Explained: The Lifecycle of the Personal Data Protection Bill, 2021 – till withdrawn

In our last 2 (two) newsletters, we had explained on the impact, business in India may see, due to new laws enforced in the European Union.

As you all must be aware that yesterday i.e., on 3 August 2022, in a statement to the Lok Sabha, The Minister of Electronics and Information Technology, Mr. Ashwini Vaishnaw moved a motion at the Lok Sabha with a requested to withdraw The Personal Data Protection Bill, 2021 (“PDP Bill”) as the Joint select Committee of both the houses of Parliament (“JCP”) had flagged several issues to the current PDP Bill and had suggested changes to the PDP Bill to make it more comprehensive.

The said motion was approved by the House of Parliament – to withdraw the PDP Bill and to replace it with a new data protection bill with comprehensive framework and contemporary digital privacy laws.

In today’s newsletter, we wish to explain in brief –

• the journey of the PDP Bill from the day of its origin;
• to the reasons for its withdrawal;
• to the implications the withdrawn PDP Bill will have on business, if any and;
• what to look out for in the next privacy legislation proposed by the government.

On 24 August 2017, a nine-judge bench of the Supreme Court in the case of Puttuswamy v. Union of India declared that the right to privacy is a fundamental right protected under Part III of the Constitution of India. This landmark judgement coupled with the express directions of the Supreme Court, gave way for the need for India Inc. to enact a comprehensive law of privacy, based on the recommendations of the Justice Srikrishna committee.

In 2018, a committee of high-level experts headed by former Supreme Court Judge BN Srikrishna, constituted by the Indian government, issued a first draft of a proposed law on data protection i.e. The Data Protection Bill, 2018.

The Personal Data Protection Bill, 2019 (“2019 Bill”), a revised version of the draft proposed in 2018, was presented before the lower house of the Indian Parliament on December 11, 2019, which sought to provide for the protection of personal data of individuals and establish a Data Protection Authority.

On 12 December 2019, the 2019 Bill had been referred for examination to the JCP and, on 16 December 2021, the JPC chaired by Member of Parliament Shri P.P. Chaudhary tabled the report on the 2019 Bill along with the amended Bill (i.e., the PDP Bill) before both Houses of Parliament.

The JPC deliberated on the 2019 Bill for over two years, during which time the 2019 Bill underwent substantial changes in both scope and nature. A total of 188 amendments were recommended to the 2019 Bill, out of which 91 amendments were of significant nature, while the rest were editorial or technical in relation to the drafting of the 2019 Bill.

As per the Recommendation No.1 of the 542 pager report of the Joint Committee on the Personal Data Protection Bill, 2019 (“JCP Report”) – “The Committee approves the objects and reason of the 2019 Bill as these are in the nature of public policy as these suitably address the concerns that emerge out of the Puttuswamy judgement on privacy as a fundamental right and the broad recommendations of the BN Srikrishna Committee and the desire that contractual provisions must adhere to the same accordingly.”

However, considering the report of the JCP, Minister of Electronics and Information Technology, Mr. Ashwini Vaishnaw said that, a comprehensive legal framework is being worked upon. Hence, in the circumstances, it is proposed to withdraw ‘The Personal Data Protection Bill, 2019’ and present a new bill that fits into the comprehensive legal framework.

Basis the said recommendations to the JCP Report, the JCP had tabled a revised draft of 2019 Bill that then came to know as the PDP Bill.

Please note that the PDP Bill was a draft legislation that that still required many amendments to:

• not only comply with the recommendations of the Justice Srikrishna committee, before gaining approval from the both houses of the Parliament and the President but;
• it has also failed to gain any positive review from the industry in India; global business including large Tech companies; data companies; and
• it had also received criticism from the European Data Protection at the Board German Conference of Independent Data Protection Supervisors of the Federal Government and the Länder, where India’s level of data protection was analysed from a government access standpoint

and hence, was withdrawn.

If the PDP Bill had been enacted, it would have replaced Section 43 of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and prevail over any other inconsistent laws in this regard (e.g., any sector-specific laws).

However, please note that a ‘bill’ under discussion or passed by parliament just is the outline of a law that may come into effect, if enacted.

As the PDP Bill, was – as the name states, a bill that was under discussion by the Parliament and was withdrawn before it could be enacted as a law, therefore it has no implications on the industry, other than the time and resources spent previously in understanding – what business would have had to do, if the PDP Bill was enacted and enforced.

Whilst IT Minister Mr. Ashwini Vaishnaw has said that, a comprehensive legal framework is being worked upon, there is currently no new draft legislation on data and privacy – that has been provided, in place by the Government.

As Justice BN Srikrishna has rightly said – “This time they should consider all the criticisms by the internet activists, foreign companies, and the social activists that the bill was not giving enough thought to the data privacy right” – as the PDP Bill was withdrawn after 4 years of work had been put in by industry and experts alike.