Data Protection Bill - What it was and why it was withdrawn
Personal Data Protection Bill, 2019
On December 11, 2019, the Ministry of Electronics and Information Technology introduced the Personal Data Protection Bill 2019 (PDP Bill 2019) in the Indian Parliament. A Joint Parliamentary Committee (JPC) is analyzing the Bill as of March 2020, in cooperation with experts and stakeholders. The JPC, which was set up in December 2019, is headed by BJP Member of Parliament (MP) Meenakshi Lekhi. While the JPC was given a limited timeline to complete the draught law before the 2020 Budget Session, it has requested extra time to analyze the Bill and contact stakeholders.
The Bill addresses measures for protecting personal data and proposes the establishment of an Indian Data Protection Authority.
Some essential features of the 2019 Bill that the 2018 draught Bill did not include, such as the central government's ability to exempt any government agency from the Bill and the Right to Be Forgotten, have been included.
Provision
This act aims to protect a person’s information about themselves or about another person including those who have died. It will also set out how this information can be used and how it should be protected.
The Bill seeks to protect individuals' privacy in relation to their personal data, specify the flow and usage of personal data, establish a relationship of trust between persons and entities processing personal data, to protect the fundamental rights of individuals whose personal data are processed, to establish a framework for organizational and technical measures in data processing, to establish norms for social media intermediaries, and to facilitate cross-border transactions. It included extensive provisions for consent collection, dataset evaluation, data flows, and personal data transfers, among other things.
After four years of work, why was Personal Data Protection Bill withdrawn?
The Personal Data Protection Bill, which had been in the works since 2018 and was first drafted by a panel led by retired Supreme Court Judge BN Srikrishna, was withdrawn by the government yesterday, August 4, as Parliament seeks a new "comprehensive legal framework" that addresses data privacy in the online space. In reality, in December 2021, a Joint Parliamentary Committee (JPC) proposed 81 modifications to the measure.
What does the Personal Data Protection Bill say?
The Bill, which attempted to safeguard both personal and non-personal data of persons, recognised, among other things, that personal data cannot be used without the user's consent. This consent was only legitimate if it was freely provided, based on an informed decision, and revocable. The Bill also established specific criteria for data fiduciaries (any state, company, non-governmental organisation, individual, or other entity that determines the processing of personal data), stating that people's data can only be retained and handled for authorised reasons.
The Bill also proposed to establish an Indian Data Protection Authority (DPA), which would serve as an umbrella authority for both personal and non-personal data. However, the Bill also had several provisions.
Why was the Bill criticised?
According to privacy experts, the Bill granted the Central Government significant exclusions. According to an Internet Freedom Foundation study, the government can exclude any government agency from any of the Bill's requirements in the interest of national security and the prevention of incitement to any cognisable offence. Furthermore, it grants the Central Government access to non-personal and personal data with any data fiduciary "for the purpose of defining policies for the digital economy."
In reality, Section 12 (a)(i) of the Bill authorised the government to acquire personal data on the basis of "national sovereignty" and "public order" without the informed agreement and assent of people. However, experts have labelled these phrases as ambiguous since public order, for example, might be perceived differently by various individuals. Furthermore, the DPA's regulatory structure was not independent since the Central government could nominate its members, interfering with the committee's findings about privacy infractions and government data exploitation.
Why was the Bill withdrawn?
The PDP Bill was referred to the Joint Parliamentary Committee (JPC) in 2019. The committee recommended 81 amendments to the Bill. Privacy experts flagged concerns from this report as well as the fact that it expands the scope of non-consensual processing of personal data.
What can be expected from the new legislation?
After the withdrawal of the Bill, Minister of State for Information Technology Rajeev Chandrashekhar tweeted that it will be replaced soon by a comprehensive framework of global standard laws, including digital privacy laws, to address current and future challenges and catalyse Prime Minister Narendra Modi's vision.
According to the "reasons for withdrawal" shared with other MPs, the Ministry is working on this framework after reviewing the report of the JPC established to look into the problem. As a result, the JPC's recommendations may be incorporated into the new legislation. The group, for example, proposed that non-consensual data acquisition be done in the data principal's legitimate interest (user). Their study also said unequivocally that if a person chooses not to submit personal data, they will not be denied a service or the enjoyment of any legal right or claim. However, many ambiguous exemptions that have been criticised remain.
Conclusion
Privacy experts are wary that the Bill shouldn’t be dismissed altogether given all the work that went into it. They also say that the new Bill should also be put up for public consultation.