Withdrawal of Personal Data Protection Bill

The government has withdrawn the Personal Data Protection Bill from Parliament after several amendments were proposed by the Joint-Parliamentary Committee.

• The Personal Data Protection Bill was first introduced in Parliament in December 2019, in the wake of the Supreme Court deemed the “right to privacy” as a fundamental right under the Constitution.
• The court had then asked the government to come up with a policy framework that could be duly followed by all the relevant stakeholders, including big tech companies.

What was the Bill all about?

• The idea of this bill was to ensure that there is a framework or rules to abide by when it comes to the handling of personal data by institutions and big tech companies. Personal data, in the bill, was divided into three categories:

1. 1. Sensitive personal data (like health, sexual orientation, finances),
   2. Critical personal data (left to be defined by the government), and
   3. basic personal data

• Companies were supposed to inform consumers about how are they utilizing data and take consent from them.
• The bill gave the consumers the right to withdraw consent whenever they wanted and companies had to oblige and provide a mechanism to enable this.
• The law proposed strict regulations on the flow of data outside of India’s borders, including giving the government powers to seek information about users from companies. The bill was sent to a joint parliamentary committee for further deliberation on its provisions.

Why government withdrew the Personal Data Protection Bill?

• The Personal Data Protection Bill 2019 was under consideration by the joint parliamentary committee (JPC), and had been “deliberated in great detail”. It had proposed major amendments as well as recommendations for a comprehensive legal framework for the digital ecosystem.
• Considering the report of the JCP, the government has decided that there is a need for a ‘comprehensive legal framework’, so it has decided to withdraw the bill and decided to start afresh.

Concerns Regarding the Policy:

• Lack of Data Protection Law: Any data accessibility-and-use policy is incomplete without adequate public safeguards provided through a comprehensive data protection framework. Unfortunately, the progress on that front has been slow.
• Misuse of Data: There are also issues of conflict of interest and misuse of such data for commercial or political purposes.
• Citizens’ Attempts to Obtain Public Data: Administrative control over data has also been used to thwart attempts by users and citizens to obtain data for public use.
• Disregards Reliable Independent Surveys: Public data has often been used to discredit independent credible surveys, rather than complement them. Such records are often used to suit a political narrative.
• Impact of Commercial Interests in Data: Given that more data means more money, commercial interests will prompt the government to collect granular personal details through greater capture and increased retention periods. Over time, the original objectives for which databases are built will get diluted in favour of commercial interests.
• Federalism: The policy, even notes that the State governments will be, “free to adopt portions of the policy,” but it does not specify how such freedom will be realized.

What did the JCP recommend?

• Broader Data Protection: JCP has expanded the scope of the proposed law to cover discussions on non-personal data — thereby changing the mandate of the Bill from personal data protection to broader data protection.
• Trusted Hardware: It has also recommended changes on issues such as regulation of social media companies, and on using only “trusted hardware” in smartphones, etc.
• Provision of regulation for social media: Changes on issues such as the regulation of social media.
• Social media as a content publisher: It has been proposed that social media companies that do not act as intermediaries should be treated as content publishers. Thus, making them liable for the content they host.
• Inclusion of non-personal data: JCP has recommended the inclusion of non-personal data.

How is personal data regulated presently?

• As of now the usage and transfer of personal data of citizens are regulated by the Information Technology (IT) Rules, 2011, under the IT Act, 2000.
• The rules hold the companies using the data liable for compensating the individual, in case of any negligence in maintaining security standards while dealing with the data.

Issues with IT Rules, 2011

• The IT rules were a novel attempt at data protection at the time they were introduced but the pace of development of the digital economy has shown its shortcomings.
• For instance, (i) the definition of sensitive personal data under the rules is narrow, and (ii) some of the provisions can be overridden by a contract.
• Further, the IT Act applies only to companies, not to the government.

Conclusion:

Legislation with imperfections may institutionalize bad privacy practices. Seeking changes in the law at a later date may be difficult.  But we must not foresee the relentless pace of digitization, that relies on gathering personal data in all spheres of our lives — agriculture, education, financial records, health, welfare, and labour benefits. If all of this is done in a legal vacuum, without any oversight or remedy, then it must require immediate action.