India Scraps National Data Protection Bill, to Present New Draft

Indian Flag Waving in the Wind

The Indian government withdrew its heavily criticized Personal Data Protection Bill on Wednesday, stating that it plans to introduce new legislation instead.

India has worked on creating a personal data protection framework for over five years. India’s IT Minister, Ashwini Vaishnaw, who announced that the Bill has been withdrawn, said work is ongoing to create a comprehensive legal framework for India’s digital ecosystem.

Vaishnaw told Reuters that a draft of the new data protection bill will be presented to Parliament in early 2023.

The defunct Personal Data Protection Bill was widely scrutinized after it was first presented to Parliament in December 2019. Policymakers, the private sector, and advocacy groups expressed concerns about certain sections of the Bill.

It is unclear if the Bill will be scrapped altogether, or if it will serve as a basis for the new draft. In the short term, this means that India continues to function without a data protection law.

India’s Personal Data Protection Bill: The Story So Far

The Personal Data Protection Bill was India’s attempt to control how individuals, businesses, and the government treat the personal data of its citizens. Much like the GDPR, the EU’s personal data protection law, the Bill laid out stringent requirements for cross-border data flow—i.e., the transfer of Indian citizens’ data outside the country.

The data protection bill was the result of a long process that began in 2017 when India’s Supreme Court ruled that the right to privacy is a fundamental right. Although the government presented the Bill to Parliament for discussion in December 2019, it was never officially made law.

The Bill has been dissected by stakeholders. It was sent to a Joint Parliamentary Committee (JPC) for their comments and recommendations. During this time, the bill was subject to a rigorous public consultation process, where private organizations and civil society bodies sent in their comments and made presentations to the JPC.

Concerns About the Personal Data Bill

The Bill received a lot of backlash for providing broad exemptions to the Indian government. Under the Bill, government agencies could bypass data processing requirements for the benefit of “national security” and the “sovereignty of India,” neither of which was clearly defined.

A key point of contention for tech companies was the inclusion of non-personal data in the bill. Companies consider non-personal datasets their intellectual property.

In November 2021, the JPC submitted its report, containing its recommendations and a new draft of the Bill. The new draft officially sought to extend the scope of the law to include non-personal data, and also regulate hardware manufacturers, and IoT devices.

However, this draft came under heavy criticism. Many stakeholders complained that it put the government’s interests ahead of actually protecting Indians’ personal data. Consequently, the government did not put the new version of the bill up for a vote in Parliament.

“The Personal Data Protection Bill, 2019 was deliberated in great detail by the Joint Committee of Parliament 81 amendments were proposed and 12 recommendations were made towards comprehensive legal framework on digital ecosystem. Considering the report of the JCP, a comprehensive legal framework is being worked upon. Hence, in the circumstances, it is proposed to withdraw the ‘Personal Data Protection Bill, 2019′ and present a new bill that fits into the comprehensive legal framework,” Vaishnaw said.

Government to Widen Ambit, Create Law for India’s Digital Ecosystem

The Indian government’s focus seems to have shifted from personal data protection to the broader Internet ecosystem. The new framework will likely cover subjects such as non-personal data, cybersecurity, data breach reporting, and regulations for hardware manufacturers.

Member of Parliament, PP Chaudhary, who was the chairperson of the JCP, pointed out the need for a completely new bill to properly incorporate all the committee’s recommendations.

“The JCP had recommended a number of changes to the Bill and it would have been difficult for the government to add all those things in the final legislation. It would have also made it very complex to debate in Parliament,” Chaudhary explained.

Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.