After 4.5 years of work, Modi govt could start over on data protection Bill, says media report

New Delhi: After nearly five years of work on a data protection Bill, the Narendra Modi government is thinking of scrapping the draft now on the table in Parliament— with all its recommendations from a Joint Parliamentary Committee — and bringing in a fresh piece of legislation.

According to a report in the Economic Times, the government is considering starting from scratch on a new data protection Bill because the current version isn’t seen as adequately addressing the needs of start-ups and established technology companies. 

Officials quoted in the report cited a need to maintain momentum in India’s start-up and technology ecosystem, which created 42 unicorns — start-ups valued at or over a billion dollars — in the last year alone. The structure envisaged by the current Bill would be “very bureaucratic” with compliance requirements that could “cripple” the industry. 

It was in August 2017 that the government appointed retired Supreme Court Justice B.N. Srikrishna as head of a committee to study and recommend a draft data protection bill. The Srikrishna Committee submitted its recommendations in 2018.

However, the IT ministry then tabled the Personal Data Protection Bill, 2019, in Parliament. This had changes that made it substantially different from the Srikrishna Committee’s recommendations, with Justice Srikrishna himself decrying it as “Orwellian”.

Then, in 2020, a Joint Parliamentary Committee with members from both Houses was appointed to study the Bill. It submitted its recommendations in December 2021.

Concerns over non-personal data, social media intermediaries

The recommendations and changes the Joint Parliamentary Committee asked for included bringing both personal and non-personal data under the ambit of the Bill, and requiring government approval for sensitive personal data of Indians that is to be taken out of the country.

It also mandated a strict timeline of 72 hours in which to report data breaches, and required intermediaries such as social media companies to be responsible for content posted by users on their platforms.

The Economic Times report stated that the committee’s recommendations have received “sustained criticism” from stakeholders in India and abroad. This criticism includes concerns over the attempt to govern non-personal data under a Bill originally intended just for personal data, and the possibility that social media platforms will be held responsible for what users post. 

In addition, Meta (formerly Facebook) in its annual filing with the US Securities and Exchange Commission earlier this month, had shared concerns about regulatory hurdles around data storage and transfer in India. Google’s parent company, Alphabet Inc., had expressed similar worries without naming any country. 

Soon after the Joint Parliamentary Committee’s recommendations were published, the Internet And Mobile Association of India, an industry body, stated its concerns in a 17 December statement that was emailed to ThePrint.

“Prima facie, it seems the draft that was put out in 2019 after the widest possible consultations has changed fundamentally, including the title of the Bill from Personal Data Protection Bill to Data Protection Bill,” the statement said.

“Certain other deviations, such as the recommendations that social media intermediaries could become publishers in certain circumstances, and a few aspects of data localisation norms, change the original structure of the Bill substantially,” it added.

Earlier, in 2019, a Facebook India policy executive had said that separate regulators would be needed to oversee non-personal and personal data, and that it is not “appropriate” to mandate requirements for non-personal data under the Data Protection Bill, since it applied only to personal data.

(Edited by Rohan Manoj)

Also read: Social media companies would be liable for harm to kids under new proposal in US Senate