In the first week of August, the Ministry of Electronics and Information Technology moved to suddenly withdraw the Protection Data Protection Bill, 2019, citing the report of the Joint Parliamentary Committee and its detailed recommendations. In its place, the government has committed to enacting a “comprehensive legal framework”, i.e. a new law, “hopefully” – as per the Minister – by the next Budget session of Parliament.
A lot has been written about the reasons for withdrawal and its immediate implications. However, given that the withdrawal has happened, it is important to focus on the way ahead.
There have been multiple iterations of the data protection law over the last five years – the Srikrishna Committee submitted its draft Personal Data Protection Bill in 2018; the government introduced its version one year later in the Lok Sabha in the form of the PDP Bill, 2019; and the JPC proposed a redrafted Data Protection Bill in 2021. Each of these drafts was more complex, and more criticized than its previous version.
Regardless of one’s views on the merits of the withdrawal of the PDP Bill, the government now has a blank slate when it comes to redrafting the law. What elements should such a law contain? I give six suggestions here.
Re-Centre The Bill On Privacy
The impetus behind enacting a data protection law came partly from the Supreme Court’s observations in the Puttaswamy judgment, which recognized the right to privacy as a fundamental right. The decision was given in the backdrop of the constitutional challenge to the Aadhaar scheme and its impact on privacy, consent, and choice, leading the Court to recognize that the “dangers to privacy” in an information age originate from State and non-State actors.
The draft PDP Bill 2018 released by the Srikrishna Committee as well as its accompanying report tried to balance the right to privacy with the importance of the digital economy, with the objective to “unlock the data economy”. The 2018 Bill recommended a comparatively stricter approach towards regulating the private sector, compared to the leniency shown towards state action. This philosophy was followed in the PDP Bill, 2019. This was critiqued by many for unnecessarily undermining privacy. Unfortunately, instead of responding to this critique, the JPC further privileged the state’s interests, at the expense of the individual. Taking a view that digital privacy must be circumscribed and limited by the country’s sovereignty, integrity and security, the JPC recommended modifying the long title of the Bill to add that its purpose was also, “to ensure the interest and security of the State”.
Retain The Original Focus On ‘Personal’ Data
The PDP Bill was always intended to focus on the privacy of individuals and the regulation of their personal data. This was reflected in the text of the Srikrishna draft law in 2018 as well as the PDP Bill, 2019. However, without any coherent justification, the JPC recommended expanding the scope of the law to cover the regulation of personal and non-personal data.
Such a move was without precedent. Most countries regulate personal and non-personal data separately, partly to avoid conflicting concerns. A personal data protection law keeps the individual at its centre and is focused on regulating the collection, storage, and use of their personal data, such as health or financial data. In contrast, non-personal data such as traffic data is anonymized and its regulation is focused on unlocking the “economic benefit” that inheres in such data.
A law that conflates these concerns will only be cumbersome and difficult to implement.