The stated reason for the Government’s withdrawal of the Personal Data Protection Bill, 2019, was that it will come up with a “comprehensive legal framework” on data privacy and Internet regulation. The Government has averred that a new draft will be in sync with the principles of privacy, in line with Supreme Court guidelines based on the landmark judgment on privacy, i.e., Justice K.S. Puttaswamy vs Union of India, and would consider the Joint Committee of Parliament’s recommendations on the framework to regulate the digital ecosystem. The 2019 Bill had been rightly criticised by stakeholders, including Justice B.N. Srikrishna — he chaired a committee of experts that had authored a draft bill in 2018 — for overemphasising the national security angle, among other reasons. The 2019 Bill diverged from the Srikrishna Committee Draft in the selection of the chairperson and members of the Data Protection Authority (DPA) that shall protect the interests of data principals, and in the leeway given to the Union government to exempt its agencies from the application of the Act. The 2018 draft Bill allowed for judicial oversight in the selection process for the DPA, while the 2019 Bill limited the composition to the executive. The 2018 Bill allowed for exemptions to be granted to state institutions from acquiring informed consent from data principals or to process data in the case of matters relating only to the “security of the state”; it also called for a law to provide for “parliamentary oversight and judicial approval of non-consensual access to personal data”. In contrast, the 2019 Bill added “public order” as a reason to exempt a government agency from the Act, besides only providing for these reasons to be recorded in writing.
By choosing to withdraw the Bill, it is unclear whether the Government would address the demand for a realignment of the legislation with the 2018 draft Bill that came about after extensive consultations with civil society. Or whether this would be more in line with the JPC report, which has also been criticised by civil society for retaining provisions that allow the Government access to private data of citizens without sufficient safeguards. Dissent notes to the JPC report, by Congress MP Jairam Ramesh for example, went on to criticise the leeway granted to the Government on exemptions and how the ground of “public order” and not “security of the state” was liable for misuse. It is not clear if the Bill’s withdrawal is linked to opposition to mandatory “data localisation” from multinational Internet companies. Meanwhile, the lack of a proper data protection law in the country is an anomaly when compared with major countries. If the Government is indeed committed to a comprehensive legal framework on data privacy and protection, it must revert to the baseline provided in the Justice Srikrishna Committee recommendations and enact a law within a reasonable timeline.