On August 03, 2022, in a significant move, the Central Government withdrew the Personal Data Protection Bill, 2019 tabled before the Lok Sabha (lower house of the Indian Parliament) on December 11, 2019 (‘2019 Bill’). With this announcement, the Central Government also stated that a fresh data privacy legislation is being worked upon which will include a ‘comprehensive legal framework’ for the entire digital ecosystem.
Genesis of Data Privacy Legislation in India
The genesis of India’s efforts towards formulating a comprehensive data privacy legislation can be traced back to the landmark decision of the Indian Supreme Court in 2017 in Justice K.S. Puttaswamy & Ors. v. Union of India & Ors. which held that right to privacy was a fundamental right guaranteed under the Indian Constitution. The Supreme Court in this case also emphasised the need for a data protection law. This prompted the Central Government to set up a committee of experts under the chairmanship of Justice B. N. Srikrishna (‘Committee of Experts’). The Committee of Experts came up with the first draft of the Personal Data Protection Bill, 2018 which was released on July 27, 2018 (‘2018 Bill’). The 2018 Bill was revised substantially by the Central Government, before it was tabled in the Lok Sabha in the form of the 2019 Bill.
The 2019 Bill was widely criticised for significantly deviating from the 2018 Bill drafted by the Committee of Experts. One of the key concerns arising out of the 2019 Bill was the wide powers provided to the Central Government to exempt its agencies from some or all the provisions of the 2019 Bill. The Central Government, was in effect, allowed to bypass all privacy safeguards on broad grounds which included protecting the sovereignty and integrity of India, security of the State, friendly relations with foreign states or maintenance of public order etc. Certain other concerns arising out of the 2019 Bill were the strict data localisation requirements as well as restrictions on transfer of sensitive data which required approval from the data privacy regulator. The 2019 Bill also contained certain onerous requirements on certain categories of data fiduciaries i.e., ‘significant data fiduciaries’ in terms of (i) undertaking data protection impact assessment; (ii) audit of data protection policies and practices; and (iii) appointment of a data protection officer etc., which could have resulted in enhanced compliance burden. Therefore, to address such concerns, the Indian Parliament referred the 2019 Bill to the Joint Parliamentary Committee (‘JPC’). The JPC came out with a report in December 2021 suggesting more than 80 amendments to the 2019 Bill. This was perhaps one of the main reasons behind withdrawal of the 2019 Bill.
The JPC Report was also met with severe criticism as some of the key recommendations in the report went beyond the scope of a data protection legislation, such as:
i. Recommendation to bring non-personal data within the ambit of the data privacy legislation and to have a single regulator dealing with both personal as well as non-personal data;
ii. Regulation of hardware manufacturers and certification of digital and internet of things (IoT) devices;
iii. User verification process prescribed for social media intermediaries; and
iv. Social media intermediaries being treated as publishers of content.
Separate Legislations for Each Subject Matter Now Proposed
Since the announcement of the withdrawal of the 2019 Bill, the Ministry of Electronics and Information Technology has clarified that a complete overhaul of the legal landscape governing digital technology is being envisaged. As such, the fresh legislation on data protection may form part of a set of legislations which will govern data privacy, social media, information technology and telecom law, separately. The Central Government has also indicated that the fresh data protection bill may be released for public consultation soon and introduced in the Parliament during the next budget session, i.e., in February 2023.
India is one of the fastest growing major economies in the world. Millions of users in India are continuously sharing data across the internet with growing incidence of data breaches every year. At present, more than 120 countries of the world have a data protection legislation in place. India is lagging while technological advancement races ahead.
Therefore, there is an urgent need for a comprehensive and a meaningful data protection legislation which is in line with globally recognised best practices of transparency, accountability, reasonableness, and proportionality.
 Justice K.S. Puttaswamy & Ors. v. Union of India & Ors., (2017) 10 SCC 641.