Here are nine key things that you must know.
When was the Data Protection Bill first drafted?
A special committee was appointed and formed under former Supreme Court of India judge, Justice B.N. Srikrishna, in 2017. It is this committee that submitted the first draft of the Data Protection Bill to the Parliament in July 2018.
What was it initially called?
The initial draft of the Bill was largely focused on the handling of personal data of users, and in line with this philosophy, was called the Personal Data Protection Bill of India.
What significance did its renaming carry?
The shift from the Personal Data Protection Bill (PDPB) to the overarching Data Protection Bill was undertaken with the advice of a Joint Parliamentary Committee (JPC). While the initial draft was focused on data privacy, the JPC revisions brought in segregations in terms of personal and non-personal data, and within that, an understanding of sensitive data and the way companies could handle the same.
What is the Joint Parliamentary Committee in this regard?
The JPC was constituted in December 2019 to inspect and offer feedback on the PDPB. The committee was afforded a two-year extension window to come up with a comprehensive recommendation to the Bill, which it eventually did before its final submission to the Parliament in December 2021.
What recommendations did the JPC make towards it?
The JPC made a host of recommendations, beginning with clearly defining digital privacy under the Bill — as opposed to a broader understanding of individual privacy. The recommendation was made in light of the Supreme Court’s landmark Puttaswamy verdict of 2017, which recognised an individual’s right to privacy as a ‘fundamental’ right in India. In this regard, the JPC sought to clearly define the purview of the Bill as digital (and not overall) data belonging to an individual.
Citing interests of national security and sovereignty of the country, it said the clauses of data protection would be nullified for a user. The clause attracted plenty of controversy from activists and free internet advocates, who called it out for the government’s access to user data without accountability. Notably, eight members within the JPC opposed the Bill for adding blanket exemptions to government departments, which allowed the latter to access private user data.
Other recommendations made by the JPC included defining how internet companies were required to handle data belonging to users in India, and a consent mechanism that companies could be mandated for gathering user data. It also suggested treating social media companies as content publishers for liability of the content published on them.
The JPC proposals suggested that internet companies could only hold on to data belonging to a user for only a stipulated, ‘necessary’ period of time. There were also recommendations on using “trusted hardware” in smartphones.
Why was the Bill scrapped?
In a note sent to Members of Parliament, Union IT Minister Ashwini Vaishnaw explained the reason behind the withdrawal of the Bill. “The Personal Data Protection Bill, 2019 was deliberated in great detail by the Joint Committee of Parliament. 81 amendments were proposed and 12 recommendations were made towards a comprehensive legal framework on the digital ecosystem. Considering the report of the JCP, a comprehensive legal framework is being worked upon. Hence, in the circumstances, it is proposed to withdraw ‘The Personal Data Protection Bill, 2019′ and present a new Bill that fits into the comprehensive legal framework.”
Startups across the country called the Bill too “compliance intensive”. The government is now trying to come out with a new Bill that will be easier to comply with, as per sources. As announced by IT minister Ashwini Vaishnaw, a new framework is already underway and could be introduced quite soon.
Do social media and cyber security also fall under the new framework?
While there is no definite clarity on this matter at this very moment, it is likely that the framework will bring India’s existing laws on social media and cyber security under its ambit as well. Social media intermediaries in India are already regulated under the revised Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 — simply known as the IT Rules, 2021. Cyber security, meanwhile, is defined by new rules notified by the Ministry of Electronics and IT (MEITY) in June this year. All of this could be brought under a new digital law framework, as many of the rules would be interlinked between each other.
Will the new framework also regulate data localisation?
Data localisation was a contentious issue in the last Bill, where companies objected to the provision that called for storing a copy of users’ sensitive personal data within India and disallowing the export of “critical” data. It is likely that data localisation will be a part of the new legal framework to regulate technology and data protection. Industry stakeholders state that while various sectors (such as financial operators) already have their own data localisation law, the upcoming framework for data protection could offer clearer definitions for internet companies to localise user data storage and processing in India as well.
When will the new framework be introduced?
At the moment, there is no definite timeline that has been mentioned by the central government. However, IT ministers of the union government have stated that the framework is already being worked on. As stated before, industry experts expect that it could be introduced this year itself, in the Parliament’s Winter session.
For all the latest Technology News Click Here
For the latest news and updates, follow us on Google News.
