Withdrawing the Personal Data Protection Bill was a bad move

In a surprising development last week, Government withdraws Personal Data Protection (PDP) Bill, 2019, thus abruptly stopping the country’s search for a national data protection law that had been in the works for more than five years. The reasons for the government’s decision are brief and secret. The short circular issued by the Minister of Electronics and Information Technology only stated that considering the report of the Joint Parliamentary Committee (JPC) – it had proposed 81 amendments and made 12 recommendations – “on a comprehensive legal framework The work is being done”. “Under these circumstances”, the government proposed to withdraw the bill and introduce a new bill that “fits into the broader legal framework”.

Multiple iterations, to no avail

Interestingly, there is no detail on what is included in such a “comprehensive legal framework”. The government may enact a new privacy law or a comprehensive data protection law (covering both personal and non-personal data). Alternatively, it may include data protection as part of its ongoing efforts to amend the existing Information Technology Act, 2000. It could also enact a digital market law on the lines of the European Union’s Digital Services Act, which focuses on competition and innovation in the digital space. , Unfortunately, the ministry’s circular does not leave us any clarity on the way forward.

editorial | A new opportunity: on the rollback of the Personal Data Protection Bill

The ministry’s allegation of withdrawing the JPC report is also contrary to the proposed amendments of the JPC, which did not recommend withdrawal of the PDP Bill in favor of a broader legal framework.

The lack of clarity is compounded by the fact that no timeline has been set as to when the new bill will be introduced or passed in Parliament. This is especially important given the draft history of the PDP Bill. When the Supreme Court of India upheld the right to privacy in its landmark KS Puttaswamy judgment in 2017, a nine-judge bench of the court set up the BN Srikrishna Committee to suggest a draft data protection bill for government offices. Referred to the memorandum. The committee released its draft Personal Data Protection Bill in 2018, the first public expression of a data protection law in India.

Subsequently, when the Supreme Court upheld the constitutionality of the Aadhaar Act, the majority asserted that it held that “a proper legislative mechanism is required for data protection”. It “influenced” the central government to bring in a “robust data protection regime” through the enactment of a law with necessary amendments based on the recommendations of the Srikrishna Committee report.

In December 2019, the government introduced the PDP Bill, 2019 in the Lok Sabha as a comprehensive personal data protection regime. Keeping in view the importance of the Bill and the controversies surrounding various provisions, the Bill was referred to the JPC for its recommendations. In 2021, JPC suggested a number of amendments to re-word its Data Protection Bill, 2021, which privileges the state’s exceptionalism on personal privacy, while continuing to strictly regulate corporate action.

Now, after five years of hard work and three iterations of data protection legislation, the government has ruined its efforts to protect our privacy.

fault lines

The JPC’s recommendations in the PDP Bill, 2019, as well as the Suggested Data Protection Bill, 2021, faced serious loopholes, leading Justice Srikrishna to criticize the bill for its potential to turn India into an “Orwellian state”. First, the bill’s broad exemption allowed the state to exempt the entire application of the law, as if it were “proximate” to do so in the interest of national security or public order. These exemptions were not required to be presented before Parliament and there was no provision for review or oversight of the decision of the Government. In fact, Member of Parliament Jairam Ramesh said in his dissent note, “Government agencies are treated as a separate privileged class, whose operations and activities are always in the public interest and considerations of individual privacy are secondary”.

Second, the PDP Bill, 2019 as well as the JPC’s version established a stronger regulator (Data Protection Authority), with much more power, but little independence or accountability.

Third, the bill implemented a stronger data localization mandate, requiring companies to store all sensitive personal data and critical personal data (which was not defined) in India. Despite concerns about surveillance and the rising cost of compliance expressed by civil society and the private sector, the government did not support cross-border data transfers.

Finally, the JPC recommended the integration of the regulation of personal data and non-personal data into a single law, even though it undermined the Puttaswamy mandate to ensure the protection of personal data.

Increasing digitization, issues

However, despite these genuine concerns, immediate enactment of a data protection law was, and will continue to be, imperative. India currently has over 750 million internet users, the number of which is only expected to increase in the future. The government is also pushing for a ‘Digital India’ with more focus on digitization of access to health, ration, banking, insurance especially after the COVID-19 pandemic. There is a greater focus on inter-linking of data through facial recognition, Aadhaar, or the Criminal Procedure (Identity) Act, 2022.

At the same time, India is involved in the highest number of data breaches in the world. It is reported that 18 out of every 100 Indians have been affected by data breaches since 2004, in which 962.7 million data points have been leaked, mainly personal data points such as names and phone numbers. Without a data protection law, the data of millions of Indians remains at risk of being exploited, sold and misused without their consent.

Unlike state action, corporate action or misconduct is not subject to writ proceedings in India. This is because fundamental rights against private non-state entities are, by and large, not enforceable. This leaves individuals with limited measures against private actors. They can either seek action under the inadequate and ineffective provisions of the Information Technology Act, or file civil/criminal proceedings before the court (which is itself time-consuming and costly).

A personal data protection law would address this shortcoming by providing appropriate grievance redressal options to individuals and creating substantial resistance among private actors. Being inadequate and flawed, enactment of the PDP Bill as a law would have begun to provide a redressal framework. Instead, we are left with the vague promise of a “comprehensive legal framework” with no timeline.

Consult, work on new law

So where do the actions of the government leave us? It is imperative that the government soon introduce a new data protection law, prepared after due public consultation. Such legislation should take into account the criticisms raised by civil society as well as the private sector. This should be widely discussed and debated in Parliament.

Even though the PDP bill may not be the most privacy-respecting law, it provides a certain desirable level of protection to the personal data of individuals. Once enacted, there is always scope for judicial review (based on challenges to potentially unconstitutional provisions) and parliamentary amendment (involving feedback on the working of the law by legislators). Therefore, even legitimate criticism of the PDP Bill, 2019 or the recommendations of the JPC does not justify its withdrawal. After all, there is no reason to allow the perfect to be the enemy of the good.

Vrinda Bhandari is an Advocate practicing Lawyer in Delhi.