By Shivanand Pandit
The wait for profound legal security of people’s privacy in India, which has been under increasing attack, relentlessly, has just got longer. After almost four years of debates and discussions, the government has withdrawn the arguable Personal Data Protection Bill (PDP), 2019, which controlled how companies and the government could utilize the digital data of citizens. This outcome and the government’s continuous failure to develop an insightful people-centric data protection law have come with an exorbitant cost to human rights in the world’s largest democracy.
After withdrawing the Bill in Parliament, the Union Minister for Electronics and Information Technology, Ashwini Vaishnaw, said that the government will introduce a set of new laws for the digital economy. He also stated that the Bill had been “deliberated in great detail” by the Joint Committee of Parliament (JCP), which had proposed 81 amendments as well as 12 recommendations in a Bill of 99 sections for a comprehensive legal framework for the digital ecosystem.
According to the sources, the Bill could be substituted by more than one bill, dealing with data privacy, the overall internet ecosystem, cyber security, telecom regulations and connecting non-personal data. The sources also mentioned that the government may bring a new set of bills in the winter session of Parliament and it would organize a wide public consultation before placing the new law in Parliament.
In the background of the Supreme Court’s judgment upholding privacy as a fundamental right and its instruction to the government to draft a data safety norm for the country, the Justice BN Srikrishna committee was set up in 2017. The committee issued a white paper that same year, defining the spaces it would be looking at. Later in 2018, it presented a draft Data Protection Bill to the Ministry of Electronics and Information Technology (MeitY). The Ministry said that it would draft a new Bill borrowing from the thoughts presented in the Srikrishna committee Bill.
The Bill was referred to the JCP in December 2019, which was then led by the BJP’s Meenakshi Lekhi. As the committee started a clause-by-clause examination of the Bill, it also requested and received extensions for submitting its report in September 2020 and March 2021, respectively. In July 2021, Lekhi became the minister of state for external affairs and PP Chaudhary was appointed the chairperson of the JCP. The JCP received yet another extension to present its report after Chaudhary became the chairperson. In December 2021, the JCP presented its report in Parliament, which Justice Srikrishna said was solidly in favour of the government and that the Bill could convert India into an “Orwellian state”.
The JCP submitted its report after 78 meetings spread over around 185 hours and after having received half a dozen extensions. The Committee suggested 81 modifications to the Bill confirmed by the Srikrishna panel, and 12 suggestions comprising increasing the span of the intended legislation to cover deliberations on non-personal data—thereby altering the directive of the Bill from personal data protection to broader data protection. The JCP’s report also suggested alterations on matters, such as regulation of social media organizations, and utilizing only “trusted hardware” in smartphones, etc. It recommended that social media organizations that do not act as mediators should be considered content publishers—making them accountable for the matter they host.
There is no denying the fact that the PDP Bill has been in the pipeline for way too long. The proposed Bill is meant to govern a very molten and vibrant zone, where anxieties over the contravention of citizen’s privacy and protection are too serious to be brushed aside. It is hoped that the new edition of the Bill will be accelerated and not be prolonged any more. Importantly, the government must address many issues in the new avatar of the Bill, such as data breaches and surveillance matters, when it reshapes the PDP Bill.
The JCP has sidestepped the argument around Clause 35 of the proposed Bill, which bestows authorities to the central government to spare any organization of the government from the application of the Act. Additionally, the procedure of selection of the ruling officers of the Data Protection Authority (DPA) involves a substantial involvement of the government under Clause 42. The effects of these provisions on surveillance and data protection of people should be considered as the Bill goes back to the drawing board.
Security of data is of utmost importance in a digitized environment where citizens, machines, financial institutions, businesses and government organizations are being linked on the same network. Although India was among the first nations to consider implementing a data protection law, there has been a huge surge in data infringements across innumerable digital platforms. Every leak uncovers many consumers to hackers and scammers. The more disturbing fact is that in many circumstances, the companies involved are not proactively notifying users of the probable data breach and users get to know about data violation only when an ethical hacker or an Internet rights activist broadcasts a report.
Internationally, watchdogs in the US, China and the EU have executed laws to handle worries around privacy and data protection. Organizations have had to pay a heavy penalty for data outflows. Facebook had to pay a $5 billion penalty to the US watchdog after a year-long inquiry into the Cambridge Analytica data breach.
India needs to have a strong law and controller, considering that there are 700 million Internet users in the country, more than 130 crore Aadhaar numbers, increasing fiscal transactions on digital platforms, and millions of gadgets and machines which are connected. Mobile applications are capable of gathering large volumes of data from a user’s gadget in the absence of a deterrent. New technologies, such as AI and ML depend deeply on user data. Law execution bodies also employ data analytics to keep a check on people for national security objectives. Therefore, a line needs to be drawn to balance the welfare of individuals, companies and the State—with the Bill offering a remedy to citizens in the event of an immoral data breach.
Though the PDP Bill’s withdrawal is an opportunity to tackle lacunae, a data protection law allows no delay. Unfortunately, it is not clear if the Bill’s withdrawal is connected to opposition to compulsory “data localization” from international Internet companies. Meanwhile, the absence of an accurate data protection law in the country is irregular when compared to major nations. If the Government of India is actually committed to a comprehensive legal structure on data privacy and protection, it must return to the standard stipulated in the Srikrishna committee proposals and enact a decree within a reasonable timeline.
The government’s dream of Digital India is quickening, but any attempt to safeguard people’s privacy as more of their data is misused is slowing. The failure to enact a national privacy and data protection structure demonstrates the government’s tactic of putting the horse before the cart—authorizing amplified collection and utilization of personal data, without first guaranteeing that people’s information will be safe and secure, and the wait in executing meaningful data protection law is costing people their right to privacy.
The absence of a data protection law is very unsafe. India is the third most-impacted nation by network security attacks in the world and we are witnessing an intense rise in the number of data leaks and infringements. Without a robust data protection law, the assaults and leaks will only increase, as will the harm they cause to India’s internet infrastructure and people’s privacy. It has been nearly 10 years since the Justice AP Shah Committee report on privacy, five years since the Puttaswamy verdict on the right to privacy, and four years since the Srikrishna Committee’s report and they all indicate the necessity for data protection legislation and surveillance improvements. Each day that is lost causes more harm.
—The writer is a financial and tax specialist, author and public speaker based in Margao, Goa