Current state
Reasons for withdrawal
What happens next
India's new data privacy law has been in the works for a long time. The draft Personal Data Protection Bill 2019 (the Bill) was in the public domain for a couple of years, raising hopes that India would soon have its own General Data Protection Regulation (GDPR) equivalent.
In early August 2022, news broke out that the Bill had been formally withdrawn from Parliament. This article looks at the history of this Bill, why it was withdrawn, and what comes next for data protection in India.
Despite the healthy debate arising from the Bill, one issue on which there is no debate is that India needs a privacy law refresh.
To date, the data privacy regime is largely focused on obtaining a data subject's prior consent and ensuring that data security measures are in place. There is no independent data protection regulator, data subjects have limited rights, and there is almost zero history of judicial enforcement of data privacy rights. But this is not surprising, given that when the current set of data privacy laws was formulated in 2011, there was no constitutional right to data privacy.
The need for a new data privacy law is also a direct consequence of the Supreme Court ruling in 2017, which established a right to informational privacy. The clamour for this law has also been largely inspired by developments that have taken place globally since 2016, particularly those in the European Union. The Bill was similar to the GDPR, in a number of important aspects. It provided for:
- a "privacy by design" architecture;
- the setting up of a central data protection authority;
- local processing of data; and
- heavy fines for non-compliance.
While copying provisions from the GDPR, the gold standard of global data protection laws, was not a bad strategy, making it work for a business and start-up ecosystem has proved to be a tough balancing act.
The Bill was withdrawn mainly due to opposition from major digital businesses, the public and the government's own expert committee. There was also a growing realisation that new data privacy legislation could not entail net losses for businesses, especially start-ups.
Data-driven businesses were alarmed by the restrictions on the use and export of personal data. At the same time, several groups and think-tanks denounced portions of the Bill that added to the government surveillance powers and exempted their activities from scrutiny. The Bill went through a series of public consultations and was then referred to the parliament's joint expert committee (JPC) for their views. The JPC undertook more stakeholder consultations, and in late 2021 recommended an overhaul of the Bill. It has been noted that the JPC ended up recommending 81 changes in a total of 99 provisions of the Bill.
Further, the JPC recommended that the Bill's ambit be expanded to include non-personal data. This is the first time the regulation of non-personal data has been mooted in India, and the only regulatory precedent is an expert committee's report on non-personal data dating back to late 2020. Folding in elements of non-personal data protection into a GDPR-like personal data law is not easily done, which further illustrates why the Bill was withdrawn.
Despite the withdrawal, the industry consensus is that the overall policy and direction of the government to overhaul privacy laws remains unchanged. The Bill's withdrawal can be said to be a tactical move, in part to enable a clean slate for addressing concerns raised on the Bill, as well as to find a place for issues such as non-personal data – issues that the old Bill did not contemplate.
Faced with rising unemployment and inflation, and fiscal tightening all around, government is keen to push laws that will lead directly and immediately to wealth creation and, importantly, job creation. A standalone data privacy law is crucial to driving India's digital economy, as well as ensuring smooth data flows to companies and customers in US and European markets. There is a keen sense in government that a new data bill should not harm businesses, particularly start-ups. In this context, a cautious approach is preferred in order to avoid any harm to India's own start-up and information technology industry sectors.
There are indications that, now that the Bill has been withdrawn, two separate sets of laws are in the works:
- One is a new privacy bill with an emphasis on data localisation – and more targeted at large digital businesses holding vast volumes of data (eg, social media, phone manufacturers, etc).
- The other is a related overhaul of the Information Technology Act 2000, which may be replaced by a new Digital India Act.
Multiple industry sources say that a draft privacy law may be released in time for parliament's winter session in December 2022. It is also instructive to note that India is hosting the G20's presidency from December 2022. Given that general elections in India are scheduled for 2024, there are strong indications that an overhaul will begin in late 2022 and not be left too late.
Whatever direction future legislation takes, it is clear that the Bill served its purpose in driving the debate on data privacy among the government, the public and data-driven businesses.
For further information on this topic please contact Vikram Jeet Singh at BTG Legal by telephone (+91 9769934713) or email ([email protected]). The BTG Legal website can be accessed at www.btg-legal.com.