BackCentre pulls data bill to make way for wider law
Move comes after joint Parliament panel sought 81 amendments in a bill of 99 sectionsThe bill had proposed to create three categories of personal data, sensitive personal data and critical personal data
PremiumNEW DELHI : The government withdrew the draft personal data protection (PDP) bill introduced in 2019 to replace it with a broader legal framework on the digital ecosystem based on suggestions made by a parliamentary panel.
In a statement to the Lok Sabha, minister of electronics and information technology Ashwini Vaishnaw said that the government was withdrawing the PDP bill because the joint committee of Parliament (JCP) flagged several issues and suggested changes to the bill to make it more comprehensive.
“Personal Data Protection Bill has been withdrawn because the JCP recommended 81 amendments in a bill of 99 sections. Above that, it made 12 major recommendations. Therefore, the bill has been withdrawn, and a new bill will be presented for public consultation," the minister said in a statement on Wednesday.
Rajeev Chandrasekhar, minister of state for electronics and information technology, said the JCP identified many important issues that were not part of the scope of the existing data protection law.
“The JCP report on the personal data protection bill identified many issues that were relevant but beyond the scope of modern digital privacy law. Privacy is a fundamental right of Indian citizens, and a trillion-dollar digital economy requires global standard cyber laws," the minister said in a Twitter post.
Wriju Ray, chief business officer of IDfy, a startup that helps with KYC and regulations, said many startups would breathe easy because of the withdrawal of the draft legislation. However, “I am not sure it’s a very good thing that an issue as important as data privacy keeps getting delayed," Ray added. Tech and legal experts said the government’s move was expected since revisions to the three-year-old draft bill were overdue. Some said that the new bill would have a broader context and include JCP recommendations on protecting the personal and non-personal data of Indians.
“The move appears to be a precursor to introducing a new draft. Whatever be the final decision ie of just a personal data protection bill or a combined draft including NPD, expeditious tabling and passing of the much-awaited legislation is a necessity. Clarity on the proposed legislation and timelines would have therefore helped obviate speculation. It would be fair to assume that the new bill would be in line with the JPC draft though it may limit itself to personal data," said N.S. Nappinai, a Supreme Court lawyer and founder of Cyber Saathi.
“The new legal framework is expected to be a broader law that covers not only personal data but also segregates personal and sensitive data—and how firms will have to handle each segment. The law will also lay down regulations on how companies in India will have to handle non-personal data," said Pawan Duggal, cyber security expert and lawyer at the Supreme Court.
He said the new law might raise compliance requirements for companies in India.
The new framework could be introduced by the end of the year, Duggal said.
Prateek Waghre, policy director, Internet Freedom Foundation of India, said that the future of data privacy in India was unclear. “Data localization could also be a part of the future framework, which seems to be the direction in which India’s cybersecurity and data protection laws are progressing. This is also in line with the overall global direction of data privacy and localization laws, and this provides further cover to push for such legislation. However, this could create problems for how we envision a global, open internet framework," he said.
The proposed bill, which was introduced following a mandate from the Supreme Court that recognized the right to privacy as a fundamental right in 2017, became a flash point between the government on one side and technology companies and civil society on the other because of several controversial provisions of the draft law.
The bill had proposed to create three categories of personal data, sensitive personal data and critical personal data, with each having separate regulations and compliances. The bill proposed firms would have to tell users of their data collection practices, while consumers’ consent for storing and removing data was to be obtained. However, the bill exempted government agencies from its provisions; yet, they could get non-personal anonymized data from data fiduciaries.
The JCP suggested widening the scope of the law to cover non-personal data, mandatory mirroring of sensitive data locally, regulation of content on social media platforms and treating platforms that are not intermediaries as publishers.
Milestone Alert!Livemint tops charts as the fastest growing news website in the world 🌏 Click here to know more.
