Baba’s Explainer – Withdrawal of PDP Bill

• Restrictions on Processing and Collection of Personal Data
  • The committee recommends that processing (collection, recording, analysis, disclosure, etc) of personal data should be done only for “clear, specific and lawful” purposes.
  • Only that data which is necessary for such processing is to be collected from anyone
• Processing of Personal Data for “Functions of the State”
  • One of the more problematic suggestions of the committee is that they suggest that your personal data may be processed by the government if this is considered necessary for any function of Parliament or State Legislature. This includes provision of services, issuing of licenses, etc.
  • On the face of it, this looks extremely vague and could lead to misuse.
• Right to be Forgotten
  • The committee recommends giving “data principals” (persons whose personal data is being processed) the ‘right to be forgotten’.
  • This means they will be able to restrict or prevent any display of their personal data once the purpose of disclosing the data has ended, or when the data principal withdraws consent.
• Data Localisation
  • Personal data will need to be stored on servers located within India, and transfers outside the country will need to be subject to safeguards.
  • Critical personal data, however, will only be processed in India.
• Processing of Sensitive Personal Data to Require Explicit Consent
  • The Committee recommends that “sensitive” personal data (such as passwords, financial data, sexual orientation, biometric data, religion or caste) should not be processed unless someone gives explicit consent – which factors in the purpose of processing.
• Data Protection Authority
  • The Committee has recommended setting up a Data Protection Authority which is supposed to “protect the interests of data principals”, prevent misuse of personal data and ensure compliance with the safeguards and obligations under the data protection framework.
  • The Authority shall have the power to inquire into any violations of the data protection regime, and can take action against any data fiduciaries responsible for the same
  • The obligations on data fiduciaries include conducting audits and ensuring they have a data protection officer and grievance redressal mechanism – the Authority will need to publish Codes of Practice on all these points.

• India currently has over 750 million Internet users, with the number only expected to increase in the future.
• The Government is also making a strong push for a ‘Digital India’, with increased focus on digitisation of access to health, ration, banking, insurance, especially after the COVID-19 pandemic. There is a greater focus on the inter-linking of data, whether through facial recognition, Aadhaar, or the Criminal Procedure (Identification) Act, 2022.
• At the same time, India has among the highest data breaches in the world.
• As Indians increasingly onboard onto digital platforms, there is an urgent need to protect citizens’ personal data and make the data utilisation process transparent.
• Without a data protection law in place, the data of millions of Indians continues to be at risk of being exploited, sold, and misused without their consent.
• Unlike state action, corporate action or misconduct is not subject to writ proceedings in India. This is because fundamental rights are, by and large, not enforceable against private non-state entities. This leaves individuals with limited remedies against private actors.
  • They can either seek action under the inadequate and ineffective provisions of the Information Technology Act, or file civil/criminal proceedings before a court of law (which itself is time-consuming and expensive).
• A personal data protection legislation would remedy this lacuna by providing individuals with proper grievance redress options and creating sufficient deterrence among private actors.
• For the first time, a Bill was enacted to protect the digital rights and privacy of Indians. Similar kind of attempts at global level include the General Data Protection Regulation implemented by the European Union, and the State data privacy laws in the United States. Even, Brazil has implemented a data privacy legislation.

• Stringent Data localisation norms: Most private enterprises opposed the data localisation norms that were part of the Bill, which they felt were stringent.
  • In fact, many tech giants such as Google and Meta were unhappy with it.
  • Despite concerns around surveillance and increased cost of compliance expressed by civil society and the private sector, the Government did not endorse cross-border data transfer.
• Privileged state exceptionalism over individual privacy: Civil liberties organisations noted that there was significant state overreach in the PDP Bill. The bill allowed the state to exempt the entire application of the law simply as if it was “expedient” to do so in the interest of national security or public order.
  • These exemptions did not need to be tabled before Parliament and there was no provision for review or oversight of the Government’s decision.
  • The Committee report noted that “government agencies are treated as a separate privileged class whose operations and activities are always in the public interest and individual privacy considerations are secondary”.
• Independence of Regulator not ensured: The PDP Bill, 2019 as well as the JPC’s version established a strong regulator (the Data Protection Authority) with a lot of power, but very little independence or accountability.

A. For data localisation

• A common argument from government officials has been that data localisation will help law-enforcement access data for investigations and enforcement.
• As of now, much of cross-border data transfer is governed by individual bilateral “mutual legal assistance treaties” — a process that almost all stakeholders agree is cumbersome.
• Many domestic-born technology companies, which store most of their data exclusively in India, support localisation.
• They have strongly argued that data regulation for privacy and security will have little teeth without localisation, calling upon models in China and Russia.
• Many economy stakeholders say localisation will also increase the ability of the Indian government to tax Internet giants.

B. Against the Bill

• Some contend that security and government access are not achieved by localisation.
• Even if the data is stored in the country, the encryption keys may still be out of reach of national agencies.
• Technology giants like Facebook and Google and their industry bodies, especially those with significant ties to the US, have opposed citing increased compliance cost.
• Opponents say protectionism may backfire on India’s own young startups that are attempting global growth, or on larger firms that process foreign data in India, such as TCS and Wipro.

• After withdrawing the PDP Bill the government plans to introduce four comprehensive laws to cover the digital tech landscape.
• This will include introducing new regulations in the domains of telecom, information and technology, personal data and privacy, and social media accountability.
• The government has committed to submit the draft of the next data protection framework no later than the next Budget session.