As stakeholders await the release of the bill, here’s a look at the Data Protection Bill’s five-year history.
July 2018: Srikrishna Committee Submits Report
First came a report and draft bill by a committee headed by retired Justice BN Srikrishna.
It was lauded for:
Changing the language of privacy by using constructs like ‘data principals’ and ‘data fiduciaries’.
Taking a guarded approach to surveillance and recognising that though security of the state is a ground for partial exemption from the data protection law, it must come with certain safeguards to prevent abuse.
Providing a solid data portability framework.
Where it drew strong criticism is its proposals on strict standards for cross-border transfer of data and storage, and gaps in the redressal framework.
December 2019: The Government Version
The government made certain tweaks to the Srikrishna Committee version and introduced the Personal Data Protection Bill in the Parliament in December 2019.
The changes included some such as:
Wide exemptions granted for the state’s use of data.
No judicial member in the selection committee, which will make appointments to the Data Protection Authority.
Narrowing the list of offences under the law.
the requirements of data localisation.
The bill presented by the government saw criticism both inside and outside the Parliament.
“This is nothing but giving a blank cheque to the state to say ‘you write whatever you want on that, signature is already there’,” Justice Srikrishna had said in March 2020. He had also the bill a step towards an Orwellian state. The opposition, too, had attacked the government for a growing “snooping industry”.
In December 2019, on the same day of its introduction, the bill was sent to the 30-member Joint Parliamentary Committee.
December 2021: JPC Submits Its Report
The Joint Parliamentary Committee submitted its report in December last year, suggesting around 188 amendments and expansion of the scope of the law.
The key proposals included:
Personal and non-personal data to be governed by a single legislation.
Regulating social media companies.
Procedure to exempt government agencies from purview of the bill.
Provisions related to data localisation.
Composition of the Data Protection Authority.
Experts had criticised the JPC version for endorsing wide exemption for state agencies; worsening the independence of the Data Protection Authority; legitimising profiling of adults; and undermining several user rights.
August 2022: Bill Withdrawn
The government withdrew the Personal Data Protection Bill, 2021.
At the time, Chandrashekhar had said that the bill will soon be replaced by a “comprehensive framework of global standard laws including digital privacy laws for contemporary and future challenges”.