Personal Data Protection Bill
News: The government of India has withdrawn the Personal Data Protection Bill from Parliament as it considers a ‘comprehensive legal framework’ to regulate the online space to boost innovation in the country through a new bill.
What are the reasons for the withdrawal of the Bill?
• The tech companies had questioned a proposed provision called data localization, under which it would have been mandatory for companies to store a copy of certain sensitive personal data within India.
• Prohibition on export of undefined “critical” personal data.
• Some activists had criticized a provision that allowed the government and its agencies blanket exemptions from adhering to any and all provisions of the Bill.
• The Bill was also seen as being too compliance-intensive by many startups in the country. The fear was that it may hamper their growth and increase compliance costs.
• The government says that, following the recommendations of the Joint Committee of Parliament (JCP), it is working on a comprehensive legal framework.
What were the recommendations made by JCP?
• Non-personal data should also be included within the ambit of the law.
• The Data Protection Authority (DPA), which is to be set up under the law to regulate how data is to be managed and processed, should be bound by directions of the Union government in all cases – not just questions of policy.
• Companies will need to report a data breach within 72 hours; there is additional compliance for companies that deal exclusively with children’s data.
• The JCP’s report also recommended changes on issues such as regulation of social media companies, and on using only “trusted hardware” in smartphones, etc.
• It proposed that social media companies that do not act as intermediaries should be treated as content publishers, making them liable for the content they host.
Is the explanation given by the government justified?
• The government suggested that it has withdrawn the bill as it seeks to implement the JCP recommendations in the revamped bill. However, the JCP has nowhere suggested a withdrawal in favour of a ‘comprehensive legal framework’; on the contrary, it pitched for the bill to ‘be passed’.
• Secondly, the government fears that the compliance burden can impede innovation and growth in the country. However, detailed reasoning is available in the Srikrishna committee’s report, as well as a growing international consensus, suggesting that next-generation innovation in technology needs data protection.
• Thirdly, given the imperfections within the bill and even the JCP report, there exists a reasonable argument that, if passed into law, it may institutionalize bad privacy practices, and that seeking changes in the law at a later date may be difficult. Such reasoning fails to recognize that institutional memory develops through reasonable due diligence and experience. Legislative foresight is limited and no law is perfect, which is why there exist parliamentary amendments and judicial review.
• Lastly, the government has neither set out the contours of this ‘comprehensive legal framework’ nor assured any timeline, which makes it reasonable to ask who benefits from further delay and a status quo of unregulated collection and exploitation of the personal data of millions of Indians.
What are the things to remember from a prelims perspective?
What are the things to remember from prelims perspective?
• Justice A P Shah committee report on Privacy
• Justice K.S. Puttaswamy vs Union of India – Article 21: Right to privacy recognized as a Fundamental Right
• Justice BN Srikrishna committee report
• Section 43A of the IT Act, 2000 – Protects user data from misuse, but it applies only to corporate entities and not to government agencies.