
Data Protection Bill – The Significance of its Withdrawal

The center withdrew the Bill it brought in 2019 following 81 amendments suggested by a Parliamentary Panel

The Union Government withdrew the Data Protection Bill proposed first in 2019 on grounds that a parliamentary committee’s review had suggested as many as 81 amendments to it and that it would be better if a new one was worked upon and introduced for approval by the country’s lawmakers. 

The motion to withdraw the Bill was brought by Union Minister for Electronics and Information Technology Ashwini Vaishnaw, who accepted that the changes suggested by the panel pointed to the need for a new and comprehensive legal framework to be developed around data protection and associated matters.

“Considering the report of the JCP, a comprehensive legal framework is being worked upon. Hence, in the circumstances, it is proposed to withdraw ‘The Personal Data Protection Bill, 2019’ and present a new bill that fits into the comprehensive legal framework,” he said. Readers would recall that the Personal Data Protection Bill, 2018 was prepared by an expert group headed by former Supreme Court Judge B N Srikrishna.

The Bill sought to regulate various companies and organizations that use individual data within the country. It was first brought to Parliament in 2019 and then passed on to the Parliamentary Panel for consideration. The Panel was initially headed by BJP MP Meenakshi Lekhi, who was replaced by P P Chaudhary upon the former’s appointment as a central minister. 

Data security experts believe that this stepping back was a result of the pressure exerted by global and local technology corporations, policy makers and privacy activists against the legislation that was first mooted in 2017. Economic Times quoted minister Vaishnaw as suggesting that a new draft of the Bill is almost ready and may be presented in the next session of Parliament.

 

What was the Data Protection Bill aimed at?

It aimed to provide data privacy to individuals for the personal information they share when using IT-enabled services. The Bill specified the flow and usage of such data with a view to creating trust between data owners and those processing it. The Bill proposed the creation of a Data Protection Authority to regulate the use of personal data by those who collect it.

The Bill was modeled on the European General Data Privacy Regulation and aimed to set the stage for big technology companies to operate in India. It proposed that social media platforms create a mechanism whereby registered users from India could opt for voluntary verification and review the data they shared.

The provision, aimed at checking social media trolls, put the onus of creating such a mechanism on the companies collecting such data. Experts say that this was one of the reasons companies collecting and using big data analytics were peeved at the government’s proposed law. 

The Bill further classified data into three categories: critical, sensitive and general. While critical data was to be defined from time to time by the government, sensitive data pertained to finances, health, sexual orientation, biometrics, gender, and religious and political beliefs. Both were to be stored in India, though the latter could be processed overseas with explicit consent.

Data that did not fall under the above two buckets was categorized as general and could be stored and processed anywhere. The general contours of the Bill left social media companies, data security experts and even some government officials in a quandary as they perceived several loopholes in the rules that could potentially render them ineffective.

 

What could change in the new Bill? 

The original Bill drew flak over the high costs of compliance, while the lawmakers' panel found that several issues actually lay outside the domain of the policy, which has now necessitated a much more comprehensive look at the legal framework. Both lawmakers and tech company czars have welcomed this move by the government.

It was felt that there was a need for deeper engagement with stakeholders and data security experts to formulate new legislation that ensures adequate accountability and transparency from those who process the data. Some of the concerns that were flagged in the old Bill related to including personal data and treating social media as publishers.

There was also serious concern over the exemptions sought by the government under some sections of the Data Protection Bill in its original form. Earlier this year, trade and technology bodies and representatives of US-headquartered companies had met government officials on areas such as local data storage. 
