5 years and waiting…a not-so-brief history of Data Protection legislation

The Data Protection Bill gets withdrawn by the government, delaying the much-waited legislation

5 years and waiting…a not-so-brief history of Data Protection legislation

With the Union IT minister Ashwini Vaishnaw announing the withdrawal of The Personal Data Protection Bill, 2019 in the Lok Sabha stating that the government has decided to come up with a fresh bill that fits into the comprehensive legal framework with reference to the suggestions made by the Joint Committee of Parliament (JCP) on the Bill, the wait for this elusive piece of legislation continues.

“The Personal Data Protection Bill, 2019 was deliberated in great detail by the Joint Committee of Parliament, 81 amendments were proposed, and 12 recommendations were made towards comprehensive legal framework on digital ecosystem. Considering the report of the JCP, a comprehensive legal framework is being worked upon. Hence, in the circumstances, it is proposed to withdraw The Personal Data Protection Bill, 2019 and present a new bill that fits into the comprehensive legal framework,” said the Government’s announcement.

One of the most active members of the panel, Odisha Rajya Sabha MP from Biju Janata Dal, Dr. Amar Patnaik’s reaction echoes the minister’s justification. Speaking to the newspaper, The Hindu, he said “There were 81 amendments, in a bill of 99 sections and I had also filed a dissent note even after the amendments stating that there should be State-level Data Protection Authorities. I support the withdrawal of the Bill in its existing form and hope that the revised bill would take into account our concerns.” His party colleague Bhratruhari Mahatab, another member of the panel too supported it, adding that the fresh bill should come early.

The Joint Committee of Parliament on the Personal Data Protection Bill had submitted a 542-page report with overall 93 recommendations and 81 amendments to the Bill in December 2021. Apart from that, the panel, headed by former Union Minister and BJP MP, P.P. Chaudhary had recommended about 97 corrections and improvements to the Bill.

The government apparently felt beyond a point it would be a patchwork and hence decided to come out with a fresh bill, that would be written based on the new recommendations.


It is five years…

The journey for this new privacy regime began in July 2017—more than five years back—when the government constituted an experts committee under the Chairmanship of Justice B N Srikrishna, former judge of Supreme Court of India. The brief before the committee was to identify key data protection issues in India and to ‘make specific suggestions for consideration of the Central Government on principles to be considered for data protection in India and suggest a draft data protection bill.’

Barely a month after that, Supreme Court, on 24 August 2017, ruled that right to privacy is a fundamental right.

“The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution,” the bench ruled in its order while over-ruling two earlier decisions by the apex court. The government had argued against privacy being a fundamental right.

That was a historic decision and forced the government to accelerate the move to create a legislation. The issue was in the limelight.

The expert committee published a whitepaper on data protection issues in December 2017, in just four months of it being constituted.  The government released the whitepaper, inviting public comments on the issues. Based on the consultation, the committee submitted its report and a draft data protection bill in July 2018—exactly a year after the SC judgment—and invited comments on it within two months.

The Indian draft data protection bill caught global attention because of a few reasons. One, it insisted on all organizations dealing with personal data of Indians to have one copy of that data within the shores of India, which created a lot of furor. Two, unlike the GDPR and UK Data Protection Act, the Indian draft bill was comparatively softer on government agencies when it comes to the rights of data owners, as compared to private organizations.

Due to General Elections, tabling of the Bill was delayed. After the General Elections in 2019, the Government did some changes in the version submitted by Srikrishna Committee, which drew further criticism from many activists.

In the first week of December 2019, the Union Cabinet cleared the bill, and the new bill was introduced in Lok Sabha on 11 December 2019. The new bill, by that time called Data Protection Bill 2019 brought about some significant changes.

One, it extended the obligations of significant data fiduciaries to what it called social media intermediaries. The Bill defined a social media intermediary as ‘an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services’ while specifically excluding e-commerce companies, ISPs, on-line storage service providers, online encyclopedias, and search engine operators. In short, while Facebook, Twitter, LinkedIn could come in its definition, Wikipedia, Amazon and Google would not.  It further clarified that such intermediaries are entities those ‘whose actions have, or are likely to have, a significant impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India.’ It also talked about social media verification of accounts (even though voluntary), which were criticized by many.

Two, while the earlier draft bill submitted by Srikrishna Committee allowed access of personal data to the government for security purpose, based on principles of necessity and proportionality, the new bill made stated that the Central Government may ‘direct that all or any of the provisions of this Act shall not apply to any agency of the Government in respect of processing of such personal data’. The Srikrishna Committee draft itself was seen as giving too many concessions to government agencies. This took it a few steps further.

However, it diluted on data localization requirements mandated by the earlier draft bill. While the earlier draft required that a copy of all personal data to be stored in India, the new bill restricted it only to sensitive and critical personal data. It also added right to erasure, a major provision in most privacy legislations across the world, which was a good change.

While there were many other changes, what attracted a lot of criticism was the removal of the mandatory inclusion of a judicial member (the CJI or another Supreme Court judge) from the selection committee empowered to give recommendations to the Central Government for the appointment of members of the Data Protection Authority, reducing it to a panel of secretaries – Cabinet Secretary, Secretary Law and Secretary IT – thus handing it over to the government. What was questioned was how a body appointed solely by the Government would ensure enforcement of the provisions by the government agencies.

Amidst the discussion, the bill was referred to a Parliamentary committee set up for the purpose on 11 December 2019. The deadline for the committee was the first day of the last week of the Budget Session in 2020. Since then, the deadline has been extended many times.

Between January to December 2020, the Committee had 66 sittings. In July, when the then chairperson of the committee, Meenakshi Lekhi was inducted as a minister in July 2021, there was concerns about further delays. But the government appointed PP Chaudhary as the chairman promptly.  

On December 16th 2021, the joint parliamentary committee (JPC) released a reworked version of the bill, changed fundamentally, including the title of the bill from Personal Data Protection Bill to Data Protection Bill. Certain other deviations such as the recommendations that social media intermediaries could become publishers in certain circumstances and a few aspects of data localisation norms change the original structure of the bill substantially.

But certain debates – such as whether the proposed Data Protection Authority should get constitutional status and whether States should have their own Data Protection Authorities are still debated. The opposition has also accused the Government of selling off to Big Tech.

A fresh bill – with all these issues sorted out – will take its own time and the wait is far from over.

As they say, waiting is the greatest vocation of the dispossessed. But whether Indians – many of whom are willing to share all personal information for a twenty rupees mobile recharge – are dispossessed or not when it comes to privacy is itself a big question.



Add new comment