The government has withdrawn the Personal Data Protection Bill, 2019, and has informed that it would be replaced by a comprehensive legal framework which will be designed to address all of the contemporary and future challenges of the digital ecosystem.
According to Ashwini Vaishnaw, Union Minister of Communications, Electronics and Information Technology and Railways, the government withdrew the bill because the Joint Parliamentary Committee (JPC) had recommended 81 amendments to it, which had 99 sections. The JPC had made 12 recommendations.
Meanwhile, Rajeev Chandrashekhar, Union Minister of State for Information Technology, added that the JPC’s report on the bill had identified many issues that were relevant but beyond the scope of modern digital privacy law.
According to Chandrashekhar, the revised legislative framework now being worked on by the government will take into account issues such as non-personal data, social media regulation, data localisation, and hardware security requirements, all of which will now be dealt with in a separate law. While penalties on companies for data breaches will remain, provisions that imposed criminal penalties on officials of these companies may be dropped in the new law.
Industry reactions:
Commenting on the withdrawal, Sajai Singh, partner, J Sagar Associates, said, “The decision of the central government to withdraw the 2019 Personal Data Protection Bill is a welcome one for several reasons. The most key issue is the practicality of a Bill becoming the law of the land. India is a plural country and represented by members of parliament from various regions and political affiliations. Unless each one of these, or at least a majority, is on the same page a bill can languish as a bill and never see the light of day as a statute. In a wise move, the government had set up a 30-member JPC to ensure all stakeholders got a chance to air their views and comment on the proposed legislation. The JPC made several recommendations to the bill in 2021. It was possible to implement some by tweaking the draft, but several required a rethink of the legislation itself, like whether to include non-personal data in the bill. On the other hand, COVID and the sheer developments in technology have brought to the fore several other issues that need to be legislated upon, by countries across the globe. And the drafting of the bill needed to be made current with the ground realities. What with ethics and artificial intelligence, ransomware becoming more sophisticated, crypto and non-fungible tokens adding a commercial dimension to blockchain technology and the like. It, therefore, is a wise decision by the Ministry of Electronics and Information Technology (MeitY) to withdraw the bill and go back to the drawing board and start afresh. On the parallel ground is the drafting of the Digital India Act, which will update and replace the Information Technology Act, 2000. I am interested in seeing the interplay between these two drafts. Various multinationals, on the other hand, are interested in seeing how Indian law will address issues like cross-border data flow, data localisation requirements and restrictions placed on certain services, like virtual private network. Till there is movement on the Personal Data Protection Bill and the Digital India Act, privacy will continue to be addressed by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, and the Indian Computer Emergency Response Team (CERT-In) will keep addressing cybersecurity issues in India. The August 24, 2017, guiding principles of the Puttaswamy Aadhaar judgment will have to wait to see their transition from caselaw to statute law. Though the wait should not be too long, as I believe the government is working overtime to make this a reality sooner than later.”
