Data law delay

Why in news?

The government withdrew the Personal Data Protection Bill, 2019 after intense scrutiny by a Joint Parliamentary Committee (JPC).

What are the origins of the Bill?

In the seminal Justice K.S. Puttaswamy (Retd) vs Union of India case, the Supreme Court of India ordered, that the right to privacy is an intrinsic part of the right to life and personal freedom guaranteed by the Indian Constitution.
In the light of this judgment, and the concerns around how large tech platforms were handling the personal data of their Indian users came into the picture.
The Centre in 2017 set up an expert committee chaired by retired Supreme Court Justice B.N. Srikrishna to formulate a regulatory framework for data protection.
The Srikrishna committee submitted its report and a draft for the Data Protection Bill to the Ministry of Electronics and Information Technology on July 27, 2018.
The Bill that was tabled by the Ministry in Parliament, was criticized by Justice Srikrishna for giving more control to the Central government over the data than envisaged in the committee’s draft.
The JPC then deliberated on the Bill and submitted its report in November 2021.
The JPC cleared clause 35, the provision that enables government agencies to circumvent provisions of the law citing public order, sovereignty, friendly relations with foreign states, and security of the state.
The opposition members of the JPC had submitted strong dissent notes along with the report.

Why has the Bill been withdrawn now?

Despite the government retaining its access to data, it has withdrawn the bill.
The reason being cited as, a significant number of amendments, recommendations, and corrections suggested by the JPC.
The JPC’s 542-page report has 93 recommendations, and 81 amendments and members have suggested 97 corrections and improvements to the Bill.
The key recommendation is to widen the ambit of the Personal Data Protection Bill, 2019 to cover all data instead of just personal data, thus moving it considerably away from its Puttaswamy origins.
The stated view of the government is that in the face of such a radical overhaul, it is better to bring in a new Bill.
The government also said that it received several concerns from the tech industry, specifically from Indian start-ups, regarding the stipulations on data localization in the Bill.

What does the Bill say on data localization?

Personal data as defined in the Bill is “any characteristic trait, attribute or any other feature information” that can be used to identify a person.
The Bill also identified a sub-category of Sensitive Personal Data.
Such data consists of details on a person’s finance, health, sexual orientation and practices, caste, political and religious beliefs, and biometric and genetic data.
It also created a Critical Personal Data Category, which was “personal data as may be notified by the Central government” in the future.
The Bill stated that while Sensitive Personal Data can be transferred abroad for processing, a copy of it must be kept in India.
Critical Personal Data can be stored and processed only in India.
It also stipulates the conditions under which sensitive data can be sent abroad, such as government-authorized contracts.
Several countries such localization provisions, considering the strategic and commercial implications of data, the “new oil”.
However, businesses both big and small, international, and domestic, have issues with such localization.

What were the concerns of the tech industry?

Indian start-ups have raised the issue that the infrastructure needed to comply with the localization stipulations will be a huge drain on their resources.
Start-ups also often depend on international companies for services such as customer management, analytics, and marketing, which will require them to send data on their customer abroad.
Data localization requirements would not only reduce their choices of such services but also burden them with the compliance process.
The compliance requirements have implications for the larger US-based tech companies as well.
Reports indicate that umbrella organizations of US businesses were lobbying against the bill.

What is the way forward?

A new bill that fits into the comprehensive legal framework shall be considered by the government.
One of the JPC recommendations would also have been of particular concern for social media companies as it sought to move them from the category of online intermediaries to content publishers.
This makes them responsible for the post they host.

Reference: