Personal Data Protection Bill

  Sep 19, 2022

Q. Why is this in news?

A .

In a surprise development last week, the Government withdrew the Personal Data Protection (PDP) Bill, 2019, thereby abruptly halting the country’s quest for a national data protection law that had been in the works for over five years.

 

Q. What are the Reasons for withdrawal of the Bill?

A. 

• The short circular issued by the Minister of Electronics and Information Technology states that considering the report of the Joint Parliamentary Committee (JPC) — it had proposed 81 amendments and made 12 recommendations — “a comprehensive legal framework is being worked on”. 
• There is no elaboration on what such a “comprehensive legal framework” entails.
• Possible plan of action: The Government could enact a fresh privacy legislation or a comprehensive data protection law (covering both personal and non-personal data).
• Subsuming data protection in IT Act: Alternatively, it could subsume data protection under its ongoing attempts at revising the existing Information Technology Act, 2000.
• Digital markets law: It could also enact a digital markets law, along the lines of theEuropean Union’s Digital Services Act, focusing on competition and innovation in the digital space.

 

Q. What is the Background of the introduction of Personal Data Protection Bill?

A. 

• When the Supreme Court of India affirmed the right to privacy in  K.S. Puttaswamy judgment in 2017, the nine-judge Bench of the Court referred to the Government’s Office Memorandum constituting the B.N. Srikrishna Committee to suggest a draft Data Protection Bill.
• The committee released its draft Personal Data Protection Bill in 2018, which was the first public articulation of a data protection law in India.
• When the Supreme Court upheld the constitutionality of the Aadhaar Act, the majority emphasised that it believed that “there is a need for a proper legislative mechanism for data protection”.
• In December 2019, the Government introduced the PDP Bill, 2019 in the Lok Sabha as a comprehensive personal data protection regime.
• The Bill was referred to the JPC for its recommendations.

 

Q. What were the issues with the Bill?

A. 

• Power to exemption with state: The Bill’s expansive exemptions allowed the state to exempt the entire application of the law simply as if it was “expedient” to do so in the interest of national security or public order.
• Powers without accountability: The PDP Bill, 2019 as well as the JPC’s version established a strong regulator (the Data Protection Authority) with a lot of power, but very little independence or accountability.
• Data localisation: The Bill imposed a strong data localisation mandate, requiring companies to store all sensitive personal data and critical personal data (which was not defined) in India.
• Subsuming the personal and non-personal data: The JPC recommended subsuming the regulation of personal data and non-personal data within a single legislation, even though it undermined the Puttaswamy mandate to ensure protection of personal data.

 

Q. Why we need data protection law?

A. 

• Increasing internet use: India currently has over 750 million Internet users, with the number only expected to increase in the future.
• The Government is also making a strong push for a ‘Digital India’, with increased focus on digitisation of access to health, ration, banking, insurance, especially after the COVID-19 pandemic.
• There is a greater focus on the inter-linking of data, whether through facial recognition, Aadhaar, or the Criminal Procedure (Identification) Act, 2022.
• Data breaches: At the same time, India has among the highest data breaches in the world.
• Without a data protection law in place, the data of millions of Indians continues to be at risk of being exploited, sold, and misused without their consent.
• Lack of writ proceeding against corporate action: Unlike state action, corporate action or misconduct is not subject to writ proceedings in India.
• This is because fundamental rights are, by and large, not enforceable against private non-state entities.
• This leaves individuals with limited remedies against private actors.
• A personal data protection legislation would remedy this lacuna by providing individuals with proper grievance redress options and creating sufficient deterrence among private actors.