Like the flying car or the new ‘Game of Thrones’ novel, India’s new data privacy law had been described as being ‘almost ready’ and ‘a few months away’ for a very long time! The draft Personal Data Protection Bill, 2019, was in the public domain for a couple of years, raising hopes that India would have its own ‘GDPR equivalent’ privacy law very soon.
Then, in early August 2022, new broke that the Bill had been formally withdrawn from Parliament by the Indian Government. In this article we look at the history of this Bill, why it was withdrawn, and discuss what comes next for data protection in India.
Despite the healthy debate engendered by the 2019 Bill during its lifetime, one issue on which there is no debate is that India needs a privacy law refresh.
As on date, the Indian data privacy regime is largely focused on obtaining a data subject’s ‘prior consent’, and ensuring data security measures are in place. There is no independent data protection regulator, data subjects have limited rights, and there is almost zero history of judicial enforcement of data privacy rights. But this is not surprising, given that when the current set of data privacy laws were formulated in 2011, there was not yet a constitutional right to data privacy in India!
That India needs a new data privacy law is also a direct consequence of the Indian Supreme Court’s ruling in 2017, establishing a right to informational privacy. The clamour for this law is also inspired in large part by developments around the world, particularly in the European Union since 2016. The 2019 draft Bill was similar to the EU’s General Data Protection Regulation, GDPR, in a number of important aspects; it required a ‘privacy by design’ architecture, set up a central data protection authority, required local processing of data, and mandated heavy fines for non-compliance.
While copying provisions from the ‘gold standard’ of global data protection laws was not a bad strategy, making it work for an Indian business and start-up ecosystem has proved to be a tough balancing act.
The 2019 data privacy Bill was withdrawn in the main due to opposition from digital business majors, civil society, and also from the Government’s own expert Committee. There was also a growing realisation that a new data privacy legislation cannot be a ‘net loss’ to Indian businesses, especially start-ups.
Data driven businesses in India were alarmed by restrictions on the use and export of Indian persons’ data. At the same time, Indian civil society groups and think tanks decried portions of the Bill that added to the Indian Government surveillance powers, and excepted their activities from scrutiny. The Bill went through a series of public consultation, and was then referred to the Indian Parliament’s joint expert committee for their views. The JPC undertook more stakeholder consultations, and in late 2021 recommended an overhaul of the draft Bill. It has been noted that the JPC ended up recommending 81 changes in a total of 99 provisions of the Bill.
What is also important is that the JPC recommended the Bill’s ambit be expanded to include non-personal data. This is the first time the regulation of non-personal data has been mooted in India, and the only regulatory precedent is an expert committee’s report on non-personal data dating back to late 2020. Folding in elements of non-personal data protection into a GDPR-like personal data law is (evidently) not easily done, explaining further why the 2019 Bill was withdrawn.
Despite the withdrawal, the industry consensus is that the overall policy thrust and direction of the Government to overhaul India’s privacy laws remains unchanged. The bill’s withdrawal can be said to be a ‘tactical’ move, in part to enable a ‘clean slate’ for addressing concerns raised on the 2019 Bill, as well as to find a place for issues such as Non-Personal Data, etc., that the old Bill did not contemplate.
Faced with rising unemployment and inflation, and fiscal tightening all around, the Indian Government is keen to push laws that will lead directly and immediately to wealth creation and (importantly) job creation. A standalone data privacy law is crucial to driving India’s digital economy, as well as ensuring smooth data flows to companies and customers in the big US and EU markets. There is a keen sense in the Government that the new data bill should not harm businesses, particularly start-ups. In this context, a ‘rather safe than sorry’ approach is predicated on the notion of avoiding any harm to India’s own start-up and IT industry sectors.
There are indications that, post the 2019 bill’s withdrawal, two separate sets of laws that are now on the anvil. One is a new privacy bill with an emphasis on data localisation, and more targeted at digital business majors holding vast volumes of Indian data (like social media, phone manufacturers, etc.). The other is a related overhaul of India’s 20 year old Information Technology Act, 2000, that may be replaced by a new Digital India Act.
Multiple industry sources say that a draft privacy law may be released in time for the Indian Parliament’s Winter Session in December 2022. It is also instructive to note that India is hosting G20’s presidency from December 2022. Given that general elections in India are scheduled for 2024, there are strong indications that an overhaul will be begun in late 2022, and not be left too late.
But whichever way you slice it, it is clear that the 2019 draft bill did yeoman’s service in driving the debate on data privacy in India. It remains to be seen what new law takes its place, but the lessons of the last few years will not be easily forgotten by the Indian Government, civil society, or data driven businesses.