As India scraps its PDP bill, the scope of the new framework still remains unclear

The scrapping of the PDP Bill by the Indian government has met with mixed reactions from the industry. But what is even more challenging is to arrive on a common consensus on deciding the ambit of the new bill -

The 2019 Personal Data Protection Bill (PDP Bill), touted as one of the most ambitious bill governing the country’s cybersecurity landscape was withdrawn in the first week of August at the Indian Parliament. It is going to be replaced with one, according to Ashwini Vaishnaw, Minister of Electronics & Information Technology for the Government of India that has a “comprehensive framework” and is in alignment with “contemporary digital privacy laws”.

The PDP Bill was introduced in the Lok Sabha on December 11, 2019.

“The decision of the Central Government to withdraw the 2019 PDP Bill is a welcome one for several reasons. The most key issue is the practicality of a Bill becoming the law of the land. India is a plural country and represented by members of Parliament from various regions and political affiliations. Unless each one of these, or at least a majority, is on the same page a Bill can languish as a Bill and never see the light of day as a statute,” says Sajai Singh, Partner, JSA (Law Firm).

Abhishek Malhotra, Managing Partner - TMT Law Practice says, “In my opinion, it is correct to have the bill to be withdrawn. The bill suffered from shortcomings that required a complete overhaul. Also, the fact that it considered regulating non-personal data and allowed for the government to seek access to anonymized data sets, a stark departure from any other jurisdiction required that a new law be brought to the fore.”

Why was the Bill withdrawn?

The previous Bill had many flaws, as pointed out by the global tech trade association, ITI (The Information Technology Industry Council). A few months back, just before the bill was withdrawn, ITI signed a joint letter addressing to Minister Ashwini Vaishnaw. The group, in the letter, while welcoming the Government’s commitment to data protection cautioned the current bill’s potential negative impact on India’s innovation ecosystem and the promise of a trillion-dollar digital economy.

“The Report’s recommendations run counter to global standards for data protection and competition, and the absence of a formalized and robust public debate on these significant new provisions deviates from good regulatory practices,” the coalition wrote. “Mandates for companies to locally store their data in India will degrade the privacy and cybersecurity protections by limiting state-of-the-art solutions that are globally available. When these and other recommendations in this Report are considered as a whole, their result, if enacted, would lead to a significant deterioration in India’s business environment, degrading the Ease of Doing business in and with India, and negatively impacting India’s domestic start-up ecosystem and global competitiveness.”

COVID and the sheer developments in technology have brought to the fore several other issues and the drafting of the PDP Bill needed to be made current with the ground realities – issues like ransomware becoming more sophisticated, crypto and NFT’s adding a commercial dimension to blockchain technology and the like. Various multinationals, on the other hand, are interested in seeing how Indian law will address issues like cross-border data flow, data localisation requirements and restrictions placed on certain services, like VPN.

As part of its first move, the Government had set up a 30-member Joint Parliamentary Committee (JPC) to ensure all stakeholders got a chance to air their views and comment on the proposed legislation. The JPC had recommended 81 amendments to it, which has 99 sections while making 12 recommendations. It was possible to implement some amendments by tweaking the draft, but several required a rethink of the legislation itself, like whether to include non-personal data in the PDP Bill or not. This was cited as the main reason why PDP Bill was withdrawn at the first place.

The JPC report presented has also stirred a debate after it proposed a single law for dealing with both personal and non-personal datasets, while mandating a complete local storage of data. It is also stated to have given sweeping powers to the government in certain segments.

“Till there is movement on the PDP Bill, privacy will continue to be addressed by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011,” explains Sajai Singh. “The wait should not be too long, as I believe the Government is working overtime to make this a reality sooner than later.”

While it is hailed as a wise decision by many, it does send everything to square one to start everything afresh.

Cyber Security Law expert, Pavan Duggal, while speaking at a recent security conclave in New Delhi remarked that India is at a very interesting, contrasting, and tough 2023 now that the country is going to be prepared for a new eco-system. “After five years of working on the Personal Data Protection Bill, the government decided to unilaterally withdraw the bill,” he said. “A lot of hours, months, years that went into deliberating it, first in the form of the Justice Srikrishna Committee and thereafter the joint Parliamentary Committee have all come to a grinding halt. Citing that the old bill was not sufficient enough, the govt. says that the new law is going to cover not just personal data but sensitive non-personal data. So now a new ecosystem is going to be prepared. Let’s be prepared for a humongous legislation that is going to come up and the need for tightening our belts is going to be very high. Let’s be prepared for a humongous amount of legislation that is again going to come up,” he added.