DNA Explainer: What is Personal Data Protection Bill? Analysing its provisions, issues and experts' opinion

The government on Wednesday withdrew the Personal Data Protection Bill from Lok Sabha and said it will come out with a “set of fresh legislations” that will fit into the comprehensive legal framework.

The government would hold a wide public consultation before putting the new legislation to Parliament, news agency PTI quoted sources as saying.

The Bill could be replaced by more than one bill, dealing with privacy and cyber security and the government may bring the new set of bills in the Winter Session of Parliament, they added.

The government circulated among members a statement, containing reasons for withdrawal of the Bill, which was introduced on 11 December 2019 and was referred to the Joint Committee of the Houses for examination. 

The report of the joint parliamentary committee was presented to Lok Sabha in December 2021. The withdrawal of the Bill was made part of the supplementary agenda of Lok Sabha this afternoon. 

According to the statement circulated to Lok Sabha members on Wednesday, the 2019 Bill was deliberated in great detail by the joint parliamentary committee, which proposed 81 amendments and 12 recommendations for a comprehensive legal framework for the digital ecosystem.

What the Bill proposed?

The withdrawn Bill had proposed restrictions on the use of personal data without the explicit consent of citizens. It had also sought to provide the government with powers to give exemptions to its probe agencies from the provisions of the Act, a move that was strongly opposed by the opposition MPs who had filed their dissent notes.

The withdrawn data protection Bill had also proposed the setting up of a Data Protection Authority.

It had also proposed to specify the flow and usage of personal data, protect the rights of individuals whose personal data are processed, as it works out the framework for the cross-border transfer, accountability of entities processing data, and moots remedies for unauthorised and harmful processing.

The original Bill, which was first tabled in 2019, included exemptions for processing data without an individual’s consent for “reasonable purposes”, including security of the state, detection of any unlawful activity or fraud, whistle-blowing, medical emergencies, credit scoring, operation of search engines and processing of publicly available data.

Who had to comply?

Indian as well as foreign companies dealing with data of Indian citizens had to comply with the now-withdrawn Bill.

Almost all businesses including E-commerce, social media, IT companies, brick-and-mortar shops, real estate companies, telecom, hospitals, and pharmaceutical companies. The only exceptions were “small entities” (businesses like small retailers that collect information manually and meet other conditions to be specified by the Personal Data Protection Act). 

If found in violation, companies were to cough up to Rs 15 crore or 4 per cent of the annual turnover of the company that controls the storage of your data. There is also a fine of Rs 5 crore or 2 per cent of the annual turnover if the company fails to conduct a data audit.     

.

Why the outcry against the proposed law?

The Opposition and others, including tech companies, had majorly expressed concern over Article 12(a) and Article 35 of the Bill.  

Article 35 allows the Central Government to exempt any government agency from the law's provisions "in the interest of India's sovereignty and integrity, the state's security, friendly relations with foreign states, public order, and if it is satisfied that it is necessary or expedient to do so, subject to procedures, safeguards, and oversight mechanisms to be prescribed by the Government."

Article 12(a) eliminates the need for the data principal's informed consent for the processing of her data when it is required "for the performance of any function of the state authorised by law for I the provision of any service or benefit to the data principal from the state; or (ii) the issuance of any certification, licence, or permit by the state for any action or activity of the data principal by the state."

Following the centre’s decision to withdraw the Personal Data Protection Bill, Congress MP Manish Tewari said that he had rejected the Bill from the beginning. He added that better legislation would have emerged if it had been debated in the parliament.

Tewari, who was a member of the Joint Parliamentary Committee on the Bill, had authored a detailed dissent note on the issues he has with the Bill in its current form.

Last year, both Congress MPs Jairam Ramesh and Manish Tewari added their dissent notes pertaining to the wide-ranging exemptions to the government from complying with the Bill in the name of public interest. 

Tiwari said the Bill creates two parallel universes -- one for the private sector where it would apply with full rigour and one for the Government where it is riddled with exemption.  

Experts’ Opinion

Kazim Rizvi, Founding Director at The Dialogue, opines that withdrawing the Bill is an “opportunity for the government to engage in more multi stakeholder consultations and introduce a new law that is better adept to support the growth of India’s digital economy in line with emerging technologies along with adequate protection of user rights.”

“It is important that the new Bill, while carving out the mandates around state exemptions for accessing personal data, aligns with the overarching principles of necessity and proportionality as explicated by the Supreme Court in the Puttaswamy judgement,” he added. 

Supreme Court advocate Satya Muley also called for a “more refined personal data protection law”, which falls in line with the global standards and also “within the comprehensive framework of Indian laws” .

Highlighting the “grey areas” in the withdrawn Bill, Muley said: “The PDP bill intended to give right to the government to access personal data under certain situations, classified the personal data into categories of personal data, sensetive personal data and critical personal data. It was also envisaged that the PDP bill would give the citizens the right to access, correct and erase their personal data stored by various entities. The bill also madated that the sensetive personal data must be stored in India.”