The Narendra Modi government has withdrawn a controversial data protection and privacy bill containing draconian provisions that sought to override an individual’s right of consent before processing his personal data, and alarmed big technology companies by restricting cross-border data flows.
The turnabout came more than eight months after the Centre had thrown out several amendments proposed by
Opposition members in a report submitted by a 30-member joint parliamentary committee last November — and brushed aside their warnings that the bill in its present form would not stand a legal challenge.
On Wednesday, Ashwini Vaishnaw, minister for electronics and information technology, withdrew the bill in the Lok Sabha and said a new, comprehensive law would be prepared after considering all the suggestions made earlier.
The contentious bill, introduced in 2019, had proposed to give the Indian government powers to seek user data from companies even as it raised the data storage requirements and compliance burden of Big Tech companies.
Vaishnaw said the JPC report had proposed 81 amendments and made 12 recommendations.
“In the circumstances, it is proposed to withdraw the Personal Data Protection Bill 2019 and present a new bill that fits into the comprehensive legal framework,” Vaishnaw added.
Junior IT minister Rajeev Chandrasekhar said on Twitter the new planned framework would adhere to global standards, adding that privacy was a fundamental right of Indian citizens and that the economy required such cyber laws.
The privacy law of 2019 had drawn a sharp distinction between personal and non-personal data -– a term encompassing information relating to consumers and their transactions that companies want to analyse in order to build their businesses by fine-tuning communications and offers to users on their platforms.
The parliamentary panel had said such non-personal data should also be included within the purview of the privacy bill.
The big beef that the Opposition members of the JPC had with the original bill was that it treated the government and its agencies as a privileged class on the presumption that they always acted in the public interest and, in effect, treated an individual’s privacy concerns as secondary.
The Opposition’s main objection was directed at Section 35 of the bill, which empowered the government to exempt federal agencies from the application of the data protection law in the interest of “sovereignty and integrity of India, security of the State, friendly relations with foreign countries and public order”.
Last November, Jairam Ramesh of the Congress had said in his dissent note, appended to the JPC report, that the Centre ought to “get parliamentary approval before exempting any of its agencies from the purview of the law.
Congress MP Manish Tewari, who was a member of the JPC, said in a tweet: “I had rejected Personal Data Protection Bill in toto in my dissent note since it split the data universe into Govt- Exempt & the Private Sector where it would apply with full rigour.”
The Trinamul MPs in the 30-member JPC had described the bill as “Orwellian” and were deeply concerned about the manner in which the government was arrogating to itself the right to control the functioning of the Data Protection Authority that was to oversee the implementation of the protections provided under the bill.
The authority was supposed to act independently and without any interference from anyone.
Ramesh had also objected to Section 12(a)(1) of the bill which granted the government and its agencies the power to override an individual’s right to consent over the processing of his data when the state provides “any service or benefit” to the individual.
The bill was introduced after a government-appointed committee headed by Justice B.N. Srikrishna, a retired Supreme Court judge, had submitted a draft version.
The timelines and other details of the proposed legislation to replace the bill are not known as yet.
“There were multiple, large concerns earlier. One has to wait and watch whether the new bill is any better,” said Apar Gupta, executive director at advocacy Internet Freedom Foundation.
N.S. Nappinai, Supreme Court advocate and founder of Cyber Saathi, said: “The withdrawal was to be expected once the JPC report was issued. However, clarity on the next steps from the government, including timelines within which the new draft in line with the JPC report would be tabled, would have been welcome. Else it merely causes undue angst and speculation….”
Cyber law expert Pavan Duggal said the bill “had various problematic areas…. It is expected that the government will bring in a much broader, wider version of a data protection law, covering not just personal data but also non-personal data.”
Technology expert Nikhil Pahwa said in a series of tweets: “I hope that the bill isn’t junked altogether, given all the work that went into it. Junking the bill altogether will create a limbo of sorts from a privacy protection standpoint. Nobody wants that.”