
The Past, Present and Future of India's Personal Data Protection Bill

Dec 8, 2021 5:58 AM

After a two-year-long wait, the Joint Parliamentary Committee (JPC) - constituted to frame a comprehensive personal data protection (PDP) law for India - has adopted a final version of the proposed Bill.

This final iteration is widely expected to be tabled in the Parliament during the ongoing Winter Session. The latest draft has already sparked controversy, with fears that it may give a “blank slate to the State”.

The What's What of Personal Data Protection

Before we delve into the past, present and future of the PDP Bill, here’s a little data-related terminology that you may want to keep in mind...

  • Personal Data is simply data that comprises personal information. E.g., your Aadhaar card.
  • Non-Personal Data is a little trickier to describe. The JPC is reportedly defining "all data that doesn’t personally identify a user" as non-personal. For example, data collected by a website or food-delivery app regarding people's age, gender or product preferences can be considered "non-personal" if it doesn't include identity markers like names or contact information.
  • Data Principal refers to the person to whom the data in consideration belongs (e.g., you, if the data in question is your WhatsApp chats).
  • Data Fiduciary is an entity that controls the various aspects related to data storage. It also defines how the data can be processed. E.g., WhatsApp.
  • Data Processor is an entity that processes the data on behalf of someone else. E.g., WhatsApp again or, if Mr. Zuckerberg decides to sell your data to someone else, that third party.
  • Data Protection Authority (DPA) is a (proposed) regulatory body that would be empowered to oversee the implementation of the future PDP Law, whenever that might see the light of day.


But Why Does India Even Need a Personal Data Protection Law?

An increasingly digital economy requires set guidelines and regulations for market players to follow to avoid the misuse of personal and non-personal data.

For a country that's mobile-first and whose regulations and welfare schemes are built atop the Aadhaar and mobile ecosystem, regulatory unambiguity in the digital space becomes all the more necessary. Especially at a time of increasing data breaches and when issues such as data localisation and data collection by Big Tech companies have sparked diplomatic tensions and tit-for-tat trade levies (remember the Google Tax?).

Significantly, a PDP Law is also necessary to protect citizens from the State and to ensure that the Right to Privacy is a right that every Indian actually enjoys. Case in point: the Pegasus spyware scandal. After all, your data is also not just with Google or Amazon. It's (more so) with GoI - think Aadhaar, Passport Seva, National Digital Health Mission, Aarogya Setu, CoWin, RuPay, NPCI etc.

Simply put, in a democracy with 700 million+ internet users and 400 million+ smartphone users, well-defined and well-guarded digital rights are non-negotiably crucial.

FYI: Presently, India does not have any legislation exclusively governing privacy or data protection. Provisions within the Information Technology Act, the Indian Contract Act and the IPC are currently referred to for precedents on these subjects.

FYI #2: According to UNCTAD, 128 out of 194 countries have in place legislation (both exclusive and otherwise) to secure the protection of data and privacy.


The Road to Personal Data Protection

In 2017, a nine-judge bench of the Supreme Court ruled in KS Puttaswamy vs. Union of India that privacy was a fundamental right under Articles 14, 19 and 21 of the Constitution. Around the same time, the EU began enforcing its General Data Protection Regulation (GDPR), which in turn inspired privacy-related legislations across other countries (hello, Brussels effect).

During the hearings at the apex court, the Union Government announced the formation of a 10-member expert committee to frame a comprehensive data protection legislation. Retired Supreme Court judge BN Srikrishna was picked by the Ministry of Electronics and Information Technology (MeitY) to lead this group.

However, there were efforts to frame a PDP Law as early as in 2011, when the Department of Personnel and Training (which oversaw privacy regulation before MeitY) proposed a draft - and another one in 2014. And in 2012, the Justice AP Shah Committee outlined nine points that it deemed central to ensuring citizens’ privacy. Just last year, even as the JPC was holding its discussions, a committee formed by the IT Ministry under Infosys co-founder Kris Gopalakrishnan probed the merits of regulating non-personal data.

The Srikrishna Committee submitted its draft (pdf) of the PDP Bill in July 2018, along with a report (pdf) titled “A Free and Fair Digital Economy”. A month later, GoI invited public comments on the draft. While there were reportedly 600+ submissions, these were not made public.

In late 2019, the Bill was referred to the JPC, initially headed by Meenakshi Lekhi, who was earlier this year replaced by PP Chaudhary.

The 30-member JPC (composition) got five tenure extensions and reworked the original Srikrishna draft extensively. During the course of its proceedings, it has heard arguments from Government agencies (UIDAI, NIA, RBI, NCB, various Ministries etc.) as well as representatives from private stakeholders (Facebook, Google, Twitter, Amazon, Visa, Mastercard, Paytm etc.).

All in all, by the time the JPC adopted a final draft last month, it had recorded 78 sittings. The Bill itself counted 99 clauses and at least 93 recommendations.


What Did the First Draft Personal Data Protection Bill Say?

The Srikrishna Committee’s draft of the PDP Bill defined personal data as any information "about or relating to a natural person who is directly or indirectly identifiable" and is linked to any "characteristic, trait, attribute, or any other feature of such natural person's identity, whether online or offline".

When the first draft was finally tabled in Parliament in December 2019, it elicited a fair bit of criticism. Vague data localisation provisions, non-applicability to anonymised aka non-personal data, and the lack of independence of the proposed DPA were some issues (here’s an explainer). The biggest red flag, however, pertained to Articles 12(a) and 35 of the Bill.

The first allowed the State to process personal data without the consent of the data principal (i.e., you and me), for “the performance of any function of the State authorised by law [or] the provision of any service or benefit to the data principal from the State [or] the issuance of any certification, licence, or permit by the State.” This exemption was also extended to employers for recruitment, verifying attendance, performance assessment, and other “reasonable purposes”.

Meanwhile, Article 35 gave the Union Government an exemption from the law’s provisions "in the interest of India's sovereignty and integrity, the State's security, friendly relations with foreign states, public order, and if it is satisfied that it is necessary or expedient to do so, subject to procedures, safeguards, and oversight mechanisms to be prescribed by the Government".

Both these clauses raised privacy activists’ eyebrows. Broadly exempting the Government from the law with wide-ranging and ambiguous statements is not a recipe for reliable privacy enforcement. It’s a recipe to give the State enough leeway to violate a fundamental right without the fear of being held accountable. Which was concerning, simply because no entity has as extensive and sensitive a data repository as the Union Government (although Big Tech may give GoI a run for its money...).


What Does the Latest Draft Personal Data Protection Bill Say?

The full version of the latest draft is still not in the public domain, but media reports claim the JPC has widened its scope by including non-personal data (ergo, making it a Data Protection Bill rather than just a Personal Data Protection Bill).

While the flurry of headlines can only be confirmed once the draft is finally released and tabled in Parliament, reports also suggest that the new Bill could recommend that social media companies (1) be barred from functioning in India without setting up offices in the country, and (2) be treated as "publishers" rather than intermediary platforms to hold them accountable for the content distributed on their platforms.

Also on the table are suggestions for the creation of an indigenous payment system à la SWIFT for cross-border payments, digital certification of IoT and other digital devices by the DPA, requiring entities that deal with children's data to register with the DPA, and the localisation of sensitive data.

Expect the new PDP Bill to also elicit strong objections from various quarters. Justice Srikrishna has characterised it as “Orwellian”, saying the “hotchpotch” legislation is “loaded in favour of the Government”. Seven members of the JPC have reportedly dissented to the version adopted. Their reservations, as presently known, can be divided into three categories.

One, the issue with the Bill granting Government agencies too much leeway remains. Two, the possibility that the JPC may be straying beyond its ambit by adding provisions on intermediary liability. And three, the absence of state-level DPAs might lead to the Union Government overriding states on privacy matters.


Will India Have a Personal Data Protection Law By Year-End?

The JPC has reportedly asked for time till the last week of the Winter Session to table its report. Some media reports suggest the Committee could table its report on December 21st - only two days before the session is scheduled to end. While an extension of the session could be moved to debate the Bill, considering the current Lok Sabha's unhealthy predisposition to pass Bills hastily (without even having MPs read it in some cases), it's not unthinkable for the Bill to become a Law on the very same day that it is tabled. :)

That said, it's relatively unusual at this point in time for a legislation to be referred to a committee in the first place. In the 16th Lok Sabha (2014-19), a meagre 25% of Bills were referred to committees. This number for the previous two Lok Sabhas was 71% and 60% respectively. Last year, no Bills were referred to a committee.

So the very fact that the PDP Bill was referred to a JPC might bode well for debate and deliberation in the near-term. But considering Parliament’s record, it’s best not to get your hopes up.

