In a surprise development last week, the Government withdrew the Personal Data Protection (PDP) Bill, 2019, thereby abruptly halting the country’s quest for a national data protection law that had been in the works for over five years. The reasons for the Government’s decision are brief and cryptic. The short circular issued by the Minister of Electronics and Information Technology simply states that considering the report of the Joint Parliamentary Committee (JPC) — it had proposed 81 amendments and made 12 recommendations — “a comprehensive legal framework is being worked on”. “In these circumstances”, the Government proposed to withdraw the Bill and present a new Bill “that fits into the comprehensive legal framework”.
Multiple iterations, to no avail
Interestingly, there is no elaboration on what such a “comprehensive legal framework” entails. The Government could enact a fresh privacy legislation or a comprehensive data protection law (covering both personal and non-personal data). Alternatively, it could subsume data protection under its ongoing attempts at revising the existing Information Technology Act, 2000. It could also enact a digital markets law, along the lines of the European Union’s Digital Services Act, focusing on competition and innovation in the digital space. Unfortunately, the Ministry’s circular leaves us with no clarity on the way forward.
The Ministry’s attribution of the withdrawal to the JPC Report is also at odds with the proposed amendments of the JPC, which did not recommend withdrawing the PDP Bill in favour of a comprehensive legal framework.
The lack of clarity is compounded by the fact that the circular does not establish any timelines on when the new Bill will be introduced in Parliament, or when it will be passed. This is particularly important, given the drafting history of the PDP Bill. When the Supreme Court of India affirmed the right to privacy in its historic K.S. Puttaswamy judgment in 2017, the nine-judge Bench of the Court referred to the Government’s Office Memorandum constituting the B.N. Srikrishna Committee to suggest a draft Data Protection Bill. The committee released its draft Personal Data Protection Bill in 2018, which was the first public articulation of a data protection law in India.
Subsequently, when the Supreme Court upheld the constitutionality of the Aadhaar Act, the majority emphasised that it believed that “there is a need for a proper legislative mechanism for data protection”. It “impressed” upon the Central government to bring out a “robust data protection regime” through the enactment of a law based on the recommendations of the Srikrishna Committee Report, with modifications as deemed necessary.
In December 2019, the Government introduced the PDP Bill, 2019 in the Lok Sabha as a comprehensive personal data protection regime. Considering the importance of the Bill and the controversies associated with various provisions, the Bill was referred to the JPC for its recommendations. In 2021, the JPC suggested multiple amendments to its re-worded Data Protection Bill, 2021, which privileged state exceptionalism over individual privacy, while continuing to strictly regulate corporate action.
Now, after five years of hard work and three iterations of data protection legislation, the Government has wasted its efforts to protect our privacy.
The PDP Bill, 2019, as well as the JPC’s recommendations in the suggested Data Protection Bill, 2021, suffered from serious lacunae, leading Justice Srikrishna to criticise the Bill for its potential to turn India into an “Orwellian state”. First, the Bill’s expansive exemptions allowed the state to exempt the entire application of the law simply if it was “expedient” to do so in the interest of national security or public order. These exemptions did not need to be tabled before Parliament and there was no provision for review or oversight of the Government’s decision. In fact, Member of Parliament Jairam Ramesh pointed out in his dissent note, “government agencies are treated as a separate privileged class whose operations and activities are always in the public interest and individual privacy considerations are secondary”.
Second, the PDP Bill, 2019 as well as the JPC’s version established a strong regulator (the Data Protection Authority) with a lot of power, but very little independence or accountability.
Third, the Bill imposed a strong data localisation mandate, requiring companies to store all sensitive personal data and critical personal data (which was not defined) in India. Despite concerns around surveillance and increased cost of compliance expressed by civil society and the private sector, the Government did not endorse cross-border data transfer.
Finally, the JPC recommended subsuming the regulation of personal data and non-personal data within a single legislation, even though it undermined the Puttaswamy mandate to ensure protection of personal data.
Increasing digitisation, issues
However, despite these real concerns, it was, and continues to be, imperative to enact data protection legislation urgently. India currently has over 750 million Internet users, with the number only expected to increase in the future. The Government is also making a strong push for a ‘Digital India’, with increased focus on digitisation of access to health, ration, banking and insurance, especially after the COVID-19 pandemic. There is a greater focus on the inter-linking of data, whether through facial recognition, Aadhaar, or the Criminal Procedure (Identification) Act, 2022.
At the same time, India has among the highest data breaches in the world. It has been reported that around 18 of every 100 Indians have been affected by data breaches since 2004, with 962.7 million data points being leaked, primarily personal data points such as names and phone numbers. Without a data protection law in place, the data of millions of Indians continues to be at risk of being exploited, sold, and misused without their consent.
Unlike state action, corporate action or misconduct is not subject to writ proceedings in India. This is because fundamental rights are, by and large, not enforceable against private non-state entities. This leaves individuals with limited remedies against private actors. They can either seek action under the inadequate and ineffective provisions of the Information Technology Act, or file civil/criminal proceedings before a court of law (which itself is time-consuming and expensive).
A personal data protection legislation would remedy this lacuna by providing individuals with proper grievance redress options and creating sufficient deterrence among private actors. Inadequate and flawed as it was, the enactment of the PDP Bill into law would have marked a beginning in providing a redress framework. Instead, we are left with the vague promise of a “comprehensive legal framework”, with no timeline in sight.
Consult, work on fresh law
Where, then, do the Government’s actions leave us? It is imperative that the Government soon introduce fresh data protection legislation, drawn up after proper public consultation. Such a law should take into consideration the criticisms that have been raised by civil society as well as the private sector. It should be extensively discussed and debated in Parliament.
Even if the PDP Bill is not the most privacy-respecting law, it provides a certain desirable level of protection to the personal data of individuals. Once enacted, there is always scope for judicial review (based on challenges to provisions that are potentially unconstitutional) and parliamentary amendment (by legislators incorporating feedback on the working of the law). That is why even the justifiable criticisms around the PDP Bill, 2019 or the JPC’s recommendations do not justify its withdrawal. After all, there is no reason to let perfect be the enemy of good.
Vrinda Bhandari is a lawyer practising in Delhi