Published On 04-08-2022
The Union Minister of Information and Technology Ashwini Vaishnav has withdrawn the Personal Data Protection (PDP) Bill 2019. It will now be replaced with one that has a “comprehensive framework” and is in alignment with “contemporary digital privacy laws”.
This comes after a joint parliamentary committee suggested 81 amendments to it.
The Bill aimed to safeguard individuals' data over cyberspace and regulate the accessibility of personal data by companies and the government.
The government withdrew the Bill after the Joint Parliamentary Committee (JPC) suggested 81 amendments to the 99-section Bill.
The JPC issued 12 recommendations.
“The Joint Parliamentary Committee’s report on the Personal Data Protection Bill had identified many issues that were relevant but beyond the scope of a modern digital privacy law,” Minister of State for Electronics and Information Technology (MeitY) Rajeev Chandrasekhar tweeted.
"Privacy is a fundamental right of Indian citizens & A Trillion dollar Digital Economy requires Global std Cyber laws," he said.
“This will soon be replaced by a comprehensive framework of global standard laws including digital privacy laws for contemporary and future challenges and catalyze PM Narendra Modi’s vision of India Techade,” the minister added.
The Bill was criticised for focusing on the government's interests instead of the privacy of data owners. But what exactly did it say? And what was the issue around it? Know all about the Personal Data Protection (PDP) Bill, 2019.
In 2017, the Supreme Court declared the right to privacy to be a fundamental right protected by the Constitution. The Top Court has ordered the Centre to develop a data protection framework for the country.
On December 11, 2019, the Personal Data Protection Bill was introduced in India's parliament. It established the rules for how personal data should be processed and maintained, as well as a list of people's rights in relation to their personal information. It also recommended establishing the Data Protection Authority, an independent Indian regulatory body, to carry out this law.
A Joint Parliamentary Committee was then formed to review the bill's provisions and make recommendations.
The bill classified three types of data: personal data, sensitive personal data, and critical personal data. Each category has its own set of obligations and regulatory requirements. Indian and foreign companies working with data of Indian citizens were required to adhere to the law.
If the Bill had been passed, businesses would have been required to inform customers about their data collection activities and obtain their consent.
They would have to collect and store evidence that such notice was made and consent was obtained. Because the bill gave customers the right to withdraw their consent, companies would be obligated to establish procedures that would allow consumers to do so.
The bill essentially gave customers the right to access, amend, and erase their data.
The law further said that "sensitive personal data" must be stored in India and that "critical personal data," defined as any data identified as critical by the Central Government, cannot be moved outside of India.
The bill specifically exempted any government agency from any of its provisions. The government also has the power to request non-personal data and anonymised personal data from data fiduciaries in order to profit from various government services.
As the Congress leader Manish Tiwari said - the PDP Bill creates two parallel universes, one for the private sector, where it would apply rigorously, and another for the government, where it is riddled with exceptions.
The bill was introduced after similar legislations were made in other countries to entrench the right to privacy of citizens in a digital age where businesses want to track every parcel of information of citizens for their own gain.
The California Consumer Privacy Act and the General Data Protection Regulation were two key pieces of legislation passed in California and the European Union that gave citizens control over their personal data.
However, though the PDP Bill 2019 sought to emulate similar levels of success, the exemptions and the power of the government to look through the data attracted criticism from privacy activists.
The Bill was extensively questioned since its introduction for being biased towards the data collecting entity and for causing additional major problems with a user's rights.
The withdrawal of consent with only “valid reason”
The laws enabled users to select how and when their data can be collected, used, stored, and shared by providing them with the necessary rights and power to decide when and how they desire to deal with their data.
However, the PDP Bill complicated users' rights to withdraw consent by adding that if consent is withdrawn without a "valid reason," the data subject would bear the legal consequences of such withdrawal. This made exercising the right to withdraw consent not only difficult, but also unnecessarily taxing, and it also denies the individual's right to exercise such a right.
To make this situation worse, the law did not specify what constitutes "valid reason," as well as the extent and nature of the legal consequences envisioned by the section.
Employees data
Another troubling aspect of this Bill was the exemption given to companies to handle employee data without their consent for the purposes of hiring or terminating employees, providing services to employees, verifying employee attendance, or evaluating employee performance.
Several provisions of the Bill clarified that the law did not consider or respect employees' privacy, or how their data is handled by their company, allowing them to abuse their rights and position of authority.
Exceptions for the government
The Bill also gave the government the authority to allow government authorities to obtain each subject's data and use it as they saw fit in the interests of sovereignty, public order, security, international relations, or the prevention of activities that would be considered crimes.
The Bill received criticism for focusing more on the government's interests than on the privacy of data owners. The phrase "to ensure the interest and security of the State" was added to the preamble of the Bill to put it in the context of safeguarding the interest and security of the State.
In the case of data processing by the State, the exceptions in the Bill for processing users' personal data without their consent had relatively little protection. This might have resulted in extensive monitoring disguised as state security or public order.
