With the chairperson of the committee joining the ministry, there are doubts about the timing of the new bill
Four years after India’s official action began towards creating a privacy regulation in India, the nation is still waiting for this elusive piece of legislation. The latest twist in the tale is that the chairperson and four members of the joint parliamentary committee have been absorbed as ministers in the Central Cabinet, creating five more vacancies in this committee of 30 – and raising the total vacancy to seven.
However, what has created the gap is not the number of vacant positions, but the fact that the chairperson position has become vacant with Meenakshi Lekhi joining the ministry as MoS for Culture and External Affairs.
The journey for a personal data protection regime or privacy regime, as it is often labeled, began in July 2017, with the constitution of an experts committee under the Chairmanship of Justice B N Srikrishna, former judge of Supreme Court of India, to identify key data protection issues in India and to ‘make specific suggestions for consideration of the Central Government on principles to be considered for data protection in India and suggest a draft data protection bill.’
Barely a month after that, Supreme Court, on 24 August 2017, ruled that right to privacy is a fundamental right.
“The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution,” the bench ruled in its order while over-ruling two earlier decisions by the apex court. The government had argued against privacy being a fundamental right.
This decision really accelerated the journey.
The expert committee published a whitepaper on data protection issues in December 2017, in just four months of it being constituted. The government released the whitepaper, inviting public comments on the issues. Based on the consultation, the committee submitted its report and a draft data protection bill in July 2018—exactly a year after the SC judgment—and invited comments on it within two months.
The Indian draft data protection bill caught global attention because of a few reasons. One, it insisted on all organizations dealing with personal data of Indians to have one copy of that data within the shores of India, which created a lot of furore. Two, unlike the GDPR and UK Data Protection Act, the Indian draft bill was comparatively softer on government agencies when it comes to the rights of data owners, as compared to private organizations.
Due to General Elections, tabling of the Bill was delayed. After the General Elections in 2019, the Government did some changes in the version submitted by Srikrishna Committee, which drew further criticism from many activists.
In the first week of December 2019, the Union Cabinet has cleared the bill, and the new bill was introduced in Lok Sabha on 11 December 2019. The new bill, by that time called Data Protection Bill 2019 brought about some significant changes.
One, it extended the obligations of significant data fiduciaries to what it called social media intermediaries. The Bill defined a social media intermediary as ‘an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services’ while specifically excluding e-commerce companies, ISPs, on-line storage service providers, online encyclopedias, and search engine operators. In short, while Facebook, Twitter, LinkedIn could come in its definition, Wikipedia, Amazon and Google would not. It further clarified that such intermediaries are entities those ‘whose actions have, or are likely to have a significant impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India.’ It also talked about social media verification of accounts (even though voluntary), which were criticized by many.
Two, while the earlier draft bill submitted by Srikrishna Committee allowed access of personal data to the government for security purpose, based on principles of necessity and proportionality, the new bill made stated that the Central Government may ‘direct that all or any of the provisions of this Act shall not apply to any agency of the Government in respect of processing of such personal data’. The Srikrishna Committee draft was seen by many as giving too much concessions to government agencies. This took it a few steps further.
However, it diluted on data localization requirements mandated by the earlier draft bill. While the earlier draft required that a copy of all personal data to be stored in India, the new bill restricted it only to sensitive and critical personal data. It also added right to erasure, a major provision in most privacy legislations across the world, which was a good change.
While there were many other changes, what attracted a lot of criticism was the removal of the mandatory inclusion of a judicial member (the CJI or another Supreme Court judge) from the selection committee empowered to give recommendations to the Central Government for the appointment of members of the Data Protection Authority, reducing it to a panel of secretaries – Cabinet Secretary, Secretary Law and Secretary IT – thus handing it over to the government. What was questioned was how a body appointed solely by the Government would ensure enforcement of the provisions by the government agencies.
Amidst the discussion, the bill was referred to a Parliamentary committee set up for the purpose on 11 December 2019. The deadline for the committee was the first day of the last week of the Budget Session in 2020. Since then, the deadline has been extended four times.
The Current Impasse
With the Chairperson joining the Central government, there has again been question mark on when the committee will submit its report.
Between January to December 2020, the Committee had had 66 sittings. After the initial briefing by the Ministry of Electronics and Information Technology, the committee has heard the oral evidence from the representatives of ministries and government agencies, regulators, associations, companies, law firms and other stakeholder groups.
Ministries of Electronics and Information Technology, Law & Justice, Home Affairs are among the ministries who have presented. Other government bodies and regulators who have presented include Unique Identification Authority of India, Reserve Bank of India, National Crime Record Bureau. Among associations, ASSOCHAM, NASSCOM have given oral evidence, while groups such as Dr APJ Abdul Kalam Centre, Forum for Integrated Security (FINS) have also presented. Among companies, Facebook, Twitter, Amazon, Google, Uber, Ola, Paytm, Jio Platforms, Reliance Jio Infocom, Bharti Airtel, and TrueCaller have presented oral evidence.
Between November and December last year, the committee had had 40 sittings to discuss and examine the bill clause by clause. This means probably the time-taking work is over.
Yet, all these have to be summarized in a report and should be presented by the Chairman of the committee, the position for which is now vacant.
While that has created some disappointment, Lok Sabha Speaker Om Birla has said on the record that there would be no more extension for the committee, which raises some hopes.
Also, while talking about the need to refresh the IT Act (amidst the controversy with Twitter and WhatsApp) Meity Secretary Ajay Prakash Sawhney has publicly said that the immediate focus (and priority) is the Personal Data Protection Bill.
But till we see the bill getting passed, it is just another dream. As of now, the bill is caught up in the tarikh pe tarikh web, as Bollywood puts it.
Yet, with the provisions being largely clear, it is time for the organizations dealing with personal data to start taking the next steps.