There can be no denying that the Personal Data Protection (PDP) Bill has been in the pipeline for way too long. The proposed Bill is meant to regulate an extremely fluid and dynamic space, where concerns over breach of citizen privacy and security are too serious to be brushed aside. The Joint Parliamentary Committee (JPC) took two years to come out with its report on the Bill, proposing a large number of changes. With the JPC suggesting as many as 81 amendments, along with 12 additional recommendations in a Bill of 99 sections, the government obviously had little choice than to go back and draft a new Bill. It is to be hoped that the new version of the Bill will be expedited and not take too much time in coming. However, some questions remain unresolved, despite the deliberations that have taken place since the JPC was formed in December 2019. The JPC has skirted the controversy around Clause 35 of the proposed Bill, which gives powers to the Centre to exempt any agency of the government from application of the Act. Furthermore, the process of appointment of the presiding officers of the Data Protection Authority (DPA) entails heavy involvement of the government under Clause 42. As things stand, these issues may not be addressed in the new avatar of the Bill, given that the JPC had earlier rejected the proposed changes in this regard. The implications of these provisions on surveillance and data security of citizens should yet be considered, as the Bill goes back to the drawing board. To recap, the Bill was initially referred on December 11, 2019 to the JPC, which finally came out with its report on December 16, 2021.

In a digitized world where individuals, machines, financial establishments, enterprises, and government agencies are being connected on the same network, protection of data is of paramount importance. India was among the first countries to consider putting in place a data protection law. Yet, there has been an increase in data breaches across various digital platforms. While every leak exposes thousands of consumers to hackers and scammers, what is more troubling is that in most cases the companies involved are not proactively informing users of the possible data breach. Customers get to know only when an ethical hacker or an Internet rights activist publishes a report. Globally, regulators in the US, China and the EU have put in place laws to address concerns around privacy and data protection. Companies have had to pay a hefty fine for data leaks. Facebook had to pay a $5 billion fine to the US regulator after a year-long investigation into the Cambridge Analytica data breach.

India needs to have a robust law and regulator -- given the 700 million Internet users in the country, over 130 crore Aadhaar numbers, rising financial transactions on digital platforms and millions of devices and machines being connected. Innocuous-looking mobile applications are able to collect large quantities of data from a user’s device in the absence of a deterrent. New technologies such as AI and ML depend heavily on user data. Law enforcement agencies also use data analytics to keep a tab on people for national security purposes. The line needs to be drawn here to reconcile the interests of citizens, companies and the State – with the Bill providing recourse to citizens in the event of unethical data breach.