MeitY withdraws Personal Data Protection Bill after over two years of deliberation
The ministry said that it will come up with a comprehensive legal framework based on amendments and recommendations proposed by the Joint Parliamentary Committee.
The government on August 3 announced that it has withdrawn the Personal Data Protection Bill introduced in 2019. Ministry of Electronics and Information Technology () said that the Bill was withdrawn based on multiple amendments and recommendations proposed by the 30-member Joint Parliamentary Committee (JPC).
The Bill was referred to the JPC in 2019 soon after it was introduced, and the JPC submitted its report after nearly two years of deliberation in December 2021.
“The Personal Data Protection Bill, 2019 was deliberated in great detail by the Joint Committee of Parliament. 81 amendments were proposed and 12 recommendations were made towards a comprehensive legal framework on digital ecosystem,” said Ashwini Vaishnaw, Minister of IT, in a note stating reasons for the withdrawal.
He further added, “Considering the report of the Joint Committee of Parliament, a comprehensive legal framework is being worked upon. Hence in the circumstances, it is proposed to withdraw ‘The Personal Data Protection Bill, 2019’ and present a new Bill that fits into the comprehensive legal framework.”
Various ministry officials had indicated earlier this year that the Bill was headed for a re-haul as there was opposition from stakeholders on multiple aspects. Experts are of the opinion that after the legal framework has been determined, nodal ministries for different sectors will come with their own specifications on data governance.
Also, the government has been working on the Digital India Act which will likely replace the IT Act. Some of the provisions of data governance are also likely to be built into the new Act, said the experts.
“I hope this withdrawal of the current Bill will open the path to a more comprehensive and nuanced framework which addresses the challenges of the previous versions of the Bill. Issues such as the lack of independent data protection authority, restrictive cross-border data flow, and state exemptions are revisited and addressed,” Kazim Rizvi, Founder of Delhi-based think-tank, The Dialogue, told YourStory.
The Personal Data Protection Bill, 2019 laid down governance of the individual’s personal data by the government and government bodies, Indian companies, as well as foreign companies with operations in India. It also proposed setting up a central regulator, the Data Protection Authority (DPA).
Global IT bodies, including the likes of Microsoft, Apple, Google, Amazon, Dell, and others, had expressed concerns repeatedly over the recommendations of the JPC as well as provisions of the bill.
“Many tech and social media companies in India had already initiated plans to align their operations with the requirements of the PDP Bill in the anticipation of the long-awaited legislation. For example, processes for data localisation, internal audit and consent mechanisms etc were put in place. Now, with the withdrawal of the draft Bill, such companies again face the unknown,” Anupam Shukla, Partner at law firm Pioneer Legal, told YourStory.
He further added, “The increase in instances of data breaches in recent years also highlights the criticality of robust privacy legislation. In absence of comprehensive central privacy law, various authorities have had to address separate privacy issues in their specific sectors, creating overlapping compliance requirements and potential conflict.”
"We are likely to see further developments on the data protection front in the government’s proposal for the Digital India Act, which will overhaul the current framework of the Information Technology Act, 2000. It is also possible that new regulations will be brought in (possibly under the Digital India Act itself) to specifically address personal data and privacy. Until then, the status quo will remain where privacy in India, as of today, is governed by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, the Puttaswamy Aadhaar judgment, and contract law principles," Shreya Suri, Partner at law firm Indus Law, told YourStory.
(The story was updated with a new quote.)
Edited by Kanishk Singh