As it considers a “comprehensive legal framework” to govern the online world, the government withdrew the Personal Data Protection Bill from Parliament. This includes bringing separate laws on data privacy, the overall Internet ecosystem, cybersecurity, telecom regulations, and using non-personal data to foster innovation in the nation.
After working on the Bill for over four years, the administration has finally made this move. It had undergone several revisions, including a review by a Joint Committee of Parliament (JCP), and was the target of fierce opposition from a number of parties, including large internet corporations like Facebook and Google, privacy advocates, and members of civil society.
The internet giants had also raised concerns about a planned clause in the Bill termed “data localization,” which would have required them to keep a copy of some sensitive personal data in India and prevented the transfer of undefined “critical” personal data.
Several stakeholders have criticised the Bill’s delays, pointing out that it was extremely concerning that India, one of the world’s largest Internet marketplaces, lacked a fundamental foundation to safeguard people’s privacy.
The Bill was also criticised by the nation’s startups as being too “compliance-intensive.” Government sources claim that the revised Bill will be lot simpler to comply with, particularly for startups.
After 78 sittings spanning 184 hours and 20 minutes and six extensions, the JCP finally submitted its findings. It suggested 81 changes to the Bill that were included in the version that the Srikrishna panel ultimately approved, as well as 12 suggestions, one of which was to change the focus of the Bill from protecting personal data to protecting all types of data. Non-personal data are essentially any collection of data that does not include any personally identifying information.
Additionally, the JCP study included suggestions for improvements to social media company regulation and the use of only “trusted hardware” in cellphones, among other things. It was suggested that social media platforms that don’t serve as middlemen should be viewed as content providers and held accountable for the material they contain.
Senior government sources claim that the new data protection Bill would eliminate certain of the JCP’s suggestions, including the use of “trusted hardware” and the local storage of specific types of personal data inside the borders of India. Instead, it will include these concepts into the wider Internet ecosystem framework, which will take the place of the Information Technology Act of 2000. It is understood that all of these distinct legislations will be introduced simultaneously.
In terms of data localization, the new Bill may do away with categorization of personal data and limit its use to determining damages for individuals whose personal data may have been compromised by an organisation.
Rajeev Chandrasekhar, minister of state for electronics and information technology, stated that the administration will “very rapidly” introduce new laws in Parliament.
The administration intends to introduce the law during the Winter Session of Parliament, according to sources in the IT Ministry. According to a senior official, the revised Bill would include the wider concepts of data protection suggested by the JCP and will be consistent with the Supreme Court’s important privacy decision from 2017. The official stated that it was essential to completely redraw the boundaries of the proposed law due to the huge number of revisions that the JCP offered.
