Journey's End or Never-ending Voyage: The Collapse of India's Proposed Data Privacy Legislation

Journey's End or Never-ending Voyage: The Collapse of India's Proposed Data Privacy Legislation

The draft Personal Data Protection Bill (PDP Bill) of India, which had been in development for over a decade, was withdrawn in 2022 by the Union Electronics and Information Technology Minister Ashwini Vaishnaw[1]. The Bill, which underwent several iterations and was referred to a joint parliamentary committee for two years, aimed to establish a comprehensive data protection framework for India[1].

The reasons behind the withdrawal appear connected to the evolving regulatory strategy of the Indian government regarding personal data protection. The government has instead opted to introduce a new, more streamlined legislation, the Digital Personal Data Protection Act (DPDP Act) 2023, which received presidential assent in August 2023[2][3]. This shift reflects a recalibrated focus to balance individual consent and data processing needs, considering the reality of "zero price markets" where services are offered free but paid for through personal data[2].

Key factors influencing this change were:

- Concerns over the complex consent mechanisms in the PDP Bill, such as the bundled consent mechanism, which the Ministry of Electronics and IT (MeitY) planned to phase out in favor of clearer, user-friendly processes allowing real-time management and withdrawal of consent for cookies and data use[1]. - The need to align data protection with practical realities of data usage, including provisions enabling data processing without explicit consent under legitimate scenarios (e.g., government services, emergencies)[3]. - A desire for tighter oversight on cookies and behavioral tracking, real-time user control over consent, and an escalation mechanism for unresolved complaints, all aimed at enhancing user privacy and trust while not unduly burdening service providers[1]. - The urgency to address data security and surveillance concerns, including safeguarding against government misuse of data, which had increased public and political attention on data governance[4].

In summary, the withdrawal of the PDP Bill in 2022 was part of a strategic pivot to introduce a more practical, consent-based data protection regime via the DPDP Act, simplifying compliance and focusing on operational clarity while addressing longstanding privacy concerns in India's fast-evolving digital landscape[1][2][3][4].

The opposition to cross-border data flows provisions in the Bill was reflected in the involvement of the US Government, including flagging the "harms" of the PDP Bill in the United States Trade Representative's Special 301 report in 2022. India's Minister for Information Technology, Ashwini Vaishnaw, has stated that the Government is planning a new, comprehensive legislative package[5].

It is important to note that the PDP Bill was not the first attempt to create comprehensive national privacy legislation in India. Three versions of proposed privacy legislations were leaked between 2011 and 2014, but these efforts stalled during an election year and were never resurrected[6]. Attempts to create privacy legislation were made a decade ago, following the release of the Government's 2010 Approach Paper on the Legal Framework for Privacy[7].

Currently, India lacks meaningful statutory data protections or privacy protections. The withdrawal and subsequent re-introduction of the data protection legislation underscore the importance of data privacy in India's digital landscape and the ongoing efforts to establish a robust regulatory framework.

[1] The Economic Times. (2022). Personal Data Protection Bill 2019: Why it was withdrawn. https://economictimes.indiatimes.com/news/politics-and-nation/personal-data-protection-bill-2019-why-it-was-withdrawn/articleshow/94095438.cms [2] The Hindu. (2023). Draft Digital Personal Data Protection Bill 2023: Key changes and highlights. https://www.thehindu.com/sci-tech/technology/draft-digital-personal-data-protection-bill-2023-key-changes-and-highlights/article66791107.ece [3] Livemint. (2023). What's new in the draft Digital Personal Data Protection Bill 2023. https://www.livemint.com/technology/tech-news/whats-new-in-the-draft-digital-personal-data-protection-bill-2023-11684202100914.html [4] The Wire. (2023). India's draft Digital Personal Data Protection Bill: A brief explainer. https://thewire.in/tech/indias-draft-digital-personal-data-protection-bill-a-brief-explainer [5] Business Standard. (2022). Government planning a new, comprehensive legislative package: Ashwini Vaishnaw. https://www.business-standard.com/article/current-affairs/government-planning-a-new-comprehensive-legislative-package-ashwini-vaishnaw-122072400897_1.html [6] The Hindu. (2021). Personal Data Protection Bill 2019: A timeline. https://www.thehindu.com/sci-tech/technology/personal-data-protection-bill-2019-a-timeline/article36141946.ece [7] Ministry of Electronics and Information Technology. (2010). Approach Paper on the Legal Framework for Privacy. https://meity.gov.in/writereaddata/files/Approach_Paper_on_the_Legal_Framework_for_Privacy.pdf

1. The withdrawal of the PDP Bill in 2022 marks a strategic shift towards a more practical and consent-based data protection regime in India, as demonstrated by the introduction of the Digital Personal Data Protection Act (DPDP Act) 2023.
2. The DPDP Act aims to balance individual consent and data processing needs, with a focus on simplifying compliance and addressing longstanding privacy concerns in India's digital landscape.
3. Key changes in the DPDP Act include clearer, user-friendly processes for managing and withdrawing consent for cookies and data use, provisions for data processing without explicit consent in certain circumstances, and tighter oversight on cookies and behavioral tracking.
4. In addition, the DPDP Act addresses data security and surveillance concerns, including safeguards against government misuse of data, and enhances user privacy and trust.
5. The withdrawal of the PDP Bill and the subsequent introduction of the DPDP Act underscores the importance of data privacy in India's digital landscape and the ongoing efforts to establish a robust regulatory framework for privacy and data protection policies and legislation.

Read also: