India’s Personal Data Protection Bill 2019 – after having been thoroughly analysed and deliberated upon by a 28-member joint parliamentary committee over 66 sittings – is expected to be tabled in the upcoming budget session commencing on 29 January.
However, it’s unlikely the country will see the bill being passed and notified to become an act, dashing hopes of citizens and companies expecting the imminent rollout of India’s first dedicated privacy and data protection law.
“The Personal Data Protection Bill may be tabled in this budget session, but getting notified if tabled will take some more time,” said cyber and privacy law expert, Advocate (Dr.) Prashant Mali.
Furthermore, doubts about the bill being passed were raised at Carnegie India’s Global Technology Summit last month, when a member of the joint parliamentary committee, Rajeev Chandrasekhar, said that the current version of the bill will not be approved. He hinted that the bill will have to be redrawn as the committee, after 52 sittings at that point in time, was still not in agreement.
From pillar to post
The bill, which started its journey close to two-and-a-half years back as the Personal Data Protection Bill 2018, was drafted following the review and recommendations of the Srikrishna Committee report. The bill was finally approved on 4 December of the following year, and renamed the Personal Data Protection Bill 2019.
Since then, a joint parliamentary committee—comprising 19 members of the Lok Sabha (lower house of the parliament) and 9 members of the Rajya Sabha (upper house)—has held 66 sittings, 32 of which were allotted for “clause by clause consideration”, according to the Parliament of India website.
After the final sitting on 29 December, the chairperson of the joint parliamentary committee, Meenakshi Lekhi, told The Economic Times that the final draft of the data protection bill includes 89 amendments and one new clause. This comes after the joint parliamentary committee, with recommendations from various experts and stakeholders, reached a consensus on all aspects of the draft.
What’s the holdup and what needs fixing
A fundamental roadblock that’s prevented unanimous agreement on the Personal Data Protection Bill (PDPB) stems from the debate around privacy.
Article 21 of the Constitution of India states that privacy is a fundamental right. This, though, is currently in contention with two sections of the PDPB. The first is Section 35, which gives the central government the authority to exempt certain agencies from the bill’s provisions for purposes of national security and public order. The second is Section 91, which permits the government to access anonymised and non-personal data gathered by private data fiduciaries.
However, “national security” is a broadly defined term and can be cited by the government to carry out surveillance on citizens, Saikat Datta, a visiting fellow with Observer Research Foundation’s National Security Programme, said at a recent roundtable conducted by the Internet and Mobile Association of India.
“Information is power: This should be the bedrock for any privacy and data regulation act. The PDPB attempts to create a balance between the power of the people and the government, but we do not have a concrete definition of what is national security. Section 35 is not well-defined,” he said, adding: “Surveillance will continue to exist and the PDPB will do very little to protect citizens’ rights.”
Mali too believes in taking a more nuanced approach. When it comes to addressing privacy, he said, the data protection bill should not attempt to paint in broad strokes: “National interests may in some cases override an individual’s interest in privacy. Exemptions citing ‘national interest’ should not extend to the entirety of the PDP bill and must be limited to specified portions. Exemptions must be granted under the authority of law, as opposed to blanket executive orders,” he said.
Why PDPB matters to India Inc.
The last draft of the Personal Data Protection Bill that was approved by the cabinet in December 2019 states that company executives found violating privacy and data protection guidelines could face up to three years’ imprisonment and a penalty of up to ₹150 million.
Additionally, Clause 40 of the bill mandates every data fiduciary to appoint a Data Protection Officer (DPO) – a trend that could spark a flurry of new appointments, especially among rapidly-growing fintech companies and food ordering and delivery platforms.
Vinayak Godse, Vice President of the Data Security Council of India, took a slightly more optimistic point of view than Datta at the Internet and Mobile Association roundtable, saying that the bill will serve to create trust in users’ minds, and that this could get more users to turn to digital media. He added that banks have started setting up divisions to oversee PDP norms.
Furthermore, he predicts RegTech (regulation technology) will come into focus and data anonymization could prove to be a great tool for companies to use.