On August 3, 2022, the Government withdrew the Personal Data Protection Bill, 2021 (“the 2021 Bill”). It would not be an exaggeration to say that no other Bill has undergone such extensive scrutiny and discussion among various segments of stakeholders. The Personal Data Protection Bill (“the PDP Bill”) was first introduced in Parliament on December 11, 2019. It was referred to a Joint Committee of both Houses of Parliament (JCP) for examination, which then made 81 recommendations, containing 99 sections of which 12 major recommendations were for changes. Thereafter, the JCP submitted its report along with the 2021 Bill on December 16, 2021. The 2019 and 2021 versions of the PDP Bill have been preceded by extensive stakeholder consultations.
The 2021 Bill has had its fair share of criticism. The consensus during the public discourse had been that the 2021 Bill (along with the 2019 version) had significantly diluted the enforceability of personal privacy as a fundamental right against state action and would thus be liable to a constitutional challenge. Stakeholders in general and Big Tech also raised concerns about recommendations for data localization. It was their concern that mandatory data localization requirements and restrictions on cross-border data transfers in the 2021 Bill were rigid obligations that would weaken privacy protection. They also felt that these would impede interoperability with emerging international norms and practices impacting India’s economic opportunities. Indian tech start-ups felt that the compliance burden on them would be disproportionately high; civil society criticized the overriding powers given to central law enforcement agencies; and the industry at large was uncomfortable with the criminal liability attached to directors of companies for willful offences.
While the withdrawal of the 2021 Bill came as a surprise to most, the Government clarified that drafting a new Bill would be easier than doing extensive patchwork on the 2021 Bill.
The timeline of the new Bill
The Minister of State for Electronics and Information Technology (MeitY) stated that a new draft of the Bill is ready, and that the consultation process would not take long since all the key issues have been discussed threadbare. More than 70 countries around the world have data protection regulations in place at various stages of implementation. In India’s neighborhood, Sri Lanka passed its data protection bill in March 2022; Pakistan has a draft bill ready, and Bangladesh has a proposed act. India, therefore, cannot afford any delays here, especially because it is a hub of data processing and the BPO industry.
Tweaks in the new Bill
Information technology and the use of data now cut across all industries and society. Different regulators have had different norms for parameters like data storage, data localization, encryption, etc. Besides these sectoral regulations, the Information Technology Act (“the IT Act”) also provides a patchwork of regulations for the protection of sensitive personal data. But an overhaul of the IT Act has been long overdue, especially with the emergence of the latest technologies such as AI and blockchain.
Bringing out a data protection law without concomitant changes in the IT Act could have led to a legal infirmity. It appears that the Government might wish to simultaneously revamp the IT Act and bring the patchwork of regulations across a spectrum of different regulators under a unifying code.
The new Bill may also seek to protect the interests of the start-up ecosystem by carving out regulatory sandboxes and keeping the threshold of significant data fiduciary high enough to protect them.
Guidance for Firms:
1. Data is now recognized as a critical asset for every form of human enterprise (industry, government, NGOs, etc.). Hence, its proper handling has become the subject of legislation and debate around the world.
2. Since this is an unstoppable trend, all enterprises should start thinking in terms of their data estate, the role of data in their operations, and its safe storage and disposal.
3. Being compliant with data protection standards is gradually becoming a basic requirement to do business with companies in Europe and other geographies as well. Therefore, not being compliant with data protection regulations could be detrimental to business.