Digital rights activists disappointed with withdrawal of draft Personal Data Protection Bill from Parliament

Internet Freedom Foundation said that this decision lays waste years of labour and deliberation on a law essential for the protection of every Indian in a digitised society and has led to uncertainty

Representative Photo (Getty images)
Representative Photo (Getty images)

NH Web Desk

The Union government has withdrawn the draft Personal Data Protection Bill, 2021 from Parliament after nearly four years of working on it. Moving for its withdrawal, IT Minister Ashwini Vaishnaw said the government will come out with a set of fresh legislations along with a comprehensive legal framework for the digital economy.

Several digital rights activists felt that the withdrawal of the draft Bill marked the end of an unsatisfactorily long consultation and arduous review process for the legislation.

The Internet Freedom Foundation said that this decision lays waste years of labour and deliberation on a law essential for the protection of every Indian in a digitised society and has led to uncertainty. It had earlier highlighted that the draft Bill provided sweeping exemptions to government departments, prioritised the interests of big corporations and did not adequately respect personal fundamental right to privacy.

The Centre had circulated a statement containing reasons for withdrawal of the Bill, which was introduced on December 11, 2019, and was referred to the Joint Committee of the Parliament (JCP) for examination. The report of the JCP was presented to Lok Sabha in December 2021.

The government stated that the Bill could be replaced by more than one Bill, dealing with privacy and cyber security and the government may bring the new set of Bills in the Winter Session of Parliament.

In the note that was circulated, Vaishnaw stated, “The Personal Data Protection Bill, 2019 was deliberated in great detail by the Joint Committee of Parliament. 81 amendments were proposed and 12 recommendations were made towards a comprehensive legal framework on the digital ecosystem. Considering the report of the JCP, a comprehensive legal framework is being worked upon. Hence, in the circumstances, it is proposed to withdraw ‘The Personal Data Protection Bill, 2019’ and present a new Bill that fits into the comprehensive legal framework.”

The delays have been severely criticised by stakeholders because India, which is one of the world’s largest Internet markets, does not have even a basic framework to protect people’s privacy.

The Bill had faced pushback from data privacy activists and stakeholders including tech companies such as Facebook and Google.

The tech companies had questioned data localisation, a proposed provision in the draft Bill, under which it would have been mandatory for companies to store a copy of certain sensitive personal data within India, and the export of undefined “critical” personal data from the country would have been prohibited.

The companies had to inform consumers about how they were utilising personal data and had to take consent from users. The draft Bill gave the consumers the right to withdraw consent whenever they wanted and the companies had to provide a mechanism to enable this.

It has been close to 10 years since the release of the AP Shah Committee Report on Privacy, five years since the Puttaswamy Judgement on privacy and four years since the Srikrishna Committee’s report, which all signalled urgency for a data protection law and surveillance reforms.

This decision has rendered waste the efforts of 10 years, said Apar Gupta, executive director, Internet Freedom Foundation. “The existing legal vacuum on data protection portends an Orwellian state and is clearly an infringement of the fundamental right to privacy. We hope that the government has taken into account previous deliberations while drafting the new comprehensive legal framework. Each day lost causes more injury and harm,” read a statement from the IFF.

The CEO of Data Security Council of India is reported to have said, “It’s like going back to the drawing-board.”

“This is a setback not only for big tech or the corporate world but also for individuals, consumers and privacy-first organisations that had worked hard on engaging with the government, consumers and other stakeholders,” Amol Kulkarni, director (research), CUTS International, was quoted as saying in The Business Standard.

A few Opposition leaders including Congress leader Manish Tewari tweeted that that it signified a win for big tech, which “never wanted this law”. He added that if it had been debated on the floor of the House, a better legislation could have been framed.

In a series of tweets, Nikhil Pahwa, editor of MediaNama, which covers policy and media, said, “I hope that the Bill isn’t junked altogether, given all the work that went into it. Junking the Bill altogether will create a limbo of sorts from a privacy protection standpoint. Nobody wants that.”

History of the Bill

After the Supreme Court’s unanimous verdict in August 2017 affirming that privacy is a fundamental right under the Constitution of India, the Justice Srikrishna panel was set up to build a data protection framework for the country. The Committee had released a white paper that same year, outlining the areas it would be looking at.

In July 2018, the Committee submitted a draft data protection Bill to the Ministry of Electronics and IT, which said that it would draft a fresh Bill borrowing from the ideas presented in the Srikrishna Committee Bill.

The Bill was then referred to the JCP, which was headed by BJP’s Meenakshi Lekhi, in December 2019. The committee, which was formed to analyse each clause in the Bill, sought and received extensions twice – in September 2020 and March 2021.

After Lekhi was made Minister of State for External Affairs, BJP MP PP Chaudhary was appointed chairperson of the JCP in July 2021. Finally, the committee submitted the report in December 2021, which gave the government sweeping powers.

Justice Srikrishna, in an interview, had stated that the draft Bill sets the stage for turning India into an “Orwellian state”.

The Committee proposed 81 amendments to the draft Bill finalised by the Srikrishna panel, and 12 recommendations including expanding the scope of the proposed law to cover discussions on non-personal data — thereby changing the mandate of the Bill from personal data protection to broader data protection. The draft Bill had wanted to treat social media companies not as intermediaries but as content publishers, which would make them liable for the content they host.

Non-personal data is electronic data that does not contain any information that can be used to identify a natural person. Personal data, in the bill, was divided into three categories: sensitive personal data (like health, sexual orientation, finances), critical personal data (left to be defined by the government), and basic personal data.

Follow us on: Facebook, Twitter, Google News, Instagram 

Join our official telegram channel (@nationalherald) and stay updated with the latest headlines

Published: 05 Aug 2022, 9:00 PM