On August 3rd, 2022, the Personal Data Protection Bill, 2019 (PDP) was withdrawn.
Ministry of Electronics and IT (MEITY) had received intense scrutiny from the JPC on the PDP Bill, but now as per the statement of government, PDP will be replaced by “a new bill that fits into the comprehensive legal framework.”
Information Technology Minister has claimed that the new Bill is in advance stages of preparation and will most likely be tabled in the Budget session next year.
In this article we are going to discuss about PDP Bill, its requirement and finally the reasons that led to its withdrawal.
WHAT IS PERSONAL DATA PROTECTION BILL, 2019?
The PDP Bill 2019 was introduced by Ravi Shankar Prasad, (MEITY) to the Lok Sabha, on December 11, 2019 after 2 years of debate. PDP included mechanisms for personal data protection and proposed to set up a Data Protection Authority of India.
It was the sole document seeking protection over an individual’s data in cyber space along with regulating accessibility of personal data by companies as well as the government.
The three pillars of PDP were:
- Growth of digital economy expanded the use of data as a critical means of communication;
- Right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy;
- It is necessary to create a collective culture that fosters a free and fair digital economy, respecting the information privacy of individuals and ensuring empowerment and innovation through digital governance.
PDP Bill was an outcome of engagement and consultation with a host of stakeholders, including India’s law enforcement who are major stakeholders for access to U.S.-stored data during investigations in the context of national security, along with its aversion to data colonialism of large western technology firms.
PDP proposed to supersede the IT Act, 2000 (Section 43-A) by deleting the provisions relating to compensation payable by companies for data breaches and data privacy failures.
WHY DO WE NEED A PDP BILL?
In August 2017, the nine-judge bench of the SC affirmed the right to privacy in the K.S. Puttaswamy vs. Union of India (2017).
During this case, a Committee of Experts was set up, to examine issues related to data protection. The recommendations from the Expert Committee along with suggestions from stakeholders inside and outside of the central government were included in the PDP.
The rapid digitization, the world is witnessing, depends extensively on gathering of personal data in all sectors. This Personal Data is the major contributor to the world of rapid digitization. The data subjects are the citizens of each jurisdiction and contributors to the accurate AI progression, this calls for comprehensive legal framework, without which this information will be exposed to data theft and misuse.
WHY HAS GOVERNMENT WITHDRAWN PDP
GoI has taken this step nearly after 4 years of building the anticipation that the PDP will soon be a law to be complied with. The PDP had faced major push back from a range of stakeholders including big tech companies. Data Localization, under the PDP, which makes it mandatory for companies to store a copy of certain sensitive personal data within India, and preventing the export of undefined “critical” personal data from the country would be prohibited, was a difficult concept to comply with for most stakeholders.
Criticized by stakeholders, the PDP was viewed as over-emphasizing on national security. However, activists seemed against provisions that allowed the central government and its agencies, blanket exemptions from adhering to PDP. It stressed on the localization of data and lacked a bifurcation to accommodate personal and non-personal datasets, separately.
The vocalized reason for the withdrawal is, a “comprehensive legal framework” to be introduced on data privacy and Internet regulation in sync with the principles of privacy, as per SC guidelines.
The opposition to the PDP included the voice of privacy experts who viewed it as favoring government than protecting privacy.
According to sources, the new legislation is to be brought in Parliament’s Winter Session. This pressure could make for a speedy outcome.
Some statistics, according to Dutch cyber security firm Surfshark VPN, India had the second highest number of data breaches in the first half of this year.
With the withdrawal of the sole data protection law, the matter has become urgent. It is currently unclear whether the Government would address the demand for a realignment of the legislation with the 2018 draft or whether this would be more in line with the JPC report.
Meanwhile, the lack of a proper data protection law is an anomaly when compared with major countries. If the Government is committed to a comprehensive legal framework on data privacy and protection, it must revert to the baseline provided by the JPC with enacting a law within a reasonable timeline.
This is only for informational purposes. Nothing contained herein is, purports to be, or is intended as legal advice and you should seek legal advice before you act on any information or view expressed herein. Endeavoured to accurately reflect the subject matter of this alert, without any representation or warranty, express or implied, in any manner whatsoever in connection with the contents of this. This isn’t an attempt to solicit business in any manner.
Sources: upguard.com, thehindu.com, livemint.com, dailypioneer.com, .indianexpress.com