The government withdrew the draft personal data protection (PDP) bill introduced in 2019 to replace it with a broader legal framework on the digital ecosystem based on suggestions made by a parliamentary panel.
In a statement to the Lok Sabha, minister of electronics and information technology Ashwini Vaishnaw said that the government was withdrawing the PDP bill because the joint committee of Parliament (JCP) flagged several issues and suggested changes to the bill to make it more comprehensive.
“Personal Data Protection Bill has been withdrawn because the JCP recommended 81 amendments in a bill of 99 sections. Above that, it made 12 major recommendations. Therefore, the bill has been withdrawn, and a new bill will be presented for public consultation,” the minister said in a statement on Wednesday.
Rajeev Chandrasekhar, minister of state for electronics and information technology, said the JCP identified many important issues that were not part of the scope of the existing data protection law.
“The JCP report on the personal data protection bill identified many issues that were relevant but beyond the scope of modern digital privacy law. Privacy is a fundamental right of Indian citizens, and a trillion-dollar digital economy requires global standard cyber laws,” the minister said in a Twitter post.
Wriju Ray, chief business officer of IDfy, a startup that helps with KYC and regulations, said many startups would breathe easy because of the withdrawal of the draft legislation. However, “I am not sure it’s a very good thing that an issue as important as data privacy keeps getting delayed,” Ray added. Tech and legal experts said the government’s move was expected since revisions to the three-year-old draft bill were overdue. Some said that the new bill would have a broader context and include JCP recommendations on protecting the personal and non-personal data of Indians.
“If withdrawing the data protection bill of 2021 is a precursor to introducing a personal data protection bill, then it may be a welcome move. It would have been better if the government clarified the same in advance to avoid undue speculation. In any event, any personal data protection bill that the government may introduce would have to be in line with the JCP report inputs on personal data—and not merely a reversion to the 2019 draft,” said N.S. Nappinai, a Supreme Court lawyer and founder of Cyber Saathi.
“The new legal framework is expected to be a broader law that covers not only personal data but also segregates personal and sensitive data—and how firms will have to handle each segment. The law will also lay down regulations on how companies in India will have to handle non-personal data,” said Pawan Duggal, cyber security expert and lawyer at the Supreme Court.
He said the new law might raise compliance requirements for companies in India.
The new framework could be introduced by the end of the year, Duggal said.
Prateek Waghre, policy director, Internet Freedom Foundation of India, said that the future of data privacy in India was unclear. “Data localization could also be a part of the future framework, which seems to be the direction in which India’s cybersecurity and data protection laws are progressing. This is also in line with the overall global direction of data privacy and localization laws, and this provides further cover to push for such legislation. However, this could create problems for how we envision a global, open internet framework,” he said.
The proposed bill, which was introduced following a mandate from the Supreme Court that recognized the right to privacy as a fundamental right in 2017, became a flash point between the government on one side and technology companies and civil society on the other because of several controversial provisions of the draft law.
The bill had proposed to create three categories of personal data, sensitive personal data and critical personal data, with each having separate regulations and compliances. The bill proposed firms would have to tell users of their data collection practices, while consumers’ consent for storing and removing data was to be obtained. However, the bill exempted government agencies from its provisions; yet, they could get non-personal anonymized data from data fiduciaries.
The JCP suggested widening the scope of the law to cover non-personal data, mandatory mirroring of sensitive data locally, regulation of content on social media platforms and treating platforms that are not intermediaries as publishers.
In addition, the committee recommended a staggered implementation route, setting up a statutory authority for regulating social media platforms on the lines of the Press Council of India and levying penalties in cases of violation of rules while keeping startups and smaller entities out of the purview.
The panel also suggested regulating content on social media platforms and making platforms that are not intermediaries accountable for the content they publish, including from unverified accounts. In addition, only social media platforms that set up offices locally will be allowed to operate in India.
The recommendations added that the central government will have full power to direct data protection authority (DPA) on all issues. It can also exempt any government agency from the purview of the Act, subject to just, fair, reasonable and proportionate procedure.
The move to keep government agencies outside the purview has been opposed by lawmakers from opposition parties who filed their dissent notes.