Apar Gupta

On Wednesday, the Minister for the Ministry of Electronics and IT (MEITY), Ashwini Vaishnaw, withdrew the Personal Data Protection Bill, 2019. The reasons for the withdrawal were circulated in a note to MPs, which stated that,“considering the report of the JPC (Joint Parliamentary Committee), a comprehensive legal framework is being worked upon…”. The decision lays waste years of labour and deliberation on a law essential for the protection of every Indian in a digitised society. Hence, it is important for us to understand its implications by first taking into account why the Personal Data Protection Bill, 2019 was introduced in Parliament, and second, whether its withdrawal is justified.

A proposal for a data protection framework was first considered in 2011 when a draft was coordinated through the Ministry of Personnel, Public Grievances and Pensions. Alongside this, an expert committee headed by Justice (retd) A P Shah recommended in October, 2012,“a detailed framework that serves as the conceptual foundation for the Privacy Act”. This did not come to fruition, with proposals buried by 2014 due to objections from the intelligence establishment on surveillance reforms. While petitions on the constitutionality of Aadhaar and the right to privacy were pending before the Supreme Court, the Union government constituted an expert group headed by Justice (retd) B N Srikrishna in July, 2017. At the time of the constitution of this panel, the then minister for MEITY, Ravi Shankar Prasad stated that “data protection law… will set a global benchmark.” (IE, September 9, 2017). In August, a nine-judge bench unanimously pronounced the Puttaswamy judgment that reaffirmed the fundamental right to privacy for the autonomy, dignity and liberty for every Indian. Justice D Y Chandrachud, who authored the majority opinion, noted the formation of the Srikrishna Committee as a positive obligation on the government to enact a law for informational privacy. This buoyed hopes when the report by the Srikrishna Committee was submitted in July 2018, as it was welcomed by Prasad, who said, “It is a monumental law and we would like to have the widest parliamentary consultation”.

In December 2019, Prasad introduced the Personal Data Protection Bill, 2019 in Parliament. It contained changes that were termed “Orwellian” by Justice Srikrishna. Entering a parliamentary labyrinth, the draft law was referred to a JPC of 30 MPs that submitted a report after two years and 78 sittings on December 16, 2021. The JPC report available contains 97 amendments, 93 recommendations and seven dissent notes. There was a clear tilt in favour of national security and corporate profit at the cost of a citizen-centric law. Thereafter, Justice Srikrishna remarked, “I said earlier when I saw the 2019 draft that it is sliding into the Orwellian state, and this proves my point.” Rather than fixing such flaws, the Union government has decided to withdraw the proposal itself. What is obvious is a public policy paralysis on data protection with conflicting statements emerging from MEITY. For instance, as recently as February this year, Vaishnaw had stated that “our target (to pass the Data Protection Bill) was actually this Budget session itself. But, definitely, by the Monsoon Session”. With the withdrawal in Parliament on August 3, it almost seems institutional processes, in which all three branches of government worked for years, are being jettisoned in favour of “a comprehensive legal framework”. Is this justified? Surely, with the exponential pace in the technology sector, a government can change its mind. What if the draft bill and JPC recommendations were awful and the government acted responsibly to proceed with a tabula rasa?

Let us first deal with the express reasoning provided to justify the withdrawal of the bill. That it draws support from JPC recommendations. This is incorrect as the final recommendation by the JPC is for, “the Bill as amended after inclusion of suggestions/recommendation made by the committee be passed”. The JPC has nowhere suggested a withdrawal in favour of a “comprehensive legal framework”, but on the contrary pitched for the Bill to “be passed”. The proper course was to consider the JPC’s recommendations including the dissent notes and expert analysis, redraft and introduce a new Data Protection Bill. To build stakeholder confidence and clear doubts on specific provisions, a public consultation could have been organised.

Second, with the government setting the goal of a one trillion dollar digital economy, fears of a compliance burden can impede innovation and growth. Here, detailed reasoning is available in the Srikrishna Committee’s report as well as a growing international consensus suggesting that next-generation innovation in technology needs data protection. Just like renewable energy or green emission norms, regulatory intervention will improve business practices requiring engineering decisions that focus on user trust.

Third, with the imperfections within the Personal Data Protection Bill, 2019 and even the JPC report, there exists a reasonable argument that if passed into law, it may institutionalise bad privacy practices. Here, seeking changes in the law at a later date may be difficult. Such a line of reasoning fails to recognise that institutional memory develops through reasonable due diligence and experience. Legislative foresight is limited and no law is perfect, which is why there exist parliamentary amendments and judicial review. Today, there is a relentless pace of digitisation that relies on gathering personal data in all spheres of our lives — agriculture, education, financial records, health, welfare and labour benefits. This is through portals, policies and even laws that have been passed in haste. A case in point is the collection of biometric samples for storage in electronic databases under the Criminal Procedure Identification Act, 2022 or the linking of Aadhaar with voter records under the Election Laws (Amendment) Act, 2021. All of this is done in a legal vacuum without any oversight or remedy.

Finally, there is a conscious omission of the contours of this “comprehensive legal framework” and any timeline assured either on the floor of Parliament or through an official statement published by MEITY. It’s reasonable to ask: Who benefits from further delay and a status quo in the unregulated collection and exploitation of personal data of millions of Indians?

Gupta is the Executive Director and Panjiar is an Associate Counsel at the Internet Freedom Foundation