As of today, India does not have comprehensive, stand-alone legislation that addresses data protection, unlike the European Union with its GDPR. Data protection is mainly governed by the Information Technology Act of 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, along with sectoral regulations issued by bodies such as the Reserve Bank of India, the Insurance Regulatory and Development Authority of India and the Securities and Exchange Board of India, which address the protection of data collected in their respective sectors.

However, the Personal Data Protection Bill (‘PDP Bill’) was designed by a subcommittee appointed under the chairmanship of Justice Srikrishna in 2018 to address the lack of stand-alone data protection legislation. It was approved in December 2019 and was sent to the Joint Parliamentary Committee (‘JPC’) for review. The Report of the JPC, which captured multiple recommendations, was tabled in November 2021. To see our previous update on the PDP Bill, including the recommendations of the JPC in 2021, please refer here.

Debate over passing the PDP Bill

There has been significant debate over passing the PDP Bill in the past four years as it went through multiple rounds of scrutiny, including from the JPC, the public and various tech companies. Some believe that this delay is concerning, as India is one of the largest Internet-driven markets in the world and there is no regulatory framework that explicitly protects people’s privacy. They believe it is better to have some law than no law at this point.[1] On the other hand, some stakeholders criticized the PDP Bill, suggesting that many of its provisions, such as data localization, would be detrimental to their businesses. Start-ups believe that the PDP Bill is too compliance-intensive, and certain civil society groups were against the surveillance-enabling provisions.

Withdrawal of the Bill

The Government on Wednesday (August 3, 2021) withdrew the PDP Bill, stating that a ‘comprehensive legal framework’ is being worked upon and will be presented as a new bill. This new bill is supposed to provide a legal framework to regulate a much broader spectrum of activities in the online space, incorporating separate laws on data privacy, the overall internet ecosystem, cybersecurity and the use of non-personal data to amplify innovation in the country. The Bill is proposed to be tabled in the Winter Session.

Union Minister for Electronics and Information Technology, Ashwini Vaishnaw, explained the reason behind the withdrawal of the PDP Bill via a note circulated to the Members of Parliament. The note stated that 81 amendments had been proposed and 12 recommendations made on the framework, and thus it has been proposed that a new Bill will be presented that fits into the comprehensive legal framework. After the withdrawal of the Bill, Minister of State for IT, Rajeev Chandrashekhar, suggested that the new comprehensive framework will consist of global-standard laws, including digital privacy laws, for contemporary and future challenges.[2] Members of the JPC too seem to have welcomed this decision, suggesting that new legislation is better than making 81 amendments.

Concluding remarks

The dilemma is whether some law targeted at the immediate need for comprehensive Indian data regulation would have been better than no law, or whether it is better to wait for entirely new legislation that encompasses a broader scope, addresses the JPC suggestions and adapts to the ongoing changes in the local and global technology environment. The provisions of the new draft legislation, which is hopefully to be proposed soon, will possibly answer part of the question.