The Indian government withdrew the Personal Data Protection (PDP) Bill, 2019 from Parliament on August 4, 2022. The bill had been pending in Parliament since 2019 and a Joint Parliamentary Committee (JPC) had submitted a detailed report on it. The sudden move to withdraw the bill has been met with cautious optimism in some quarters and disappointment in others. The withdrawal indicates the desire for a serious rethink on the shape and scope of data regulation within the government.
Typically, once a bill is in Parliament, the government is free to make changes before the bill is taken up for final discussion and voting. Governments usually do so if, for example, they wish to incorporate suggestions from parliamentary committees. This would have been the most likely process if it were just a question of incorporating the JPC’s recommendations. In this case, however, the government has withdrawn the bill completely. IT Minister Ashwini Vaishnaw has stated that the PDP bill will be replaced by a new one that is part of a “comprehensive legal framework.”
He explained in a later interview that the new legislation is likely to be one of four new laws that will cover telecom, digital technology, privacy, and social media. The government intends to have specific legislation for different aspects of the digital technology landscape, rather than a single omnibus law. This makes sense, given that the PDP bill did not remain limited to data privacy but gradually evolved into an omnibus law with a much wider scope.
History of the Bill
The immediate driver of data protection legislation in India was the Supreme Court’s judgment declaring privacy to be a fundamental right. With the constitutionality of India’s biometric identification program, Aadhaar, under challenge, the Indian government assured the court that it would bring in a law to protect personal data privacy. While the case was being decided, the government constituted a committee under former Supreme Court justice Srikrishna to propose a data protection law for India.
The draft Personal Data Protection Bill, 2018, formulated by the J. Srikrishna Committee, proposed an expansive data protection law, adapted from the European Union’s General Data Protection Regulation (GDPR). The draft bill introduced many new ideas, terms, and concepts that had not been part of Indian jurisprudence on privacy or data regulation. It proposed many new rights for consumers and significant new obligations for businesses, and it proposed regulating large technology businesses as “significant data fiduciaries.”
The bill proposed a horizontal application of data protection regulation to all private and government entities, with narrow carve-outs for the latter and certain specific purposes. The bill also proposed a cross-sectoral regulator, the Data Protection Authority (DPA), which would ensure compliance with the bill.
The government introduced its own version, the Personal Data Protection Bill, 2019, in Parliament after consulting stakeholders for a year. This bill retained the overall framework of the 2018 version, rationalized some compliance requirements, created large carve-outs for the government, and introduced further new ideas, such as a governmental power to expropriate non-personal data. Another significant addition was the regulation of social media intermediaries, who faced new reporting requirements under the 2019 bill. Critically, despite the significant compliance costs the bill imposed, neither the J. Srikrishna Committee nor the government undertook a regulatory impact analysis of it.
This version of the bill was sent to the JPC, which, after two years of deliberations, agreed in principle with the government’s version of the bill but doubled down on issues such as protecting data sovereignty and regulating data for economic benefit. Highlighting the mission creep in the bill’s drafting, the JPC recommended that the name of the bill be changed and the word “Personal” be dropped from its title.
Some provisions, such as data localization requirements, non-personal data regulation, and carve-outs given to government entities, became points of heated debate during this process. The bill became a lightning rod for discussions related to data sovereignty, data security, and economic benefits of data in India. As these discussions made their way into the bill, it increasingly reflected incipient thinking about additional aspects of technology policy that were not always relevant to personal data protection.
The government’s stated approach of taking a step back and focusing on technology policy in a holistic manner could therefore be beneficial compared to passing the existing version of the bill. However, there are deeper issues with regard to the personal data protection framework that require reconsideration. The most important of these is the question of whether an expansive and compliance-heavy legal framework under the supervision of a powerful but capacity-constrained regulator is the best way to protect privacy in India.
Regulatory Revolution in Data
The magnitude of regulatory change proposed by the bill was significant. Over the past few decades, data privacy laws have evolved gradually in most countries that are members of the Organisation for Economic Co-operation and Development. For example, the EU’s 2018 GDPR was only a consolidation and harmonization of preexisting privacy regulation. Along with preexisting regulation, the EU also had data privacy jurisprudence that had developed over decades before the GDPR was formulated. Finally, many EU member countries had preexisting regulatory authorities for data protection before the GDPR was implemented.
India has bare-bones privacy regulation under the Information Technology Act, 2000; almost no jurisprudence on specific data regulation issues; and minimal regulatory capacity for data regulation. The PDP bill was a GDPR-style law in its scope and approach but with none of the prerequisites. The DPA would have faced significant problems in interpreting the bill and its own powers. In the absence of any prior jurisprudence, the probability of incorrect regulatory decisions and overreach would also have been much higher.
Compliance and Uncertainty
In addition, the compliance required of all businesses in the economy would have increased significantly. Again, the increase in compliance—requirements for collecting consent, mechanisms for storage and classification of data, responding to user requests for portability, implementing privacy by design requirements, conducting data audits, and so on—would have required significant expenditure by businesses in some cases. This may have been prohibitive for many Indian businesses, since most of them are small.
This issue of compliance would have also placed asymmetric burdens on different classes of businesses. Large technology firms that operate across multiple jurisdictions have already internalized the costs of data protection regulations; for them, the additional compliance costs in India would have been incremental. For small businesses and startups, by contrast, the increase in these costs would have been far more significant.
Some important provisions in the bill were unclear and required improvements. One such provision was the one proposing data localization. The relevant provision proposed escalating levels of restrictions on personal, sensitive personal, and critical personal data. However, it did not define what critical personal data was. This uncertainty would have left businesses in the lurch, since they would not have been able to estimate the systems they would need to build to comply, or the costs that localizing critical personal data would entail.
Another such provision was the section on non-personal data. Ostensibly to enable government access to non-personal data for public purposes, the provision allowed the government to mandate that private businesses share non-personal data, but without any explanation of the purposes for which the data would be used, or of what compensation, if any, would be paid.
The DPA proposed under the bill was problematic. It would have to implement a vast, cross-sectoral law that suffered from the infirmities discussed above. It would have to implement numerous data protection rights, ensure compliance with a large number of obligations, and handle grievances from across the economy. In doing all this, it would be hobbled by both the scope of the law and the uncertainties inherent in the legislation.
In addition, data protection regulation is different because of the inherent dynamism and innovativeness of technology. The volume of data and the kinds of products and services, along with the risks emanating from them, are constantly changing. For example, data regulators in countries that have already had data protection regulation for years have found it difficult to do regulatory impact assessments.
Building state capacity in the Indian regulatory ecosystem has proved hard even in the best of circumstances. It would have been doubly so for a DPA set up under the existing version of the bill. The DPA would have had difficulty identifying its regulatory priorities and building its capacities accordingly. The consequences would have been either overreach, with the consequent economic pain for businesses, or an undersupply of regulation where it was necessary.
Given these issues, the fresh approach to thinking about data protection regulation signaled by the government is an opportunity to be pragmatic about how data protection regulation can be designed to best suit India’s needs.