Explained: Why did the govt dump the Personal Data Protection Bill

Digital india act
MeitY has held a round of consultations with industry stakeholders, policy advocates, and legal experts on the broad contours of the Digital India Act.

After drawing flak at home and abroad alike, the Union government has finally decided to withdraw the controversial Personal Data Protection Bill from Parliament. However, it is already gearing up for presenting an alternative legislation which may be less contentious that the current one. On Wednesday, the government announced the withdrawal of the bill stating that it is considering a comprehensive legal framework to regulate the online space.

The framework will involve bringing separate laws on data privacy, the overall Internet ecosystem, cybersecurity, telecom regulations, and harnessing non-personal data to boost innovation in the country while also addressing all current and future challenges to the digital ecosystem.

The Bill had been in the works for four years now and had gone through multiple iterations. It drew fierce criticism from a range of stakeholders such as the big tech companies such as Facebook and Google, as well as privacy and civil society activists.

ALSO READ: Horses for courses: RBI need not hike interest rates to match Fed action

The Personal Data Protection Bill, 2019

The legislation aimed at protecting the digital privacy rights of the country’s thriving base of internet subscribers and the nascent data economy. However, the initial legislation underwent a series of changes to include provisions on regulating social media, hardware companies, as well as provisions on data localisation and non-personal data. This received major pushback from technology corporations and start-ups which claimed that the Bill comes with a high cost of compliance.

The high cost of compliance was due to a proposed provision in the Bill that called for data localisation. Under this, it would have been mandatory for companies to store a copy of certain sensitive personal data within India, and the export of undefined critical personal data from the country would be prohibited. A provision in the Bill also allowed the Union government and its agencies blanket exemptions from adhering to any and all provisions of the Bill which drew flak from activists.

Government’s version on the withdrawal of Bill

Analysts are seeing the withdrawal as a nod to the sustained pushback by global and local technology corporations, policy makers and activists. However, in a note circulated to the members of Parliament, Union IT Minister Ashwini Vaishnaw explained the government’s version on the withdrawal of the Bill. He said that initially the Bill came after great deliberations by the Joint Committee of Parliament. In all, 81 amendments were proposed and 12 recommendations were made towards a comprehensive legal framework.

The government is now working on a comprehensive legal framework after considering a report of the JCP. The current circumstances required the withdrawal of the Bill which is to be replaced by a new Bill. According to media reports, the new Bill will also be easy to comply with which was a major demand from start-ups and corporations. JCP had submitted its recommendations along with a draft Bill in November 2021.

The government has also acknowledged that there were some issues with the previous Bill and rectifying the same was beyond the scope of modern digital privacy law. Hence, the need for the new Bill.

ALSO READ: India makes great strides in financial inclusion, but issues remain

The JCP also recommended inclusion of discussions on non-personal data which means the mandate of the previous Bill from personal data protection needs to be changed to accommodate broader data protection. Among with other proposals, the JCP’s report recommended changes on issues such as regulation of social media companies, and on using only trusted hardware in smartphones. It has also proposed that social media companies that do not act as intermediaries should be treated as content publishers which, in turn, makes them liable for the content they host.

Way forward for the new Bill

As of now, nobody knows what the new Bill will bring to the table as specific provisions of the upcoming legislation are not known. But it should take all stakeholders in confidence before the new recommendations become a bill. The government should especially look to placate the concerns of its citizens and activists who saw the current Bill as a step towards making India an Orwellian state. Orwellian State is a term used to denote draconian control of its people by a state. The concept comes from the novel 1984 written by George Orwell.

At the time the Bill was introduced, Justice BN Srikrishna, who was also a part of the committee which drafted the Personal Data Protection Bill (PDP), said the bill was dangerous as it allowed the Union government to exempt its agencies from some or all provisions. He had then said that the government had removed the safeguards.

According to media reports, the new Bill may do away with classification of personal data from the perspective of data localisation, and only use classification for awarding damages to people whose personal data may have been compromised by an entity. The new Bill is expected to be tabled in the Winter Session of Parliament.