Indian Govt Withdraws Proposed Law On User Data Protection

In a surprise move the government has withdrew the much awaited Personal Data Protection (PDP) Bill from Parliament that it had proposed in 2019 on Wednesday. The Personal Data Protection Bill, 2018, was prepared by a high-level expert group headed by former Supreme Court judge BN Srikrishna.

The government is now promising to introduce a new legislation to release by early 2023, without any dilution to broader privacy aspects of the original bill and without any compromise to the Right to Privacy” as provided by the Supreme Court in its historic judgment given in August 2017, said by Ashwini Vaishnaw, Electronics and Information Technology Minister said.

Speaking in Parliament, the Centre was taking the decision as a parliamentary panel’s review of the bill had suggested 81 amendments and 12 recommendations were made toward a comprehensive legal framework for the digital ecosystem leading to the need for a new comprehensive legal framework.

The minister said that taking into consideration the JCP report, a comprehensive legal framework is now being worked upon.

The bill was aimed at expanding regulations to protect the digital footprints of millions of internet users, data flow, and its usage in the 1.3 billion citizens-strong country. At the same time, it is good that there will be a redraft from scratch.

The Bill was expected to provide protection of digital privacy to individuals relating to their personal data, specify the flow and usage of data, and create a relationship of trust between persons and entities processing the data. And now Experts discussing on, Does that mean Personal Data can be used whatever way the data owner wants?

The 2019 law had proposed stringent regulations on cross-border data flows and proposed giving the Indian government powers to seek user data from companies, seen as part of Prime Minister Narendra Modi's stricter regulation of tech giants.

The Personal Data Protection Bill would have changed the landscape of digital privacy for India. The proposed legislation was meant to regulate how various companies and organizations use individuals’ data inside India.

Industry speaks on, withdrawal of the Bill “without a confirmed timeline” on introduction of a fresh one “is a matter of grave concern. Now the global internet companies including Facebook, Twitter and Google have for years been concerned with many other separate regulations India has proposed for the technology sector.

JOURNEY OF PDP Bill

· The PDP bill was first introduced in Parliament on December 11, 2019 and passed on to the JCP for examination the same year.

· The JCP was initially chaired by BJP Member of Parliament (MP) Meenakshi Lekhi initially.

· Since a minister is not allowed to chair a JCP, Lekhi was subsequently replaced by PP Chaudhary.

· Over the three years, including the pandemic-hit 2020 and 2021, were 81 amendments and 12 recommendations to the original Bill.

· The report of the JPC was presented to the Lok Sabha on December 16, 2021.

· The Bill was withdrawn on August 3, 2022 during the Monsoon Session of Indian Parliament.

India still has no privacy law in sight. That's leaving data regulation open to a wide variety of sectoral regulations, something a common privacy law could have harmonised.

After the privacy law plan of 2019, it also floated new proposals to regulate "non-personal data", a term for data viewed as a critical resource by companies that analyse it to build their businesses. The parliamentary panel had said such non-personal data should be included in the purview of the privacy bill.

The bill also exempted government agencies from the law "in the interest of sovereignty" of India", a provision privacy advocates at the time said would allow agencies to abuse access.

NASSCOM’s statement on the new framework for Personal Data Protection says, India’s Techade is being shaped by accelerated digitisation and policy measures that enable access and inclusion. Data is the bedrock for Digital India and the new framework for Personal Data Protection can build on the learnings from global implementation of data privacy laws and stakeholder feedback on the earlier bill. The key imperatives will be to operationalise the fundamental right of privacy and enable data protection in a manner that grows trust in data driven businesses and allows data led services to grow in a safe and trusted manner.