India’s government is withdrawing its long-awaited Personal Data Protection Act, which drew scrutiny from several privacy lawyers and tech giants who fear the law could give the government sweeping powers and restrict how it manages sensitive data.
The move comes as a surprise as lawmakers recently indicated that the bill, which was unveiled in 2019, could see the “light of the day” soon. New Delhi has received dozens of amendments and recommendations from a joint parliamentary committee that “identified many issues that are important but outside the scope of a modern digital privacy law,” India’s junior IT minister Rajeev Chandrasekhar said.
He said that the government will now work on a “comprehensive legal framework” and present a new draft document.
The Personal Data Protection Act sought to empower Indian citizens with rights related to their data. India, the world’s second-largest internet market, has seen an explosion of personal data over the past decade as hundreds of citizens have gone online and started using multiple applications. But what is uncertain is how much power individuals, private companies, and government agencies have.
“The Personal Data Protection Bill 2019 has been proposed by the Parliamentary Joint Committee with 81 amendments and 12 recommendations on the overall legal framework on the digital ecosystem. Taking into account the JCP report, a comprehensive legal framework is being developed. Therefore, under the circumstances, it is proposed to withdraw. Personal Data Protection 2019 Bill and come up with a new law that is consistent with the overall legal framework, India’s IT minister Ashwini Vaishnau said in a written statement on Wednesday.
The bill has drawn criticism from many industry stakeholders. The Internet Freedom Foundation, a New Delhi-based privacy advocacy group, said the bill “gives broad leeway to government departments, favors the interests of large corporations and does not adequately respect your basic right to privacy.”
Meta, Google and Amazon are some of the companies that have raised concerns about some of the recommendations made by the Joint Parliamentary Committee on the proposed bill.
The bill mandates companies to store only certain “sensitive” and “critical” data in India, including financial, health and biometric data.
“I hope that the bill is not a complete wreck in terms of the jobs that have been put in. Disrupting the account entirely creates a confusion of sorts from a privacy perspective. No one wants it,” Nikhil Pahwa, editor of Media Nama, which covers policy and media, said in a series of tweets.
“The new draft law should be submitted for public consultation. The government should recognize that civil society and broad industry participation can help improve laws and regulations. The JPC did not involve many key civil society stakeholders. The government has already made a mess of IT Rules 2021 and CERT-in directions. It should be reasonable with the rules, otherwise this will affect India’s digital future.
