“The Personal Data Protection Bill, 2019 was deliberated in great detail by the Joint Committee of Parliament (JCP). 81 amendments were proposed and 12 recommendations were made towards the comprehensive legal framework on the digital ecosystem,” the minister informed the other MPs about the “reasons for the withdrawal.”
“Considering the report of the JCP, a comprehensive legal framework is being worked upon. Hence, in the circumstances, it is proposed to withdraw ‘The Personal Data Protection Bill, 2019’ and present a new bill that fits into the comprehensive legal framework,” he added.
ET was the first to report that India may draft a completely new privacy bill by putting aside the current version of the Bill that was in the making for nearly five years but does not comprehensively address the requirements of the country’s changing technology landscape.
In a tweet, minister of state, IT, Rajeev Chandrasekhar said the JCP report on Personal Data Protection Bill had identified many issues that were relevant but beyond the scope of modern digital privacy law.
“Privacy is a fundamental right of Indian citizens & a trillion-dollar digital economy requires global standard cyber laws,” he tweeted.
“The Data Protection Bill, 2021, did have imperfections which need to be reconsidered. We hope the government will re-look at all the aspects of data governance in the new Bill, and arrive at progressive principles to govern India’s digital ecosystem,” said Kazim Rizvi, a public-policy entrepreneur and founder of policy think tank The Dialogue.
“There is a need to engage in greater stakeholder consultations and seek expert inputs to formulate robust legislation which ensures adequate accountability and transparency from all data processors. An independent data protection authority needs to be operationalised to regulate data collection practices of all data fiduciaries,” he said.
Rizvi believes the Bill must ensure compliance with the principles of ‘necessity, legality and proportionality’ as laid down in the Puttaswamy judgment.
A withdrawal five years in the making
In December 2021, a report of the JCP was tabled. The Bill was first brought in 2019 and then referred to the JCP. The revised Bill included both personal and non-personal data under its ambit, which was supposed to be dealt with by a Data Protection Authority.
In February, Vaishnaw – referring to the Bill – had reportedly said, “there was no plan to scrap the current draft data protection legislation that has undergone detailed consultation and parliamentary panel deliberations”.
Among the options is the introduction of fresh legislation to cater to the ongoing “sea change in the local and global technology (environment)”, ET had reported.
It would also allay concerns that current provisions may hurt the country’s fledgling technology and startup ecosystem, which saw a record 42 unicorns being created in the last year, ET’s report had said.
The 2019 Bill — drafted first by a panel led by retired Supreme Court Judge BN Srikrishna — was reviewed by the JCP, which submitted its final recommendations and a revised draft Bill in November 2021.
“Since it’s a JCP draft Bill, the government can only tweak the clauses to some extent but the provisions cannot be changed completely. A better option is to bring a new Bill which is aligned with the current times,” ET had quoted one official as saying.
Originally mooted in 2017, the Bill was drafted by the Srikrishna Committee after a year-long consultation process and it was tabled in 2019. Subsequently, the JCP took a further two years, amid the pandemic, to study the contours of the highly-debated regulation.
The proposed regulation had attracted sustained criticism from several stakeholders, both local and global. They flagged provisions such as the inclusion of non-personal data, treating social media as publishers, and the structure of the Data Protection Bill, as concerning.
ET had also reported that a study commissioned by the European Data Protection Board (EDPB) had called out data policies of India — specifically the exemptions the government had sought under Section 35 of the Data Protection Bill — as an area of concern.