DATA PROTECTION BILL WITHDRAWN

The Personal Data Protection Bill has been removed from Parliament by the Indian government while it explores a "complete legal framework" to oversee online activity and foster innovation in the nation.

About the data protection bill

On December 11, 2019, the Minister of Electronics and Information Technology introduced the Personal Data Protection Bill, 2019 in Lok Sabha.

Commonly known as the "Privacy Bill," it was designed to safeguard individual rights by limiting the gathering, transfer, and processing of data that is personal or that can be used to identify a specific person.

Challenges:

• According to many, the physical location of the data is irrelevant in the cyber world because national agencies may still not have access to the encryption keys.
• The terms "national security" or "legitimate purposes" are ambiguous and subjective, which could result in the state meddling in citizens' personal affairs.
• Technology behemoths like Facebook and Google oppose it and have criticized the protectionism of the data localization policy because of concern that it would spread to other nations.
• Social media corporations, industry professionals, and even ministers had rejected it, claiming that it had too many flaws to be efficient and advantageous for both customers and businesses.
• Additionally, it can backfire on established companies that process foreign data in India as well as on emerging businesses in India that are striving to go worldwide.

Why the bill has been withdrawn??

Too many Amendments:

• The Personal Data Protection Bill, 2019 was thoroughly examined by the Joint Committee of Parliament.
• 12 proposals and 81 changes were put out to create a thorough legal framework for the digital economy.
• A thorough legislative framework is being developed in light of the Joint Committee of Parliament’s report.
• So, it is suggested that to withdraw.

Compliance-Intensive:

• Startups around the nation have criticized the Bill for being too "compliance-intensive."
• The revised legislation will be a lot simpler to follow, particularly for entrepreneurs.

Data Localisation concerns:

• The IT businesses raised concerns about a proposed clause in the Bill dubbed Data Localisation.
• Data localization would have made it essential for businesses to keep a copy of specific sensitive personal data in India, and it would have prevented the export of unspecified "important" personal data.
• The central government and its agencies would be given broad exclusions from all of Bill's requirements, according to the activists' criticism.

Delay in Implementation:

• The delays in the Bill had been criticized by several stakeholders pointing out that it was a matter of grave concern that India did not have a basic framework to protect people’s privacy.

Recommendation of the joint committee:

• The Srikrishna panel's finalized bill was subject to 81 proposed amendments, as well as 12 recommendations, one of which was to broaden the proposed law's purview to include discussions of non-personal data and shift the focus of the bill from personal data protection to more comprehensive data protection.
• Any collection of data that lacks personally identifiable information is considered non-personal data.

• Additionally, the JCP study made suggestions for improvements to social media company regulation and the use of only "trusted hardware" in cellphones, among other things.
• It was suggested that social media platforms that do not serve as middlemen should be regarded as content publishers and held accountable for the material they host.

Way ahead

Data localization:

• The information must be kept at a location that the Indian government trusts and be available in the event of a crime.
• Additionally, the government may think about restricting cross-border data flows to "trusted regions."

Data classification:

The new Bill might do away with data classification from the standpoint of data localization and limit the use of classification to determine damages for individuals whose personal data may have been compromised by an entity.