By Somnath Ingole
The Data Protection Bill in India created quite a controversy among the citizens of the country. What is it, and why is there so much fuss around it?
Recently, the government withdrew the much-awaited Personal Data Protection Bill, 2019, after four years of lengthy deliberations. This bill sought to protect the personal data of individuals and to establish a Data Protection Authority for that purpose. In addition, the bill defined the rights of data principals (data subjects), the obligations of data fiduciaries (data handlers) and the penalties for non-compliance.
On the withdrawal of this bill from Parliament, the government said that the JPC (Joint Parliamentary Committee) had suggested some significant amendments and recommendations in the final draft of the bill to make it a more comprehensive legal framework for the digital economic system. Considering the ambiguity on some issues, the government withdrew the present draft and said that a new bill will soon be presented, which will try to fit into the comprehensive legal framework.
The narrative on data protection in India received major attention during the hearings of K. S. Puttaswamy vs Union of India, the “Right to Privacy case” (2017). A bench of nine judges of the Supreme Court of India gave a landmark verdict that the right to privacy is a fundamental right. The government of India set up an expert committee to draft the framework for data protection in India, led by Justice B N Srikrishna, a former Supreme Court judge.
After the committee’s draft was received, the bill, named the Personal Data Protection Bill, 2019, was introduced in the Lok Sabha on December 11, 2019. It was later referred to the Joint Parliamentary Committee (JPC) for review, and the JPC submitted its final draft after two years, in November 2021.
The Joint Parliamentary Committee proposed 81 amendments and 12 recommendations to the bill, which had been finalized by the Justice B N Srikrishna panel. These amendments and recommendations included broadening the scope of the bill from personal data to non-personal data, thereby broadening data protection, along with some changes on issues related to the regulation of social media companies, among other things.
With awareness of individual privacy protection rising around the world, it is indeed necessary for a country to have a comprehensive personal data protection framework. The European Union’s General Data Protection Regulation (GDPR) is one example. In a country like India, which is the second most populated country and where awareness of personal data rights and individual privacy is comparatively lower than in developed countries, it is all the more crucial to have this kind of framework.

The government of India had taken the initiative of moving towards a data protection framework. But due to a lack of clarity on some issues, the proposed bill has been withdrawn again. Given the complexity of data rights and their interconnections, the government's decision to withdraw the bill in order to make it more comprehensive makes sense. In the earlier draft, there were significant issues and ambiguity related to a few things, which need to be cleared up to make it sound and comprehensive.
Because there is a fundamental difference between personal data and non-personal data, it has become crucial for the new bill to state whether it covers personal data protection only or non-personal data as well. The bill drafted by the Srikrishna committee focused on personal data and personal privacy, which is a fundamental right as declared by the Supreme Court. But later, the JPC recommended bringing non-personal data into the same bill, which is outside of fundamental rights. If non-personal data comes under the same framework, it will bring restrictions on the free flow of non-personal data, which is supported by the European Union.
There was also major concern from industry players about the recommendations in the proposed bill related to local storage, compliance cost, etc. In February, Meta (Facebook) raised the concern that the condition in the bill requiring global players to store data in local storage before transferring it, along with other processing-related requirements, could increase costs and add complexity to delivering their services. Considering the role of these global players in India’s digital economy, the government will have to think about addressing this in the bill’s new draft.
Beyond the compliance cost point of view, there is much concern in the Indian start-up ecosystem. One report has underlined that, given start-ups’ costlier access to finance, the bill can lower their ability to absorb the compliance cost and, further, can affect their business process adjustments. Evidence from the European Union shows that the GDPR (General Data Protection Regulation) has asymmetrically affected smaller firms and has increased the market concentration of already established firms. Considering India’s growing start-up ecosystem, the possibility of this effect in India cannot be ignored.
So, taking into account all the potential issues with the Personal Data Protection Bill, 2021, it is a welcome move that the government has withdrawn this bill and agreed to make it a more comprehensive framework. But considering the previous time lag of four years taken for the drafting and introduction of this bill, the government should work on the new bill cautiously and without delay. There is a critical need for this type of law to come into force because the personal data of millions of Indians is still vulnerable.
(Somnath Ingole is a Project Associate at the Centre for Society & Policy, Indian Institute of Science.)
(Disclaimer: The views expressed in the article above are those of the author and do not necessarily represent or reflect the views of Autofintechs.com. Unless otherwise noted, the author is writing in his/her personal capacity. They are not intended and should not be thought to represent official ideas, attitudes, or policies of any agency or institution.)