Editorial: Beating a retreat

The NDA government’s decision to withdraw the much-debated and contentious Personal Data Protection Bill from Parliament is hardly surprising, given the widespread concerns over the proposed legislation and the complex dynamics surrounding the issue. The Joint Parliamentary Committee itself has recommended 81 changes in a Bill of 99 sections. It also made 12 recommendations for […]

The NDA government’s decision to withdraw the much-debated and contentious Personal Data Protection Bill from Parliament is hardly surprising, given the widespread concerns over the proposed legislation and the complex dynamics surrounding the issue. The Joint Parliamentary Committee itself has recommended 81 changes in a Bill of 99 sections. It also made 12 recommendations for a comprehensive legal framework for the digital ecosystem. Several objections have come, not just from global technology giants like Facebook, Amazon and Google but also from the rights activists over certain controversial provisions in the draft legislation that give sweeping powers to the state agencies to access personal data of individuals under opaque conditions, citing national security and other reasons. It would have become easier for the government to snoop on citizens. The law also would have required large social media platforms to offer an identity-verification option, a potentially precedent-setting effort to rein in the spread of “fake news”. The requirement would likely raise a host of technical and policy issues for companies including Facebook and its WhatsApp and Instagram units, and Twitter, among others, all of which have millions of users in India. The Personal Data Protection Bill 2019 was keenly awaited by top technology companies and industry stakeholders as it could alter the way all major internet companies process, store and transfer Indian consumers” data. It is designed to regulate how companies and the government could use the digital data of citizens.

The stated objective of the Bill was to safeguard citizens’ privacy by properly defining personal data, establishing a Data Protection Authority and chalking out a policy framework for data use including by big tech companies. Justifying the withdrawal of the Bill, the government maintained that incorporating the various amendments and recommendations would not have been conducive to the startup ecosystem in India, and thus another framework would need to be devised. The Bill was first introduced in Parliament in 2019, in the wake of the Supreme Court deeming the right to privacy as a fundamental right. The court had then asked the government to come up with a policy framework that could be duly followed by all the relevant stakeholders. The idea of this Bill was to ensure that there is a framework or rules to abide by when it comes to the handling of personal data by institutions and big tech companies. The inherent design flaws in the formulation of the Bill have resulted in the creation of two parallel universes: one for the private sector where the law would apply with full rigour and another for the government where it is riddled with exemptions and escape clauses. Understandably, the industry bodies raised concerns over several provisions of the Bill like the inclusion of non-personal data, treating certain social media networks as publishers and the expanded data localisation mandates.