Government withdraws data protection bill: Why is it a good decision

In light of the JPC report, the government withdrew the Personal Data Protection Bill, 2019, and will present a new bill based on the recommendations

The government withdrew the Personal Data Protection Bill, 2019 (PDP Bill) and has decided to come up with a new legislation in view of a large number of amendments suggested by the Joint Committee of Parliament towards a comprehensive legal framework on the digital ecosystem.

Union Electronics and Information Technology Minister Ashwini Vaishnaw said that Personal Data Protection Bill, 2019 was deliberated in great detail by the Joint Committee of Parliament and 81 amendments were proposed and 12 recommendations were made towards a comprehensive legal framework on the digital ecosystem.

“Considering the report of the JCP, a comprehensive legal framework is being worked upon hence, in the circumstances, it is proposed to withdraw ‘The Personal Data Protection Bill, 2019’ and present a new bill that fits into the comprehensive legal framework,” he said.

The Government had July 31, 2017 constituted a “committee of experts on Data Protection” chaired by Justice BN Srikrishna to examine the issues relating to data protection. The committee examined the issues on data protection and submitted its report on July 27, 2018. The 2019 bill sought to bring a strong and robust data protection framework for India and to set up an Authority for protecting personal data and empowering the citizens’ with rights relating to their personal data ensuring their fundamental right to “privacy and protection of personal data”. The bill was sent to a Joint Committee of Parliament which gave its report on December 16, 2021.

Also Read: Consumers are increasing their digital activity despite rising fraud concerns

Is it a good step?

Sajai Singh, Partner at J Sagar Associates says that the decision of the government to withdraw the 2019 Personal Data Protection Bill (PDP Bill) is a welcome one for several reasons.

“The most key issue is the practicality of a Bill becoming the law of the land. India is a plural country and represented by members of Parliament from various regions and political affiliations. Unless each one of these, or at least a majority, is on the same page a Bill can languish as a Bill and never see the light of day as a statute,” says Singh elaborating the reasons.

In a wise move the Government had set up a 30-member Joint Parliamentary Committee (JPC) to ensure all stakeholders got a chance to air their views and comment on the proposed legislation. The JPC made several recommendations to the PDP Bill in 2021, he adds.

It was possible to implement some by tweaking the draft, but several required a rethink of the legislation itself, like whether to include non-personal data in the PDP Bill. On the other hand, COVID and the sheer developments in technology have brought to the fore several other issues that need to be legislated upon, by countries across the globe.

“And the drafting of the PDP Bill needed to be made current with the ground realities. What with ethics and AI, ransomware becoming more sophisticated, crypto and NFT’s adding a commercial dimension to blockchain technology and the like. It, therefore, is a wise decision by the Ministry of Electronics and Information Technology (MeitY) to withdraw the PDP Bill and go back to the drawing board and start afresh,”

On the parallel ground is the drafting of the Digital India Act, which will update and replace the Information Technology Act, 2000.

“I am interested in seeing the interplay between these two drafts. Various multinationals, on the other hand, are interested in seeing how Indian law will address issues like cross-border data flow, data localisation requirements and restrictions placed on certain services, like VPN. Till there is movement on the PDP Bill and the Digital India Act, privacy will continue to be addressed by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, and CERT-In will keep addressing cybersecurity issues in India,” he said.

Also Read: Why India needs strong cybersecurity norms to curb misuse of VPNs

According to Singh, the August 24, 2017, guiding principles of the Puttaswamy Aadhaar judgment will have to wait to see their transition from caselaw to statute law. “Though the wait should not be too long, as I believe the Government is working overtime to make this a reality sooner than later.”