Data protection is a dynamic field constantly challenged and influenced by technological advances and innovation in business practices. Globally, there is a general recognition that there should be some law regarding cross-border data transfers, but a wide variety of perspectives exist. Likewise, India has patiently awaited a meaningful legal discourse on Data Protection. Almost after five years, on 3 August 2022, the Government of India withdrew the Data Protection Bill 2021. The Minister for Communications and Information Technology, Mr Ashwini Vaishnaw, said, at the time of withdrawal that the Joint Committee of Parliament (JPC) had proposed 81 amendments and 12 recommendations for the Bill. It is evident that the Government of India felt it needed to take a fresh look at the proposed legal framework. Unfortunately, this decision comes after spending years and hours deliberating, debating, setting up committees, observations by civil society organisations and white papers, just to lead to a major setback. The withdrawal also comes with a heavy cost on account of people enjoying their fundamental right to informational privacy. The question remains unanswered: What really went wrong, considering the amount of time and resources invested in the Bill?
The reception to the Bill had been mixed from its inception. The proposed law had “inherent design flaws”.[i] It could have turned India into an “Orwellian State”[ii] as it provided the Government with sweeping exemptions.[iii]Unfortunately, instead of going through the amendments suggested by the JPC, which would have been a less time-consuming and less expensive process, the complete withdrawal of the Bill has again created uncertainty. It also raises far more fundamental questions about India’s overall legislative strategy [iv]. India has been working to develop a robust data protection regime for the last few years. Even though India’s privacy jurisprudence goes back several decades [v], the notion of informational privacy has only become relevant in the past decade. The jurisprudence changed in 2017 when India’s Supreme Court, in Puttaswamy vs UOI [vi](2017), held a citizen’s right to privacy as a fundamental right under Article 21 of the Constitution of India. The judgment also declared that informational privacy is a subset of the right to privacy.
Indian Data Protection regime timeline:
On 31 July 2017, the Ministry of Electronics and Information Technology (MeitY) Constituted a Committee of Experts(J. Srikrishna Committee), which was chaired by Justice B.N. Srikrishna, to recognise the importance of the data protection regime in India. Later that same year, on 24 August 2017, the Supreme Court in Justice KS Puttaswamy V. Union of India (Right to Privacy Judgement) unanimously declared privacy a fundamental right protected under the Indian Constitution. Subsequently, on 27 July 2018, The J. Srikrishna Committee proposed the Draft Personal Data Protection Bill, 2018. A revised Draft of the Personal Data Protection Bill 2019 was introduced on 11 December 2019. Soon after, this draft was sent to the JPC for review from both houses of Parliament. After two long years, the JPC shared the new and revised version of the Data Protection Bill, 2021, only to be withdrawn on 3 August 2022 after years of deliberations. An observation to keep in mind while we reflect on the timeline is that, after a series of discussion, the drafts hardly seem to be in sync with all the recommendations and suggestions laid down by the JPC.[vii]
Initially, when the Personal Data Protection Bill 2019 was introduced in the Indian Parliament on 11 December 2019, its provisions were similar to the EU’s General Data Protection Regulation (GDPR).[viii] The Bill was designed to protect citizens’ data and the cross-border flow of data. The Bill carved out many rights and obligations concerning businesses and individuals. It created a Data Protection Authority (DPA), which would have been responsible for regulating the interests of individuals when it came to data protection. The Bill was also modelled around the Asia-Pacific Economic Cooperation (APEC) Privacy Framework.[ix] The objective of the Bill was to develop a regulatory framework to ensure the growth of the digital economy while keeping citizens’ personal data secure and protected.
After multiple revisions, the scope of the Bill was broadened in 2021 to include non-personal data as well. This was not envisioned in the previous versions of the draft bill. Referring to the J. Srikrishna Committee’s report, the committeehad refrained from including non-personal data to be governed under the same ambit as personal data.[x] They even set up the Non-Personal Data Committee (NPD Committee) to handle all issues concerning non-personal data.[xi] This move was unprecedented compared to international legal frameworks such as the General Data Protection Regulation(GDPR). The GDPR applies only to personal data, whereas a separate regulation on the free flow of non-personal data governs the free movement of non-personal data in the EU.[xii]
Generally, the data protection law at its heart has the principle of consent.[xiii] It is imperative that while collecting as well as processing any personal data, consent from the data subject should be taken freely.[xiv] Secondly, the purpose or the reason for collecting and processing data should be worded clearly.[xv] The Bill had adopted a few standard clauses; however, in its present form, it had allowed the non-consensual processing of data but failed to address the reasons behind the broad exemptions. There were apprehensions about the misuse of the exemption clause concerning “public order”.[xvi] Any exemptions made by a government entity must stand the test of proportionality and necessity. Such extensive exemptions may also lead to mass surveillance cases without a procedure laid down by law.[xvii] The exemptions which empower governments to exempt “any agency” of the Government would only hamper the rights of individuals under the garb of data protection, making the regime trivial.
Similarly, clauses 12 and 35 of the Bill gave the Central Government overreaching powers that could undermine the fundamental right to privacy provided under Article 21 of the Indian constitution. The Central Government’s ability to process individuals’ personal data without their consent is outlined in clause 12 of the Bill. This clause would have allowed the Government to process personal data for the provision of any service or benefit provided by the state to the data principal under any law currently enforced by Parliament or by the state legislature and in compliance with any order by India’s courts. Clause 35 of the Bill renders the Central Government, or any of its agencies, exempt from the act in circumstances where it is necessary to protect the sovereignty, integrity and security of the Indian state. This clause effectively removes the Central Government from the full scope of the Bill. Central Government could have used this exemption as a surveillance tool as well. The Government of India failed to appreciate or ignore the significance of the proportionality principle in data protection. Furthermore, the Bill also made a separate classification of “government data fiduciaries”, which would be liable for any breach. This would have led the head of the government data fiduciaries to conduct an in-house enquiry to decide on the penalties and liabilities.[xviii] Such instances would have only led up to distrust in the state.
Another point of contention was the selection of members under the Data Protection Authority (DPA). The DPA was the regulatory authority established under the Bill, which regulated and governed the rights of individuals.[xix] The independence of the DPA should have been one of the topmost priorities. Conversely, the composition of the members was based on the executive-led committee. Contrary to the suggestions made by the Expert Committee, which suggested the DPA be an independent body, the Bill still advocates the intervention by the executive and is bound by the decisions of the Central Government.[xx] As the responsibility of the DPA would have been to regulate not only the private entities but also the processing of data by government entities, the independence of the DPA from the Government is non-negotiable. Secondly, in addition to the large volume of data produced in India, the scope of the DPA’s powers was so wide, that the implementation of every aspect would have been burdensome. We have noticed that countries with a data regulation system find it challenging to conduct regulatory impact assessments.[xxi]
Additionally, the Bill went ahead and broadened the scope of social media intermediaries by making them equivalent to publishers accountable for the content they host. Previously, the J. Srikrishna Committee report did not refer to social media intermediaries except for setting a process for children’s personal data.[xxii] Section 79 of the Information Technology Act (IT Act) currently provides a ‘safe harbour’ against liability for content posted on their platforms by third parties, including users, so long as the intermediaries keep specific due diligence in mind.[xxiii] The Bill seems to be pushing for stringent liabilities for social media platforms. This step would have created another layer of compliance for social media platforms leading to additional costs and challenges such as lack of anonymity online.[xxiv]
In the day and age of globalisation, the Bill also proposed strict regulations on cross-border data flow beyond the Indian jurisdiction. A mandate related to Data Localisation might strengthen state control. Still, it negatively impacts the rise of digital disruptions, trade and investments.[xxv] Under the reasons for withdrawal, the Ministry of State for Electronics and Technology made it clear that the current form of the Bill would have hurt the start-up culture as it was too “compliance intensive”.[xxvi]
What does the Future hold for Data Protection in India?
As India marked the fifth year of the Puttaswamy verdict last month, the sentiment behind the formation of the Bill was undoubtedly positive; hence, the withdrawal of the data protection bill comes with a huge setback. Currently, the Information Technology Act 2000 (IT Act, 2000) governs disputes related to a data breach; however, the ambit of the IT Act 2000 is not wide enough to encompass sensitive issues involving data breaches. There are deliberations that the IT Act, 2000 is going under a makeover, ensuring that we are moving in the right direction in employing policies around technological advancements.
With corporates around the world working towards implementing compliance in line with the GDPR, it becomes a necessity for India to introduce a policy to govern citizens’ personal data sooner than later. A delay in introducing a data protection law would only cause a delay in the individual’s enjoying their right to informational privacy. Recently, the Delhi High Court dismissed the plea against WhatsApp and Facebook, challenging a Competition Commission of India (CCI) order calling for an investigation into the messaging apps’ new privacy policy.[xxvii] The new privacy policy of WhatsApp( owned by Facebook) has left users in a dilemma of choosing between convenience and privacy.[xxviii]Similarly, the Indian Railway Catering and Tourism Corporation (IRCTC) has also withdrawn a contentious tenderintroduced to monetise customer data over privacy concerns. This step was after the non-approval of the data protection bill. With no policy around data protection, it seems that the courts and other governing bodies are unsure how to handle the cases related to data breach and privacy. Thus, indicating an urgent need for a data protection law in India.
The MeitY has stated that the draft of the new data protection bill has already begun and is likely to be one of the four new laws related to digital technology, telecom, social media and privacy.[xxix] It will soon be released for public consultation and presented in the forthcoming sessions.[xxx] Looking back at the journey of the data protection regime in India, one can only be hopeful that the new draft does not overlook the past flaws and does not take another half a decade to be introduced. For now, India has to wait and watch until the new and improved data protection law is presented to ensure that the right to informational privacy is not up for sale.
[i] See Data Protection Bill Has “Design Flaw”: Congress MP To Joint Parliamentary Panel. https://www.ndtv.com/india-news/manish-tewari-data-protection-bill-has-flaw-congress-mp-to-joint-parliamentary-panel-2621535. See also http://dpa2021.in/dpa2021_ed.pdf
[ii] See Mahua Moitra says Data Protection Bill is ‘Orwellian’, files dissent note, https://www.indiatoday.in/india/story/mahua-moitra-data-protection-bill-orwellian-dissent-note-1879773-2021-11-23
[iii] Data protection bill: Five MPs file dissent notes in final report. https://www.hindustantimes.com/india-news/data-protection-bill-five-mps-file-dissent-notes-in-final-report-101637606270285.html, See also
[iv] Dipika Jain, Law-Making by and for the People: A Case for Pre-legislative Processes in India, Statute Law Review, Volume 41, Issue 2, June 2020, Pages 189–206, https://doi.org/10.1093/slr/hmz005
[v] Gautum Bhatia, State Surveillance and The Right to Privacy in India: A Constitutional Biography. National Law School of India Review, Volume 26, Issue 2, 2014, Pages 127–158. http://www.jstor.org/stable/44283638
[vi] K. S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors. (2017)10 SSC 1
[vii] See Clause-wise mapping of the JPC’s recommendations on India’ data protection law https://www.ikigailaw.com/wp-content/uploads/2021/12/Clause-wise-JPC-recommendation-cover_merged.pdf
[viii] https://gdpr.eu/tag/gdpr/
[ix] See APEC Privacy Framework. https://www.apec.org/docs/default-source/Publications/2005/12/APEC-Privacy-Framework/05_ecsg_privacyframewk.pdf
[x] The J Srikrishna Committee Report had left the ambit of non-personal data to the ‘wisdom of a future committee in the hope that they will be duly considered.’ See Page 13 https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf
[xi] Report by the Committee of Expert on Non-Personal Data Governance Framework https://static.mygov.in/rest/s3fs-public/mygov_160922880751553221.pdf
[xii] Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union. http://data.europa.eu/eli/reg/2018/1807/oj See also https://digital-strategy.ec.europa.eu/en/policies/non-personal-data
[xiii] Article 7 of GDPR, https://gdpr-info.eu/issues/consent/
[xiv] Article 7 GDPR read with recital 32 of the GDPR. https://gdpr-info.eu/recitals/no-32/
[xv] Ibid.
[xvi] Ibid.
[xvii] Ibid.
[xviii]Cl. 86 of the Data Protection Bill, 2021(Now Withdrawn).
[xix] Cl. 41 and 42 of the Data Protection Bill, 2021(Now Withdrawn).
[xx] Cl. 86 of the Data Protection Bill, 2021(Now Withdrawn).
[xxi] Data Sharing code of Practice, (Impact Assessment), 18 May 2021 https://ico.org.uk/media/for-organisations/2619796/ds-code-impact-assessment-202105.pdf
[xxii] A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians, Committee of Experts Under the Chairmanship of Justice Srikrishna, see Page 43. https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf
[xxiii] Section 79 of The Information Technology Act, 2000. (Exemption from Liability of Intermediary in certain cases)
[xxiv] Deep Dive: How India’s Data Protection Bill Impacts Social Media Platforms, https://www.medianama.com/2022/03/223-deep-dive-data-protection-bill-impact-social-media-platforms/
[xxv] GDPR -loving EU says India’s data localisation unnecessary https://economictimes.indiatimes.com/tech/internet/gdpr-loving-eu-says-indias-data-localisation-unnecessary/articleshow/66725579.cms
[xxvi] Complicated data protection bill would have hurt startups: Rajeev Chandrasekhar, https://www.moneycontrol.com/news/business/complicated-data-protection-bill-would-have-hurt-startups-rajeev-chandrasekhar-8947571.html
[xxvii] WhatsApp, Facebook Plea Against Probe into Privacy Policy Dismissed. https://www.ndtv.com/india-news/delhi-high-court-whatsapp-facebook-plea-against-probe-into-privacy-policy-dismissed-3284684
[xxviii] WhatsApp’s New Privacy Policy: Should You Accept It? https://gadgets360.com/apps/features/whatsapp-privacy-policy-update-facebook-chats-may-15-2441943
[xxix] Govt ‘readying 4 comprehensive laws to cover digital tech space’-Business Journal. https://business-journal.in/economy/govt-readying-4-comprehensive-laws-to-cover-digital-tech-space-business-journal/
[xxx] New data bill draft is almost ready: IT Minister Ashwini Vaishnaw. https://economictimes.indiatimes.com/tech/technology/new-data-bill-draft-is-almost-ready-it-minister-ashwini-vaishnaw/articleshow/93330800.cms
Pardon Our Silence! 