Data Protection Bill pulled: what’s behind U-turn, what’s in the offing

A Parliamentary panel had proposed 81 amendments in a Bill of 99 sections and 12 recommendations for a comprehensive legal framework for the digital ecosystem; bringing in a fresh law seemed more tenable

Data Protection Bill
There was strong criticism over Article 12(a) and Article 35 of the Bill, with the Opposition and tech companies registering their dissent with the government.

After nearly three years of its introduction, the Union government on Wednesday withdrew the Personal Data Protection Bill from Parliament. IT Minister Ashwini Vaishnaw, who moved for the Bill’s withdrawal, said the government will come out with a “set of fresh legislations” that will fit into the comprehensive legal framework for the digital economy.

The government would hold a wide public consultation before putting the new legislation to Parliament, media reports said, adding that the Bill could be replaced by more than one bill, dealing with privacy and cyber security and the government may bring the new set of bills in the Winter Session of Parliament.

Reasons for withdrawal

The government circulated among members a statement containing reasons for withdrawal of the Bill, which was introduced on December 11, 2019, and was referred to the Joint Parliamentary Committee (JPC) for examination. The report of the JPC was presented to Lok Sabha in December 2021.

Advertisement



Also read: WhatsApp puts privacy policy on hold till Data Protection Bill comes into force

According to the statement circulated to Lok Sabha members on Wednesday, the 2019 Bill was deliberated in great detail by the JPC, which proposed 81 amendments and 12 recommendations for a comprehensive legal framework for the digital ecosystem.

“Considering the report of the JCP, a comprehensive legal framework is being worked upon. Hence, in the circumstances, it is proposed to withdraw ‘The Personal Data Protection Bill, 2019’ and present a new bill that fits into the comprehensive legal framework,” the statement said.

Vaishnaw tweeted: “Personal Data Protection Bill has been withdrawn because the JPC recommended 81 amendments in a bill of 99 sections. Above that it made 12 major recommendations. Therefore, the bill has been withdrawn and a new bill will be presented for public consultation.”

Reasons for opposition

The withdrawn Bill had proposed restrictions on the use of personal data without the explicit consent of citizens. It had also sought to provide the government with powers to give exemptions to its probe agencies from the provisions of the Act, a move that was strongly opposed by the opposition MPs who had filed their dissent notes.

There was an outcry over Article 12(a) and Article 35 of the Bill, with the opposition and tech companies registering their dissent with the government.

According to Article 35, the Union government could exempt any government agency from the law’s provisions “in the interest of India’s sovereignty and integrity, the state’s security, friendly relations with foreign states, public order, and if it is satisfied that it is necessary or expedient to do so, subject to procedures, safeguards, and oversight mechanisms to be prescribed by the government.”

Article 12(a), meanwhile, eliminated the need for the data principal’s informed consent for the processing of their data when it is required “for the performance of any function of the state authorised by law for I the provision of any service or benefit to the data principal from the state; or (ii) the issuance of any certification, licence, or permit by the state for any action or activity of the data principal by the state.”

Indian and foreign companies dealing with the data of Indian citizens had to comply with the now-withdrawn Bill. This included almost all businesses such as e-commerce, social media, IT companies, brick-and-mortar shops, real estate companies, telecom, hospitals, and pharmaceutical companies. If found in violation, companies were to pay up to Rs 15 crore or 4 per cent of their annual turnover. There was also a fine of Rs 5 crore or 2 per cent of the annual turnover if the company failed to conduct a data audit.

Withdrawal welcomed

Members of the erstwhile Joint Committee on Personal Data Protection Bill welcomed the government’s move to withdraw the legislation, saying it was better to bring a new legislation after more than 80 amendments suggested by the panel.

BJP MP PP Chaudhary, chairman of the parliamentary committee, said after so many amendments suggested by the panel, it makes more sense to bring a new legislation which will be comprehensive and will include all suggestions made by the committee.

Echoing similar sentiments, BJD MP Bhartruhari Mahtab, who was also a member of the JPC, said with a vast number of amendments the Bill required an overhaul and it can be done only by bringing a new law.

Also read: Better security in Data Protection Bill can avoid Arnab-like episodes

Congress MP Manish Tewari said that he had rejected the Bill from the beginning. He added that better legislation would have emerged if it had been debated in Parliament. Tewari, who was a member of the JPC, had authored a detailed dissent note on the issues he had with the Bill in its current form.

Last year, Congress MPs Jairam Ramesh and Tewari had added their dissent notes pertaining to the wide-ranging exemptions to the government from complying with the Bill in the name of public interest.

IT industry seeks participation

IT industry players too have appreciated the government’s move to withdraw the personal data protection bill and sought participation in the consultation process of the fresh draft. US-based ITI, whose members include all IT majors like Google, Meta, and Amazon, appreciated the government’s move to withdraw the Parliamentary panel version of the bill.

The Internet Freedom Foundation (IFF) said that the bill has been withdrawn after four years of deliberations. “We are cautiously watching these developments & hope the Ministry will use this opportunity to address the numerous criticisms of the bill made by various stakeholders during the consultation process,” IFF said.

What lies ahead?

After the Bill was withdrawn, Minister of State for IT Rajeev Chandrashekhar tweeted that it will soon be replaced by a comprehensive framework of global standard laws including digital privacy laws for contemporary and future challenges and to catalyse Prime Minister Narendra Modi’s vision.

He said the JPC report on the Personal Data Protection Bill had identified many issues that were relevant but beyond the scope of a modern Digital Privacy law. “Privacy is a fundamental right of Indian citizens & a Trillion-dollar Digital Economy requires Global std Cyber laws,” he said in another tweet.

CATCH US ON: