A new data protection law must strike a balance between privacy, sovereignty and commercial interests

Early last month, the Centre scrapped the Data Protection Bill, 2021. Minister for Electronics and Information Technology Ashwini Vaishnaw informed the Parliament that the Joint Committee of Parliament (JCP), which had deliberated on the legislation, had proposed 81 amendments and 12 recommendations to the Bill.

What Ailed Data Protection Law?

Many exemptions from the law for State agencies

Private entities overburdened with needless compliances resulting surging costs

Technology companies peeved by data localisation requirement

Unrelated provisions unnecessarily crammed into a single law

“Considering the report of the JCP, a comprehensive legal framework is being worked upon. Hence, it is proposed to withdraw the Data Protection Bill, 2021 and present a new Bill that fits into the comprehensive legal framework,” Mr Vaishnaw disclosed.

The Bill was in the making for nearly five years now. It was originally mooted in 2017 following the Supreme Court’s historic verdict in Justice K S Puttaswamy and others Vs the Union of India. The nine-judge bench had unanimously ruled in August 2017 that privacy was a constitutionally-protected right that emerged from the right to life and personal liberty which was enshrined in Article 21 of the Constitution. Mr Puttaswamy had challenged the Centre over infringement of privacy in the use of Aadhaar in multiple contexts. The Supreme Court had, however, clarified that like most other fundamental rights, the right to privacy was not an “absolute right”. It had added that a person’s privacy interests could be overridden by competing State and individual interests.

The Personal Data Protection Bill, 2019 – drafted by the Srikrishna Committee – was tabled in the Parliament in 2019. The legislation was referred to the JCP, which held wide consultations with several stakeholders, discussed the Bill, came up with 81 amendments and submitted a revised draft Bill to the government in November 2021. The JCP had incorporated many other issues into the revised Bill, including non-personal data. Hence the Bill was renamed as Data Protection Bill, 2021 – after dropping “personal” from the original Bill – and tabled in the Parliament.

The Bill was aimed at ensuring that there was a framework to abide by when it came to handling of personal data by institutions and big-tech companies. Companies were supposed to inform consumers about how they would utilise their data and take consent from them. The Bill had given consumers the right to withdraw consent whenever they wanted and companies had to oblige and provide a mechanism to enable it.

Personal data was divided into three categories: sensitive personal data (like health, sexual orientation and finances, etc), critical personal data (left to be defined by the government) and basic personal data. The revised Bill also dealt with monetisation of non-personal data. The scrapped law called for setting up a Data Protection Authority to deal with data privacy, its infringement and other related issues.


Many drawbacks

The withdrawn data protection legislation had attracted sustained criticism from several stakeholders, including social and rights activists as well as big-tech companies. The Bill was modelled on the European Union’s (EU) data protection law but was flawed on many counts.

The EU’s data law is quite stringent on individual privacy, and it mandates both government and private (big-tech companies) agencies to formulate safeguards to protect individual data and its privacy. On the other hand, the US’ data protection law is quite lenient with the private sector. It allows self-regulation of big-tech companies. However, the US’ law is more concerned about misuse of data by government agencies, and it puts many restrictions on the government’s use of individuals’ data. While the EU’s law increases compliance and cost of operation, the US’ law requires lower compliance and keeps the operational cost down.  

Though India modelled its law on the EU’s legislation, it exempted State-owned entities from the provisions of the data protection law. On the contrary, the private sector was required to comply with all the provisions.

This lacuna in the Indian law has been roundly criticised by both big-tech companies as well as social activists. In fact, Justice B N Srikrishna – whose committee had drafted the first data protection law of 2019 – was severely critical of the new Bill of 2021 and went so far as to say that the Bill could turn India into an “Orwellian State”.       

The technology companies had particularly questioned a proposed provision in the Bill called data localisation. Under this provision, it would have been mandatory for companies to store a copy of certain sensitive personal data within India. They saw these provisions further increasing their compliance burden and adding to higher costs. Moreover, many experts saw the futility of cramming various unrelated provisions – such as inclusion of non-personal data, treating social media as publishers and the like – in a single law.

Experts have voiced grave concern that India, one of the world’s largest internet markets, still does not have a basic framework to protect people’s privacy. “The withdrawal of the Data Protection Bill, 2021 is concerning, for a belated regulation is being junked. It’s not about getting a perfect law but a law at this point,” stresses Apar Gupta, the executive director of Internet Freedom Foundation.


Right balance

Every success or innovation brings with it challenges that need balanced solutions. The internet revolution has resulted in volumes of information being created and consumed daily across the world. Data is undoubtedly the modern oil or perhaps more precious than the black gold. There are genuine concerns over how businesses may use millions of terabytes of data generated daily for their own commercial interests. There could be dire consequences if vital personal information falls into wrong hands. Data privacy and data protection assume significance in this context.

Technology companies have been providing information and entertainment on a very large scale free of cost. But as there are no free lunches, huge data generated in consuming information and entertainment is monetised, most often without the knowledge and consent of data consumers. Data protection law seeks to prevent consumers from being short-changed. It makes them aware of the specific value of their data and enables them to have control over how their data is used. 

“The Data Protection Bill, 2021 did have imperfections which need to be reconsidered. We hope that the government will re-look at all the aspects of data governance in the new Bill, and arrive at progressive principles to govern India’s digital ecosystem,” notes Kazim Rizvi, the founder of policy think-tank The Dialogue.

A new data protection Bill provides better opportunities for policymakers to engage with larger sections of stakeholders and incorporate provisions that reflect the sea changes unfolding in the modern digital world. The new data law should strike a right balance between privacy of individuals, sovereignty of the State and commercial interests of businesses. A lot of time has already been frittered away. India cannot afford to lose more time and be without a data protection law.

Report By