Government withdraws data protection bill

The Centre withdrew the Personal Data Protection Bill, 2021 and said it would soon be replaced by "a comprehensive legal framework," that will be "designed to address all of the contemporary and future challenges of the digital ecosystem,".

The withdrawal is seen as a nod to the sustained pushback by global and local technology corporations, policy makers and privacy activists to the legislation first mooted as a "privacy bill" in 2017.

The "work on drafting of the new bill is almost is at a very advanced stage," IT minister Ashwini Vaishnaw told ET in an exclusive interview soon after presenting "reasons for the withdrawal" of the bill to fellow parliamentarians. "We will go through the process of approvals very soon and present (it) in the coming session or the forthcoming session of the Parliament," he said.

aced Flak for 'High Compliance Cost'

Earlier, in his address to Lok Sabha, Vaishnaw said the "Personal Data Protection Bill, 2019 was deliberated in great detail by the Joint Committee of Parliament (JCP). 81 amendments were proposed and 12 recommendations were made towards the comprehensive legal framework on the digital ecosystem."

T was the first to report on February 17 that India may draft a completely new privacy bill by putting aside the current version of the bill that had been in the making for nearly five years but did not comprehensively address the requirements of the country's fast changing technology landscape.

The bill was tabled in the Parliament in 2019, and the JCP formed to review it had submitted its final report and the bill in December 2021.

The legislation, initially aimed at protecting the digital privacy rights of the country's burgeoning base of internet subscribers and a nascent data economy, underwent a series of changes to include elements on regulating social media, hardware companies, as well as provisions on data localisation and non-personal data. The legislation following JCP review drew flak from technology corporations and startups for what they termed as the "high cost of compliance".

Pointing out that the JCP report on Personal Data Protection Bill had identified many issues that were relevant but beyond the scope of modern digital privacy law, minister of state for information technology Rajeev Chandrasekhar said, "the idea is that it will soon be replaced by a much more comprehensive framework that will address all of the contemporary and future challenges of the digital ecosystem."

Chandrasekhar, who was also a member of the JCP, said the committee found that the PDP Bill 2021 had identified a large number of other issues that "lay outside the domain of privacy."

"That catalysed a thought process within the government that we needed a much more comprehensive look at the bill," he told reporters on Wednesday.

Half a dozen members of the JCP belonging to opposition parties had submitted dissent notes along with the final report and the bill that was tabled in the Parliament during December 2021.

Reacting to the Centre's withdrawal of the controversial bill on Wednesday, Rajya Sabha MP Amar Patnaik said that he "supports the withdrawal of the bill in its existing form and hopes that the revised bill would take into account our concerns." Patnaik, one of the MPs to file a dissent note, added the government has now withdrawn the Data Protection Bill 2021 since there were 81 amendments in a bill of 99 sections.

Infosys cofounder Kris Gopalakrishnan also voiced his support for a new bill. "Support a new bill. Need a simple, single bill covering privacy, data protection and data sharing," he tweeted.

The revised legislative framework now being worked on by the Centre will take into account issues such as non-personal data, social media regulation, data localisation, hardware security requirements- all of which will now be dealt with in a separate law, Chandrasekhar said. While penalties on companies for data breaches will remain, provisions that imposed criminal penalties on officials of these companies may be dropped in the new law, he added.

The bill was withdrawn on Wednesday after approval from the Union Cabinet, Chandrasekhar said.

Privacy activists are of the view that the Data Protection Bill, 2021 did have imperfections "which need to be reconsidered."

"We hope the government will re-look at all the aspects of data governance in the new bill and arrive at progressive principles to govern India's digital ecosystem," Kazim Rizvi, founder of policy think tank The Dialogue, told ET.

There is a need to engage in greater stakeholder consultations and seek expert inputs to formulate robust legislation which ensures adequate accountability and transparency from all data processors. An independent data protection authority needs to be operationalised to regulate data collection practices of all data fiduciaries," he said.


Originally mooted in 2017 after the Justice Puttaswamy privacy judgement, the bill was drafted by a committee headed by retired Supreme Court judge Justice BN Srikrishna after a year-long consultation process and it was tabled in 2019.

The 2019 bill was reviewed by the JCP, which submitted its final recommendations and a revised draft bill in November 2021. The revised bill included both personal and non-personal data under its ambit, which was supposed to be dealt with by a Data Protection Authority. It also changed the title of the bill to Data Protection Bill since it includes non-personal data as well under its ambit.

"Since it's a JCP drafted bill, the government can only tweak the clauses to some extent but the provisions cannot be changed completely. A better option is to bring a new bill which is aligned with the current times," ET had then quoted one official as saying.

The proposed regulation had attracted sustained criticism from several stakeholders, both local and global. They flagged provisions such as the inclusion of non-personal data, treating social media as publishers, and the structure of the Data Protection Bill, as concerning.

ET had also reported that a study commissioned by the European Data Protection Board (EDPB) had called out data policies of India - specifically the exemptions the government had sought under Section 35 of the Data Protection Bill - as an area of concern.

In 2022, trade and tech bodies and US-based companies had met officials from the IT ministry and expressed their apprehension of the provisions of the PDP bill, including some aspects on local storage of data. Privacy experts, including some US-based think tanks, had also been critical of the government's wide exemptions provided under Section 35 of the PDP bill.


ET BureauLast, Aug 04, 2022