and other stakeholders and included some government nominees. The 2019 bill suggested that all DPA members should be government nominees.
December 2019: JPC was constituted to examine the 2019 bill
The bill introduced in the Lok Sabha in 2019 was widely criticised. To allay these concerns, the Parliament decided to form the JPC, comprising 30 members from both houses for further examination of the PDP bill. The JPC was chaired by the former union minister and Member of Parliament, PP Chaudhary. Over the next few months, the JPC held several meetings and interviews with representatives from the Ministry of Electronics and Information Technology (MeitY), the Reserve Bank of India (RBI), industry bodies like NASSCOM, ASSOCHAM, and companies including Amazon, Facebook and Twitter.
November 2020: JPC proposes widening the scope of data protection
After several discussions, in November 2020 the JPC unanimously suggested that the bill should expand its ambit and focus on overall data protection that covers both personal and non-personal data. They recommended that the bill should also include non-personal data including both sensitive data and critical data.
This was a major departure from the original draft and the subsequent bill that only revolved around personal data. Since then, the JPC has made several suggestions that add teeth to the bill. For instance, the JPC recommended that social media companies that do not act as intermediaries should be treated as publishers and held liable for content published on their platform. It also recommended that the government should set up a mechanism for hardware certification to ensure data is not collected by hardware manufacturers.
Clause 35 of the bill that allows the central government to exempt any government agency in the name of public order and sovereignty has drawn widespread criticism from privacy and rights advocates along with several members of the JPC.
November 2021: JPC adopts report on Data Protection Bill
After two years of deliberations and extensions, the JPC finally adopted its report on November 22 this year. Its report is expected to be tabled during the winter session of the Parliament, which began on November 29, and includes many of the recommendations seen earlier.
The report includes both personal and non-personal data under the purview of the same bill, and has hence changed the name to Data Protection Bill. It has also said that social media companies should have to set up offices in India to operate here, and those that aren't intermediaries should be considered publishers who are responsible for the content they distribute.
There are also provisions for the Data Protection Authority (DPA) to certify Internet of Things (IoT) and other digital devices being sold in the country. The DPA itself is being given two years to work on various aspects of the bill, which is when the Data Protection Act will become fully active.