Industry experts are divided over the government’s decision to withdraw the Personal Data Protection (PDP) Bill, 2019, and replace it with a new ‘comprehensive legal framework’ and ‘contemporary digital privacy laws’ for regulating online space.
The bill was revoked after nearly four years of it being in the works, where it went through multiple changes including a review by a Joint Parliamentary Committee and faced pushback from a range of stakeholders including tech companies and privacy activists.
“The withdrawal of the PDP bill is personally disappointing to me, especially since the industry has already been waiting for four years for this draft to be taken forward,” Dr Rishi Bhatnagar, Chairman, IET Future Tech Panel told indianexpress.com.
According to experts, the proposed Bill stressed on the localization of data and lacked a bifurcation to accommodate personal and non-personal datasets separately. “There were parts of the proposal that included obtaining of citizen-consent for the usage of personal data and special exemptions to probing agencies from the Act. These aspects of the Bill seem to be collectively responsible for triggering the withdrawal of it,” said Bhatnagar.
However, for Kazim Rizvi, Founding Director, The Dialogue, a New Delhi-based think tank, the withdrawal of the “Data Protection Bill 2021 is the right move as it had various shortcomings and concerns, notably around the lack of independence of the Data Protection Authority (DPA), restrictions on cross-border data flow, the inclusion of non-personal data and broad exemptions to the executive for data processing.”
The Bill had been widely criticized for being biased toward the data collection entity. For instance, if any user wants to withdraw their consent from sharing their data, it is possible but the user will have to give “a valid reason” or bear the legal consequence for such withdrawal. Moreover, what constitutes a “valid reason” is also subjective.
Another major drawback of the Bill was a proposed provision called data localization, under which it would have been mandatory for companies to store a copy of certain sensitive personal data within India, and the export of undefined “critical” personal data from the country would be prohibited.
Experts hope that a new privacy law will be enacted by next year. “The new bill must balance state interest, business interest, and individuals’ privacy concerns on the same keel,” notes Rizvi.
Meanwhile, Bhatnagar believes that the new Bill can only stand out if the framework contains regulations that are at par with global standards. “The re-framing of the Bill can also be enhanced by the inputs of IT thought leaders and experts, where ground realities and existing problems in the IT ecosystem can be touched upon with clarity,” he adds.