From the UPSC perspective, the following things are important:
Prelims level : European Union’s Digital Services Act
Mains level : Paper 2- Need for personal data protection act
In a surprise development last week, the Government withdrew the Personal Data Protection (PDP) Bill, 2019, thereby abruptly halting the country’s quest for a national data protection law that had been in the works for over five years.
Reasons for withdrawal of the Bill
- The short circular issued by the Minister of Electronics and Information Technology states that considering the report of the Joint Parliamentary Committee (JPC) — it had proposed 81 amendments and made 12 recommendations — “a comprehensive legal framework is being worked on”.
- There is no elaboration on what such a “comprehensive legal framework” entails.
- Possible plan of action: The Government could enact a fresh privacy legislation or a comprehensive data protection law (covering both personal and non-personal data).
- Subsuming data protection in IT Act: Alternatively, it could subsume data protection under its ongoing attempts at revising the existing Information Technology Act, 2000.
- Digital markets law: It could also enact a digital markets law, along the lines of the European Union’s Digital Services Act, focusing on competition and innovation in the digital space.
Background of the introduction of Personal Data Protection Bill
- When the Supreme Court of India affirmed the right to privacy in K.S. Puttaswamy judgment in 2017, the nine-judge Bench of the Court referred to the Government’s Office Memorandum constituting the B.N. Srikrishna Committee to suggest a draft Data Protection Bill.
- The committee released its draft Personal Data Protection Bill in 2018, which was the first public articulation of a data protection law in India.
- When the Supreme Court upheld the constitutionality of the Aadhaar Act, the majority emphasised that it believed that “there is a need for a proper legislative mechanism for data protection”.
- In December 2019, the Government introduced the PDP Bill, 2019 in the Lok Sabha as a comprehensive personal data protection regime.
- The Bill was referred to the JPC for its recommendations.
What were the issues with the Bill?
- Power of exemption with the state: The Bill’s expansive exemptions allowed the state to exempt the entire application of the law simply if it was “expedient” to do so in the interest of national security or public order.
- Powers without accountability: The PDP Bill, 2019 as well as the JPC’s version established a strong regulator (the Data Protection Authority) with a lot of power, but very little independence or accountability.
- Data localisation: The Bill imposed a strong data localisation mandate, requiring companies to store all sensitive personal data and critical personal data (which was not defined) in India.
- Subsuming personal and non-personal data: The JPC recommended subsuming the regulation of personal data and non-personal data within a single legislation, even though it undermined the Puttaswamy mandate to ensure protection of personal data.
Why do we need a data protection law?
- Increasing internet use: India currently has over 750 million Internet users, with the number only expected to increase in the future.
- The Government is also making a strong push for a ‘Digital India’, with increased focus on digitisation of access to health, rations, banking, and insurance, especially after the COVID-19 pandemic.
- There is a greater focus on the inter-linking of data, whether through facial recognition, Aadhaar, or the Criminal Procedure (Identification) Act, 2022.
- Data breaches: At the same time, India has among the highest numbers of data breaches in the world.
- Without a data protection law in place, the data of millions of Indians continues to be at risk of being exploited, sold, and misused without their consent.
- Lack of writ proceedings against corporate action: Unlike state action, corporate action or misconduct is not subject to writ proceedings in India.
- This is because fundamental rights are, by and large, not enforceable against private non-state entities.
- This leaves individuals with limited remedies against private actors.
- A personal data protection legislation would remedy this lacuna by providing individuals with proper grievance redress options and creating sufficient deterrence among private actors.
It is imperative that the Government soon introduce a fresh data protection legislation, drawn up after proper public consultation. Such a law should take into consideration the criticisms that have been raised by civil society as well as the private sector.