What the withdrawal of the Personal Data Protection bill implies?

On Wednesday, the 03rd of August, the central government announced the withdrawal of the Personal Data Protection Bill, 2019. Instead, the government will introduce a revamped bill that is more in sync with the times. The Joint Parliamentary Committed (JPC) which had been appointed to look into the nuances of the bill had given a total of 12 recommendations towards a comprehensive legal framework as well as 81 amendments. In the light of these drastic changes proposed by the JPC, the government has decided to shelve the bill for now.

It may be recollected that the Personal Data Protection Bill was first drafted by a high powered committed headed by the redoubtable Justice BN Sri Krishna in 2018. Based on his recommendations the central government had introduced a draft Bill in 2019 in the Lok Sabha. At that point, amidst popular demand from the legislatures, the bill was referred to the Joint Parliamentary Committee (JPC). However, this was followed by the COVID outbreak so the bill was tabled in Parliament only in December 2021, after 6 extensions.

The original version of the bill only dealt with personal data and the move to include non-personal data under the ambit came in for a lot of criticism. However, the latest version of the bill includes personal and non-personal data under its ambit. In a sense, the new version of the bill also included social media and other forms of non-personal data. However, the bill explicitly exempts the government from the purview of the Act. This was seen by many as a ticket for the government to dig deeper into the private affairs of tis citizens.

One of the major criticism against the bill was that it was tilted in favour of the government rather than focussed on protecting the privacy of the individual. This is important, since the Supreme Court had held the right to privacy as a fundamental right in the year 2017. Many industry experts and even opposition leaders saw this as an opportunity to consult a wider gamut of stakeholders so as to address all the key concerns. In fact, Big Tech companies had strongly objected to this Bill as they felt that it had the scope to be grossly misused.

Since the bill in its current for has been shelved, it provides a chance to focus on some very key issues. This includes the data protection authority lacking independent authority. Also, the mandatory storage of customer data in all cases within the borders of India could be another contentious issue for the Big Tech companies, which cannot logistically handle the challenge of multiple data centres. Also, it creates issues of data privacy for them if such a bill were to be passed in the Indian context.

The biggest objections to the bill had come from the Big Tech firms. They had seriously questioned the data localisation provision. Under this provision, they needed to store a copy of sensitive personal data within India and export of “critical” personal data was prohibited. However, the Minister of State for IT, Rajeev Chandrasekhar, gave a different twist to the argument. He opined that the PDP bill in its current form would not be conducive to the start-up system in India and the new bill will also ensure that.