WHY DID INDIA’S 5 YEARS GO DOWN THE DRAIN? WITHDRAWAL OF PDPB 2019
Data protection has been a talk of the town in recent times with the advent of everything available on online platforms, be it receiving education or being able to watch the latest movies in the comfort of your home. Every change comes with its drawbacks. Since a vast amount of personal information is now available in online domains, it also needs legal protection from scammers who exploit such personal information for their gain. On December 11, 2019, the Minister of Electronics and Information Technology introduced the Personal Data Protection Bill 2019 in Lok Sabha. Commonly known as the “Privacy Bill,” it was designed to safeguard individual rights by limiting the gathering, transferring, and processing of personal data that can be used to identify a specific person.
On 6th August 2022, the centre withdrew the Personal Data Protection Bill because new legislation will be introduced in the winter session of the parliament. For both foreign businesses and Indian entrepreneurs, the most recent iteration of the data protection bill and the Joint Parliament committee proposals may provide significant difficulties. It also allows for creating a Data Protection Authority and suggests tight guidelines for cross-border data transfer and storage (DPA).
WHY DID THE BILL GET WITHDRAWN?
An expert committee led by Justice BN Srikrishna originally drafted the Personal Data Protection Bill in 2018. A Joint Parliamentary Committee (JPC) was given the Personal Data Protection Bill, 2019, and it reported back to Parliament with a new draft bill in December 2021. After six delays, the committee’s findings were presented to Parliament in December 2021. Some people believe that this measure could be harmful to India’s startup and technology ecosystem. There have been talks going on since the beginning of the year to scrap the personal data protection bill.
As it considers a “comprehensive legal framework” to govern the online world, the government withdrew the Personal Data Protection Bill from Parliament. This includes bringing separate laws on data privacy, the overall Internet ecosystem, cybersecurity, telecom regulations, and the use of non-personal data to foster innovation in the nation.
Commonly known as the “Privacy Bill,” it was designed to safeguard individual rights by limiting the gathering, transfer, and processing of personal data that can be used to identify a specific person. After working on the Bill for almost four years, the administration has finally made this move. It had undergone numerous revisions, including a Joint Committee of Parliament (JCP) review. It was the target of fierce opposition from a number of parties, including large internet corporations like Facebook and Google, privacy advocates, and members of civil society.
The internet companies had also raised concerns about a planned clause in the Bill termed “data localisation,” which would have required them to keep a copy of some sensitive personal data in India and prevented the transfer of undefined “critical” personal data. The campaigners had specifically criticised a clause that gave the federal government and its agencies broad exclusions from Bill’s requirements.
The nation’s startups also criticised the Bill as being too “compliance-intensive.”
The revised legislation will be much simpler to follow, particularly for entrepreneurs. After 78 sittings spanning 184 hours and 20 minutes and six extensions, the Joint Committee of Parliament finally submitted its findings. It suggested 81 changes to the Bill that were included in the version that the Srikrishna panel ultimately approved, as well as 12 recommendations, one of which was to change the focus of the Bill from protecting personal data to safeguarding all types of data. Non-personal data are any data collection that does not include any personally identifying information.
Several other measures were suggested in the JCP study, including controlling social media corporations and using only “trusted hardware” in cell phones. It was recommended that social media platforms that do not serve as middlemen should be regarded as content publishers and held accountable for the material they host.
A comprehensive legislative framework is being developed in light of the JCP’s report. Therefore, it was suggested that “The Personal Data Protection Bill, 2019”, be withdrawn in light of the current situation and replaced with a new Bill that adheres to the overall legislative framework.
A NEW DATA PROTECTION BILL-
The disastrous PDP Bill, which has seen multiple revisions at the hands of a Joint Parliamentary Committee since 2018 and briefly served as the “Data Protection Bill 2021,” has supposedly been withdrawn to be rewritten from the start, sending us back to the drawing board. Many corporate stakeholders were concerned when the PDP Bill proposed controversial ideas like data localisation and data mirroring since they would have needed to alter their data flow infrastructures to comply significantly. The current IT Act is an antiquated piece of legislation that falls woefully short of meeting today’s standards for data protection. Therefore, thoroughly revising all data regulations in India is a step in the right direction to address India’s data issues.
It is alarming that the Data Protection Bill, 2019, has been withdrawn because a tardy regulation is being abandoned. Getting a law is more important than getting perfect legislation. Nearly ten years have passed since the (Justice) A P Shah Committee report on privacy, five years since the Puttaswamy judgement (right to privacy), and four years since the (Justice B N) Srikrishna Committee’s report; they all point to the urgency of enacting a data protection law and reforming surveillance. Losing a day results in more significant pain and injury.
Laws governing technology and data are changing worldwide, not just in India. Strict data protection rules, like the EU GDPR, California’s CCPA, and Kenya’s Data Protection Law, are the norm today, with each country vigorously defending personal data privacy. All of this legislation were passed within the past ten years. In order to safeguard both business interests and individual rights, nations worldwide are currently working to incorporate the protections in these laws into their data flow systems. US President Joe Biden and President of the European Commission Ursula von der Leyen announced coordinated efforts to develop a new EU-US data sharing framework that will supplement or replace the current EU-US Privacy Shield in March 2022.
Due to surveillance regulations in the US that exposed the data of EU citizens, the Court of Justice of the European Union recently rejected the Privacy Shield in Schrems I and II Judgement, creating uncertainty regarding data transfers between the EU and US. Any rule that requires the blanket localisation of all data without providing similar protections for abroad data runs the danger of violating the standards set by the EU and several other international data laws.
The anticipated new Bill’s precise details or structure are unknown. A senior source, however, stated that the government is debating whether to include data localisation in the upcoming revision of the Information Technology Act and whether to restrict cross-border data transfers to “trusted regions”. The idea is that the data should be available in the event of a crime and stored in a location that the Indian government trusts.
After much consideration and analysis of the JCP’s report, it was determined that a thorough redrafting of laws and regulations is required, taking into account some of the JCP’s remarks and the new difficulties and opportunities that result from them. The administration will take a thorough approach to the laws and will be back in Parliament soon after the consultation process is complete.
The introduction of an overhauled Personal Data Protection Bill will be at par with the initiative of the Digital India Policy, in which data protection is also a vital part of the policy.
After more than ten years of the status quo, India seems prepared to accept a flurry of changes to its data and information technology legislation. India’s true potential as one of the most potent data-centric economies in the world is likely to be realised with the transformation.
Whatever the future reforms to India’s data protection legislation take, they must consider the global shift in how data protection is seen.