Data Protection: A Recap As Stakeholders Await The New Bill
The five-year long wait for a data protection law may end soon with speculations rife that the government may float a new bill.
The five-year-long wait for a data protection law may end soon with speculations rife that the government may float the new bill on Friday.
The newest version of the bill is likely to ease data localisation requirements by providing ‘friendly geographies’ to host user data, according to a report by Mint. It may also provide for heavy penalties, up to Rs 200 crore, for non-compliance, according to a report by The Indian Express.
Earlier this week, Rajeev Chandrasekhar, the Union Minister of State for Electronics and Information Technology, said in a tweet that misuse of customer data will have punitive consequences under the new bill.
Experts expect that the soon-to-be-released bill will, among other things, feature the following:
Focus on personal data and keep anonymised non-personal data out of its ambit.
Have privacy and autonomy as the primary objective and not have national interest and security as the underlying considerations.
Limit exemptions granted to state agencies.
Introduce surveillance reforms.
Apply data localisation requirement to narrowly tailored, clearly defined critical data.
Provide a robust framework for an independent Data Protection Authority.
Watch the entire video here:
Data Protection Law: A Tedious Journey
As stakeholders await the release of the bill, here's a look at the Data Protection Bill's five-year history.
July 2018: Srikrishna Committee Submits Report
First came a report and draft bill by a committee headed by retired Justice BN Srikrishna.
It was lauded for:
Changing the language of privacy by using constructs like 'data principals’ and ‘data fiduciaries’.
Taking a guarded approach to surveillance and recognising that though security of the state is a ground for partial exemption from the data protection law, it must come with certain safeguards to prevent abuse.
Providing a solid data portability framework.
Where it drew strong criticism is its proposals on strict standards for cross-border transfer of data and storage, and gaps in the redressal framework.
Srikrishna Committee: The Good And The Not-So-Good In The Data Protection Committee’s Report
December 2019: The Government Version
The government made certain tweaks to the Srikrishna Committee version and introduced the Personal Data Protection Bill in the Parliament in December 2019.
The changes included some contentious issues, such as:
Wide exemptions granted for the state’s use of data.
No judicial member in the selection committee, which will make appointments to the Data Protection Authority.
Narrowing the list of offences under the law.
Watering down the requirements of data localisation.
The bill presented by the government saw criticism both inside and outside the Parliament.
"This is nothing but giving a blank cheque to the state to say ‘you write whatever you want on that, signature is already there’," Justice Srikrishna had said in March 2020. He had also called the bill a step towards an Orwellian state. The opposition, too, had attacked the government for a growing "snooping industry".
In December 2019, on the same day of its introduction, the bill was sent to the 30-member Joint Parliamentary Committee.
December 2021: JPC Submits Its Report
The Joint Parliamentary Committee submitted its report in December last year, suggesting around 188 amendments and expansion of the scope of the law.
The key proposals included:
Personal and non-personal data to be governed by a single legislation.
Regulating social media companies.
Procedure to exempt government agencies from purview of the bill.
Provisions related to data localisation.
Composition of the Data Protection Authority.
Experts had criticised the JPC version for endorsing wide exemption for state agencies; worsening the independence of the Data Protection Authority; legitimising profiling of adults; and undermining several user rights.
August 2022: Bill Withdrawn
The government withdrew the Personal Data Protection Bill, 2021.
At the time, Chandrashekhar had said that the bill will soon be replaced by a "comprehensive framework of global standard laws including digital privacy laws for contemporary and future challenges".