Why has the government withdrawn the PDP Bill?

The Personal Data Protection Bill was proposed by the government to protect citizens’ data privacy. Despite the long and arduous legislative and consultation process, the Bill was withdrawn last Wednesday.

Minister of Railways and Communications Ashwini Vaishnaw said the Bill was withdrawn because the Joint Parliamentary Committee proposed a large set of changes, and it would be far easier to come out with a new Bill instead of modifying the current one. The PDP Bill was submitted to the JPC in 2019, and the JPC released its report in December 2021, where it proposed 81 amendments and 12 recommendations.

How long was the proposed Bill in the works?

While some contours of the data protection framework have been in discussion for the past decade, the PDP Bill itself is five years in making. Between 2011 and 2014 the Ministry of Personnel, Public Grievances and Pensions started coordinating the Draft Privacy Bill’s versions dealing with Data Protection and Surveillance reform, however, the work was halted.

The next trigger for the government to was the Supreme Court’s decision on the Justice K.S. Puttaswamy vs Union of India case, where it ruled that a citizen’s right to privacy is a fundamental right. This kick-started the formulation process of the current version of the PDP Bill.

In 2018, the Srikrishna Committee released a 176-page report and proposed the first draft of the PDP Bill. The draft PDP went through various consultation processes and revisions after which it was introduced in Parliament in 2019 along with the Srikrishna Committee’s recommendations. In December 2019 the Bill was sent to the JPC for review from both Houses, which came out with its report in December 2021.

Why is this law important?

For the first time, a Bill was enacted to protect the digital rights and privacy of Indians. Global attempts include the General Data Protection Regulation implemented by the European Union, and the State data privacy laws in the United States. Even, Brazil has implemented a data privacy legislation.

While India has some laws to regulate sensitive data under the Information and Technology Act of 2000, no legislation has been passed so far to implement the ethos of the Puttaswamy judgment, which guaranteed Indians their right to privacy. As Indians increasingly onboard onto digital platforms, there is an urgent need to protect citizens’ personal data and make the data utilisation process transparent.

What were the controversial aspects of the Bill?

The PDP Bill’s opponents included tech companies and civil liberties organisations. Most private enterprises opposed the data localisation norms that were part of the Bill, which they felt were stringent.

In fact, many tech giants such as Google and Meta frowned at the JPC’s criticism of their data collection methods. Indian technology industry bodies also felt that some aspects of the PDP Bill would hamper the growth of the Indian tech start-up ecosystem.

On the other hand, civil liberties organisations noted that there was significant state overreach in the PDP Bill. Privacy rights organisation Internet Freedom Foundation said more needs to be done to hold the Data Protection Authority accountable, furthermore the utilisation of citizen data by the Indian State also must be kept ‘in check’.

What happens now?

After withdrawing the PDP Bill the government plans to introduce four comprehensive laws to cover the digital tech landscape. This will include introducing new regulations in the domains of telecom, information and technology, personal data and privacy, and social media accountability. The government has committed to submit the draft of the next data protection framework no later than the next Budget session.