Published: 04th August 2022
#WhatTheFAQ: After four years of work, why was Personal Data Protection Bill withdrawn?
The Bill that alarmed tech companies and privacy experts has now been withdrawn by the government after going through multiple changes and facing criticism. Why was the bill so controversial?
The Personal Data Protection Bill which was in the works since 2018 and drafted first by a panel led by retired Supreme Court Judge BN Srikrishna, was withdrawn by the government yesterday, August 4 as the Parliament looks to come up with a new “comprehensive legal framework” that addresses data privacy in the online space. In fact, a Joint Parliamentary Committee (JPC) suggested 81 amendments to the bill in December 2021.
But what did the Bill say that attracted criticism from privacy experts? And what can be expected from the new legislation?
What did the Personal Data Protection Bill say?
Among many other provisions, the Bill that sought to protect both personal and non-personal data of people recognised that personal data cannot be processed without the consent of the user. This consent was only valid if it was freely given, on the basis of an informed decision and capable of being withdrawn. The Bill also laid down detailed guidelines for data fiduciaries (any state, companies, non-governmental organisations, individuals and so on who determine the processing of personal data), for what purposes can people’s data be stored and processed — only for lawful purposes.
The Bill also sought to establish a Data Protection Authority (DPA) of India that would be the umbrella authority that regulates both personal and non-personal data. However, the Bill also provided for many exemptions, which are some of its most criticised sections.
Why was the Bill criticised?
Privacy experts said that the Bill gave broad exemptions to the Central government. For example, a report by the Internet Freedom Foundation mentioned that the government can in the interest of national security and the prevention of incitement to any cognisable offence, exempt any government agency from any of the provisions of the Bill. Additionally, it empowers the Central Government to access non-personal and personal data with any data fiduciary “for framing policies for the digital economy.”
In fact, Section 12 (a)(i) of the Bill allowed the government to collect personal data without the informed consent and approval of individuals on the grounds of “national sovereignty” and “public order”. But these terms have been termed by experts as vague because public order, for example, can be interpreted differently by different people. Additionally, the regulatory structure of the DPA was not independent as the Central government could appoint its members which would interfere with the committee’s decisions regarding violations of privacy and misuse of data by the government.
Why was the Bill withdrawn?
Although the PDP Bill was referred to the JPC consisting of members from both the Houses of the Parliament in 2019, the committee laid down its report only in 2021 after multiple extensions. The committee suggested 81 amendments to the Bill. However, privacy experts flagged concerns from this report as well such as the fact that it expands the scope of non-consensual processing of personal data. The Information and Technology Minister Ashwini Vaishnaw stated that the Bill was withdrawn because JPC recommended 81 amendments in a Bill with 99 sections. “Above that it made 12 major recommendations. Therefore the Bill has been withdrawn and a new bill will be presented for public consultation,” he said in a tweet.
What can be expected from the new legislation?
After the Bill was withdrawn, the Minister of State for IT Rajeev Chandrashekhar tweeted that this will soon be replaced by a comprehensive framework of global standard laws including digital privacy laws for contemporary and future challenges and catalyse Prime Minister Narendra Modi's vision.
According to the “reasons for withdrawal” shared with other MPs, the Ministry is working on this framework, after considering the report of the JPC set up for the matter. The new legislation, therefore, could incorporate changes suggested by the JPC. The committee, for example, had suggested that the non-consensual collection of data should be done in the legitimate interest of the data principal (user). Their report also made it clear that if a person exercises a choice to not provide personal data, then they will not be denied a service or the enjoyment of any legal right or claim. But it still does retain certain vague exemptions that have been criticised.
Additionally, privacy experts are wary that the Bill shouldn’t be dismissed altogether given all the work that went into it. They also say that the new Bill should also be put up for public consultation.