Journey of Personal Data Protection Bill, 2019

Can you imagine spending a day without using the internet? Almost 90 out of 100 percent people will most probably come up with a big NO. The rest of 10% are expected to be non-users only. This level of dependence over the internet is due to the information available at ease. As they say, everything is available on the internet. You can order food, dress, make payments, share your pictures and videos, get a job, all through the internet. All these things need the users to provide a certain level of personal information. 

Now that such huge amounts of personal information is being shared over the internet, is there any kind of protection from misuse of this information? It is an absolute necessity for the law in India in 21 century to go hand in hand with technological developments. Individuals being the source of such information, should have a say in the further use of their personal data. Keeping up with the most basic human rights like privacy is crucial. 

Here, we are talking about data privacy and the need for laws that grant certain control to the government, but at the same time does not leave the people of India helpless as far as their data safety is concerned. While everyone was awaiting the Personal Data Protection Bill 2019 to come into force, the same was withdrawn by the central government a few months back. Track the journey till the JPC report on Data Protection Bill followed by withdrawal by the authorities. 

Why was the Data Protection Bill introduced?

The need of Indian Personal Data Protection Bill dates back to the times when personal data was made available over the internet. Where there is personal information available through technology, there should be some means to control that technology disabling any scope for misuse of that data. This law also holds the potential to bring a solution on how to avoid internet frauds. The Personal Data Protection Bill was under process from 2018 in furtherance of the recommendations of Justice B N Srikrishna Committee. It was introduced in the Lok Sabha on December 11, 2019 and was recommended to the Joint Parliamentary Committee on the same date. 

Features of Withdrawn Personal Data Protection Bill

As mentioned earlier, the bill was in line with the recommendations of Justice B N Srikrishna Committee. Given below are some important points given through the Indian Data Protection Bill 2019:

• The bill controls the personal data processing by following stakeholders:
• 1. Government 
• 2. Indian companies
• 3. Foreign companies dealing with personal data of Indian people
• It differentiated between personal and non-personal data.
• It provided for the setup of a Data Protection Authority responsible for the following tasks:
• 1. Protection of individual interests
• 2. Prevention of misuse of personal data 
• 3. Compliance with the bill.
• Provisions like civil court-like powers with the Data Protection Authority were provided in the bill. Orders of this authority could be subjected to an appellate tribunal. Appeals against the appellate tribunal as per the Personal Data Protection Bill laid with the hon’ble Supreme Court. 
• The authority, i.e. guardian of the data has been termed here as the data fiduciary. These have to maintain transparency and accountability regarding handling and processing of data.
• Rights of individuals whose data is being collected, processed, etc. are also specified. This also includes the ‘right to be forgotten’.  
• In order to process an individual’s data, the individual’s consent was supposed to be necessary as per Indian Personal Data Protection Bill of 2019. Exceptions to this clause of consent include requirements of the state for individual’s benefits, legal proceedings and response to medical emergencies. 
• Requirement of explicit consent of the individuals in case the personal data would have been subject to transfer outside India. 
• There are Social Media Intermediaries, for example Twitter, Facebook, Instagram, Whatsapp, which have millions of users. Sometimes, these portals become carriers of fake and instigating information. Among various obligations, these intermediaries were required to provide a voluntary user verification mechanism. 
• Violating provisions of Indian Personal Data Protection Bill of 2019 also classified as offences specifying the penalties. Had the bill passed, various cases through internet lawyer would have empowered the people using the internet in India. 
• The bill also sought amendments in the existing Information Technology Act, 2000 to the extent of provisions that were being introduced through this data protection bill. 
• The bill also empowered the government to seek non-personal data, or even anonymized (individual identity is not revealed) personal data. 

JPC Report on Data Protection Bill

Being drafted by the Personal Data Protection Bill committee, it was introduced to the Joint Parliamentary Committee for scrutiny. Although the committee was given a shorter deadline till February 2020, it sought extension of this period to consult various stakeholders before the JPC report on Data Protection Bill was tabled in the Lok Sabha. 

This committee made a comeback after 2 years on December 16, 2021 with a review report containing 542 pages. The JPC report on the Data Protection Bill consisted of 93 recommendations on existing provisions. It also proposed 81 amendments to the same. In addition, another Union Minister led panel also proposed 97 corrections and improvements in the already drafted bill. The stakeholders included tech companies and privacy activists whose serious criticism led to withdrawal of this bill.

Some of the major pointers recommended through this report are as follows:

• Need for data protection in a broader way without segregation personal and non-personal data,
• Designating social media not just as intermediaries but content publishers,
• Provisions regarding regulation/ control of social media be included to prevent the various types of cyber crime,
• Need for norms regarding data localization,
• In case of data compromise, provisions for compensation required,
• The union government enjoys broader exemptions,
• Escape the silence over data related to children, deceased people, etc.
• The bill needs to be harmonious with the right to privacy judgment of K.S. Puttaswamy (2017).  

Withdrawal

Recently, on August 3, 2022, the Personal Data Protection Bill, 2019 was withdrawn by the central government. The motion for withdrawal of this bill was moved in Lok Sabha by Ashwini Vaishvaw, Union Minister for Electronics and Information Technology. As closed by the said Minister, another global standard law with comprehensive legal framework will be introduced later keeping abreast with the proposed amendments, respecting contemporary and future challenges. 

Closure

The concerns related to data privacy are serious. India is a vastly growing economy with second pedestal when it comes to the number of internet users in the world. This fact reveals how badly our country needs in place a well thought and drafted law on personal data protection.