After nearly four years of being in the works, the Personal Data Protection Bill was withdrawn from Parliament by the government on Wednesday. IT Minister Ashwini Vaishnaw, who moved for the Bill’s withdrawal, said the government will come out with a “set of fresh legislations” that will fit into the comprehensive legal framework for the digital economy.
Quoting sources, news agency PTI said the government would hold a wide public consultation before putting the new legislation to Parliament. They added that the Bill could be replaced by more than one Bill, dealing with privacy and cyber security, and that the government may bring the new set of Bills in the Winter Session of Parliament.
The government circulated among members a statement, containing reasons for withdrawal of the Bill, which was introduced on December 11, 2019, and was referred to the Joint Committee of the Houses for examination. The report of the JCP was presented to Lok Sabha in December 2021. According to the statement circulated to Lok Sabha members on Wednesday, the 2019 Bill was deliberated in great detail by the JCP, which proposed 81 amendments and 12 recommendations for a comprehensive legal framework for the digital ecosystem.
News18 takes a look at the withdrawn Bill and what it proposed:
What did the Bill propose?
The withdrawn Bill had proposed restrictions on the use of personal data without the explicit consent of citizens. It had also sought to provide the government with powers to give exemptions to its probe agencies from the provisions of the Act, a move that was strongly opposed by the opposition MPs who had filed their dissent notes.
It had also proposed to specify the flow and usage of personal data and to protect the rights of individuals whose personal data are processed, while working out a framework for cross-border transfer and the accountability of entities processing data, and it mooted remedies for unauthorised and harmful processing.
The Bill sets out certain rights of the individual (or data principal). These include the right to: (i) obtain confirmation from the fiduciary on whether their personal data has been processed, (ii) seek correction of inaccurate, incomplete, or out-of-date personal data, (iii) have personal data transferred to any other data fiduciary in certain circumstances, and (iv) restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.
The original Bill, which was first tabled in 2019, included exemptions for processing data without an individual’s consent for “reasonable purposes”, including security of the state, detection of any unlawful activity or fraud, whistle-blowing, medical emergencies, credit scoring, operation of search engines and processing of publicly available data.
Who all had to comply with it?
Indian and foreign companies dealing with the data of Indian citizens had to comply with the now-withdrawn Bill. This included almost all businesses such as e-commerce, social media, IT companies, brick-and-mortar shops, real estate companies, telecom, hospitals, and pharmaceutical companies.
If found in violation, companies were to pay up to Rs 15 crore or 4 per cent of their annual turnover. There was also a fine of Rs 5 crore or 2 per cent of the annual turnover if a company failed to conduct a data audit.
Why was there opposition?
There was an outcry over Article 12(a) and Article 35 of the Bill, with the Opposition and tech companies registering their dissent with the government.
According to Article 35, the central government could exempt any government agency from the law’s provisions “in the interest of India’s sovereignty and integrity, the state’s security, friendly relations with foreign states, public order, and if it is satisfied that it is necessary or expedient to do so, subject to procedures, safeguards, and oversight mechanisms to be prescribed by the Government.”
Article 12(a), meanwhile, eliminated the need for the data principal’s informed consent for the processing of their data when it is required “for the performance of any function of the state authorised by law for (i) the provision of any service or benefit to the data principal from the state; or (ii) the issuance of any certification, licence, or permit by the state for any action or activity of the data principal by the state.”
Joint committee welcomes move
Members of the erstwhile Joint Committee on Personal Data Protection Bill on Wednesday welcomed the government’s move to withdraw the legislation, saying it was better to bring a new legislation after more than 80 amendments suggested by the panel.
BJP MP PP Chaudhary, chairman of the parliamentary committee, said after so many amendments suggested by the panel, it makes more sense to bring a new legislation which will be comprehensive and will include all suggestions made by the committee.
Echoing similar sentiments, BJD MP Bhartruhari Mahtab, who was also a member of the parliamentary committee, said that with the vast number of amendments the Bill required an overhaul, and that this can be done only by bringing a new law.
Congress MP Manish Tewari said that he had rejected the Bill from the beginning. He added that better legislation would have emerged if it had been debated in the parliament.
Tewari, who was a member of the Joint Parliamentary Committee on the Bill, had authored a detailed dissent note on the issues he has with the Bill in its current form.
Last year, both Congress MPs Jairam Ramesh and Manish Tewari added their dissent notes pertaining to the wide-ranging exemptions to the government from complying with the Bill in the name of public interest.
IT Industry Seeks Participation
IT industry players have appreciated the government’s move to withdraw the personal data protection bill and sought participation in the consultation process of the fresh draft. The industry was critical of the data protection bill tabled in Parliament by the Joint Committee on Personal Data Protection Bill.
US-based ITI, whose members include all IT majors like Google, Meta, and Amazon, appreciated the government’s move to withdraw the Parliamentary panel version of the bill.
“ITI welcomes Meity’s plan to implement a robust stakeholder consultation as it reconsiders a comprehensive legal privacy framework for the digital ecosystem. ITI participated in all consultative processes during the framing of the PDP bill 2019 and are eager to continue our engagement. We are certain that the government will consider all the views once the consultation on the framework begins and look forward to participating,” ITI country manager for India, Kumar Deep said.
Internet Freedom Foundation (IFF) said that the bill has been withdrawn after four years of deliberations. “We are cautiously watching these developments & hope the Ministry will use this opportunity to address the numerous criticisms of the bill made by various stakeholders during the consultation process,” IFF said.