While many aspects of the Bill had received criticism from various quarters, it was a referral point for many
The government is likely to bring in a new comprehensive Bill in the next session of the Parliament, but like the withdrawn Bill, it will also probably have to take a long path before it becomes a law
The withdrawal of the Bill will only increase the waiting time for the citizens of the country to get a legal remedy for violation of their digital rights
The withdrawal of the Personal Data Protection Bill, 2021 has left several legal experts perplexed and all eyes are now set on the government’s new Bill on the issue and the timeline for it to become an Act.
Earlier this week, the government announced the withdrawal of the Personal Data Protection Bill, 2021, which was first drafted in 2017, citing a joint parliamentary committee’s (JPC) proposal for 81 amendments in the Bill.
Ashwini Vaishnaw, Minister of Electronics and Information Technology, moved a motion in the Lok Sabha to withdraw the Bill. “Considering the report of the JCP, a comprehensive legal framework is being worked upon,” said Vaishnaw.
While many aspects of the Bill had received criticism from various quarters, it is no one’s contention that India doesn’t need a data protection law. Given the fast-evolving technology landscape in the country, a comprehensive legal framework to protect data is the need of the hour.
In the absence of a robust data protection law, the Bill was a referral point for many. Its withdrawal has left a vacuum, legal experts told Inc42.
“As a bill was in place, it gave people an indication of what to expect in the law. When the Bill first came out in 2018, many private companies took the initiative of evaluating the steps which would have to be undertaken by them to ensure compliance once the Bill comes into force,” said Anupam Shukla, Partner at Pioneer Legal.
He said that it is not easy for large organisations to suddenly start complying with new rules, especially if they require operational change. With the withdrawal of the bill, the organisations are again left in the dark, with no idea what to expect.
The Internet Freedom Foundation (IFF), in a note about the withdrawal, said that the withdrawal of the draft Data Protection Bill, 2021 “marks the unsatisfactory end of a long and arduous consultation and review process for the legislation”.
“Today there exists no remedy for the violation of many digital rights that emerge from the expansive collection and processing of personal data for Indians. The existing legal vacuum on data protection portends an Orwellian state and is clearly an infringement of the fundamental right to privacy,” IFF said.
Tejasi Panjiar, Capstone Fellow at IFF, said that while citizens legally did not have any tool to protect themselves against violation of digital rights, whenever different sectors had to come up with legal frameworks or policies for digitisation, most of them used to refer to the Bill, at least in letter, if not in spirit.
“Also, what we all were looking forward to was the Bill being tabled so there could be judicial oversight, there could be parliamentary amendments around it. At this moment, when there isn’t even a Bill to be tabled, we are back to square one,” said Panjiar.
A New Bill In The Next Parliamentary Session?
The data protection Bill was first drafted by a panel led by retired Supreme Court Judge BN Srikrishna in 2017. In December 2019, the Personal Data Protection Bill, 2019 was introduced in Parliament. After receiving severe criticism from various opposition party leaders, the Bill was then referred to the JPC for examination. The JPC’s report was presented to the Lok Sabha in December 2021, when a draft Data Protection Bill, 2021 was also submitted.
Here’s a more detailed view of the data protection framework timeline, as noted by IFF.
The Parliament was expected to pass the new Bill this year, providing citizens with a legal framework for data protection. However, its withdrawal has dashed these hopes.
After the withdrawal of the Bill, Vaishnaw also talked about introducing a new Bill, which, as per various media reports, is almost ready and would be presented in the next parliamentary session. IT Minister of State Rajeev Chandrasekhar also said that the existing Bill would be replaced soon by “a comprehensive framework” of global standards.
Not everyone is convinced by this.
“We don’t know what this comprehensive legal framework is going to look like, we don’t know if proper public consultation will be conducted and more importantly, what are the timelines like. At the end of the day, there is an existing legal vacuum and we need data protection right now,” said Panjiar.
She also pointed to the government’s conflicting statements and “lack of transparency” around the Bill in the past.
Echoing a similar tone, Shukla said it is not known what the government will cover in the “comprehensive legal framework”. While the Bill was not without certain fundamental flaws, it was still a good first step, and the issues could have been ironed out by the time the Bill became law, he said.
In fact, it is unlikely that the new Bill will be a “spectacular piece of legislation” from the very moment it comes out. It will also be a work in progress, Shukla added.
Panjiar too said that the road for the new Bill will also not be smooth and it will take longer for it to turn into law than is being promised.
After all, the new Bill would have multiple frameworks – protection of personal data, National Data Governance Framework, and the revamp of the IT Act, she added.
Meanwhile, Shreya Suri, Partner at IndusLaw, believes that it is unlikely that core privacy principles will be compromised in the new “framework”.
“Any proposal for a new legislation may factor key elements already embodied in the EU GDPR (European Union’s General Data Protection Regulation) and also the more recent Digital Services Act,” Suri said.
Concerns About Big Tech
After the withdrawal of the Bill, MoS Chandrasekhar said, “Big tech firms would have just hired more lawyers to comply if there was a complicated privacy law. The burden of such legislation would have hurt startups.”
Meanwhile, MP Manish Tewari took to Twitter, calling the withdrawal “most unfortunate”. “Big Tech never wanted this Law. Big Tech won. India lost,” he said.
In fact, Gurpreet Gulati, founder and managing partner of law firm Ip Caravan, also said that the concerns of big tech firms such as Meta, Google and Amazon about some of the recommendations by the JPC on the proposed Bill could also be one of the probable reasons behind the withdrawal.
Whatever the reasons, it is true that India is in dire need of a robust data protection law. As Shukla said, internet penetration in India has increased manyfold, leaving the weaker sections of society prone to the risk of privacy exposure on a large scale.
Till the introduction of a new Bill, the status quo will remain, and privacy will continue to be governed by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, the Puttaswamy Aadhaar judgment and contract law principles, Suri said.