India’s Data Protection Bill goes back to the drawing board

A man with a bike checks his mobile phone as he stands on a busy road in Kolkata, Indi

A man checks his mobile phone as he stands on a busy road in Kolkata, India January 6, 2017. REUTERS/Rupak De Chowdhuri

Now that the process of drafting the bill has started afresh, concerns around data localisation and exemptions given to the government must be addressed.

By Mishi Choudhary, founder of the Software Freedom Law Center, and Prasanth Sugathan, legal director at Software Freedom Law Center.

Five years after the process of drafting the Personal Data Protection Bill began, the bill has been withdrawn by the Indian government. The reasons cited are the major changes recommended by the Joint Parliamentary Committee, and the need to have a comprehensive legal framework. The time to enact this legislation was the day before yesterday, as everything from food rations to taxes to health, to all aspects of our civil, economic and political lives are increasingly digital. Yet, when it comes to protecting our data and its security, India is years behind the rest of the world.

Over the past few years, the government of India has been rolling out a number of schemes that necessitate large-scale collection and processing of data by state agencies and the private sector. We have seen several such initiatives in varied sectors like health, agriculture and education. The lack of a robust cybersecurity infrastructure and unbridled collection have also led to many data breaches. Unlike other countries, however, there is no legal recourse for citizens affected by such breaches.

Go DeeperOnline DNA tests are upending anonymous sperm donations
Go DeeperSexual and reproductive rights on the internet are under attack
People pass their time at a cafe which has dozens of screens showing the latest trends and prices on various cryptocurrencies for their crypto investors' customers in Nakhon Ratchasima, Thailand, January 21, 2022
Go DeeperCyber criminals hold Asian tech workers captive in scam factories

Collection of mobile phone numbers and other personal details is already rampant in India. From restaurants to grocery stores, every vendor feels entitled to collect data and use it as it sees fit without expending any efforts on its protection. Since the judgment on privacy by the Supreme Court in 2017, many experts had been pinning their hopes on the Personal Data Protection Bill, 2019, to protect citizens from the ever widening reach and greed of companies and other entities for our data. But the constant dithering and changing scope of the bill had raised questions about the intent of the government. Not that a law is a guarantee for actual protection, but it’s the first step towards any framework.

The draft bill, which was introduced in the parliament in December 2019, drew valid criticism from all quarters for the excessive exemptions given to the government. There were also other contentious issues like data localisation and the constitution of the Data Protection Authority.

The pervasive surveillance brought to light by the Pegasus spyware revelations highlighted the lack of parliamentary or judicial oversight of the government’s powers. The bill also did not address how digital social infrastructure should be designed and built so as to ensure that fundamental rights are respected.

The Joint Parliamentary Committee report, submitted in December 2021, proposed 81 amendments and 12 recommendations, including the observation that there should be no differentiation between personal and non-personal data, and that the bill should be titled Data Protection Act.

Hence, the government’s going back to the drawing board after all these years is a major concern. Now that the process of drafting the bill has started afresh, it is hoped that the government will consider the concerns expressed by stakeholders.

The large carveouts granted to government agencies in the previous bill for “security of the state” would have resulted in dilution of citizen’s rights and legalising mass surveillance. The misplaced focus on data localisation was another area of contention, and the regulation of non-personal data that was suggested by the Joint Parliamentary Committee should be carried out based on the principles of protecting data subjects, and not those of data collectors or those who see “data as the new oil”.

The government should not be using the earlier consultations as an excuse to introduce a new Data Protection Bill without fresh consultations. The new bill should be put up for public consultation, with sufficient time for public feedback.

Landmark legislation should result from this process, because without the Right to Privacy, there is no possibility of exercising any other rights.

Any views expressed in this opinion piece are those of the author and not of Context or the Thomson Reuters Foundation.


Digital IDs
Tech and inequality
Tech regulation
Data rights

Get our data & surveillance newsletter. Free. Every week.

By providing your email, you agree to our Privacy Policy.

Latest on Context