The withdrawal of the Personal Data Protection (PDP) Bill has raised concerns about the inordinate delay and the contours of its future stature. In an interview with BusinessLine, the Minister for Electronics and Information Technology, Ashwini Vaishnaw, explains the criticality of the focus on personal data within the statutory umbrella that the government is envisaging for regulatory coverage of the ever-dynamic digital technology landscape, the need for separation of personal from non-personal data, and India’s convergence with newer geographies for facilitating export of indigenously developed information technology. Excerpts:
Are we looking at one omnibus legislation or a set of statutes governing the digital landscape?
We are looking at a very comprehensive set of legislations which address the fundamental constructs within the digital landscape. The first area is telecom, which is regulated by the 1885 Telegraph Act. We need a modern telecom bill because modern digital access is primarily through the phone. The second is revamping the Information Technology Act of 2000. The world has changed; the way the internet is governed has changed; technology and its usage have changed. The third is a focused legislation on protecting online personal data and privacy. We must understand that there is a very asymmetric relationship between big tech companies and the users of various platforms. This needs to be addressed properly. Privacy concerns are critical and have been framed in the Puttaswamy judgement by the Supreme Court. The fourth leg of this statutory framework is social media accountability. The question is whether it is possible to cover all these aspects in one omnibus legislation? Having an unwieldy statute governing all structures in this evolving landscape would make it impossible to address the issues as they are fleshed out. The law has to keep pace with the advancement in technology. It cannot lag behind. We will need separate and nimble pieces of legislation that are focused and can change and deconstruct issues as they evolve.
A lot of the commentary around it has focused on the five-year delay since the bill was first introduced and concerns about how the government is dragging its feet...
Frankly, there has been no deliberate delay. Despite the pandemic, the Joint Committee of Parliament (JCP) has held elaborate discussions with all stakeholders. Distilling all these issues into a report was a very tough task, and the Committee has to be commended for the work that has been done. It has recommended 81 amendments in a bill of 99 sections. The question before us was about how we address the 12 major recommendations that were over and above the 81 amendments. The Bill that the government presented to Parliament was practically rewritten by the JCP. The Committee’s report came on December 21. We took six months to deliberate on the issue and came to the conclusion that there was no option but to present a new bill.
At what stage is the new bill?
We are in an advanced stage of drafting the bill. It will be focused on privacy. There would be other statutes addressing telecom, digital technology, and perhaps social media. But this bill would be focused on privacy. This would be one of the cornerstones of the digital world. Instead of putting ten different things into one legislation, we are better off having specific bills focusing on specific aspects of digital technology and its usage.
Do you have a deadline for the privacy bill?
We are looking at the coming budget session to bring in the new privacy bill.
Would the entire legislative process unfold all over again – from stakeholder consultation to perhaps another standing committee reference?
Standing Committee reference is a decision that the Hon’ble Speaker or Hon’ble Chairman has to take. But so far as I can see, there have been very detailed deliberations and the JCP report is fairly exhaustive. So we might not be required to repeat it.
Some of the commentary has focused on how the consent framework in the bill, which has been borrowed from the GDPR bill, actually hinders the growth and evolution of technology at one level and does not really protect the individual at the other, How do you respond?
You have raised a very important point. For the bill to encourage growth and innovation, four things are required. Firstly, any bill on privacy should have clarity and easily comprehensive language that can be interpreted easily by common people, not just lawyers. Secondly, the bill’s implementation should be born digital, i.e., it should be designed to be implemented digitally. Thirdly, there should be a good scope for professionals, people who understand technology, and their voices should have weightage in the bill. Fourthly, the bill should specifically provide for innovation, and our start-up ecosystem should grow as opposed to being stifled. We have the third largest start-up ecosystem and it should not be hindered by over-regulation.
The inclusion of non-personal data by the JPC created a lot of confusion. Would that still be part of the newly drafted bill?
As a matter of propriety, I cannot comment on the new draft. I am only telling you what should be factored in. The original bill was focused on personal data protection. The JPC enlarged its scope to include non-personal data. We need to have a proper mechanism on how to process non-personal data. We need to understand the basic difference between protecting privacy and processing non-personal data. We need to take a considered view on whether non-personal data should go into other legislation concerning digital technology. We need to take a call on that.
Has the absence of privacy legislation hampered the expansion of our tech industry to other geographies?
The fact is that the Indian IT industry today is growing at a rapid pace. In the last fiscal, the IT industry clocked revenue of 227 billion USD and crossed a very important landmark of employing 5.5 million people. The world has an implicit trust in how the Indian technology industry handles data. The export of technology has not been hampered by a lack of legislation. The privacy law has not been codified, but the Supreme Court has laid down the law in the Puttaswamy judgement. So it is not as if India does not have a legal framework for privacy.
You don’t think regulating social media is a contentious issue?
The way the global thought process is evolving points to the consensus that social media has to be held accountable. Many Members of Parliament from almost every party have raised concerns about the accountability of social media. We need to move towards accountability of the content on social media because it is guiding public discourse. Such legislation exists across geographies, so we’re not alone in envisaging that.
The government was given a free hand and a lot of exemptions to invade privacy. Would the new bill correct that?
In fact, the exemptions given in the GDPR are far wider. The GDPR legislation gives about 23 exemptions. What we have done is strictly keeping the constitutional scheme of exemptions to personal freedoms. We have adhered to that. It would be unfair to say we’re invading privacy.