The center looks at three aspects that will make up the new legislation – the national data protection framework, the new data protection law and the new IT law. One of the officials said that while one of the three aspects – the national data governance framework, which addresses regulation of non-personal data – is almost ready with public consultation on its draft, the other two now need to be finalized.
The government wants to introduce the new data law in the winter session of parliament.
Consultations and meetings take time
However, two other officials said the next budget session could be a “more realistic target” as the bill will require extensive industry consultation and careful drafting.
The government on Wednesday withdrew the 2021 Personal Data Protection Act, saying it would be replaced with “a comprehensive legal framework” designed “to address all current and future challenges of the digital ecosystem”.
Discover the stories of your interest
“The draft of the new bill is completely ready,” an official said. “We have examined all aspects of the old bill, the recommendations of the JCP (Joint Committee of Parliament) and the input we have received from experts. It’s a comprehensive framework.”
The new legislation could eliminate clauses and sections not directly related to data and privacy, another government official said.
Officials said the reason the government may need to press ahead with the bill for the budget session is that it doesn’t want to rush into creating legislation that isn’t comprehensive, future-proof and may not serve the purpose five years from now.
“There is the part of the public consultation that will obviously take some time,” said a senior government official. “Then there will be meetings with various political groups, which will also need to be given time for comments and counter-comments, for which there must be at least 30 days.” The winter session normally begins in November, while the budget is presented on February 1st.
IT Minister Ashwini Vaishnaw said in an interview with ET on Wednesday that the government will go through the approval process very soon and “will present (it) in the coming (winter) session or the forthcoming (budget) session of Parliament”.
On Wednesday, after the bill was withdrawn, Minister of State for IT Rajeev Chandrasekhar said the government would seek wide consultation on the legislation and be “transparent and open” as it has been on other bills.
Although the bill’s repeal is viewed by many as a nod to continued opposition from global and local tech companies, policymakers and privacy advocates to the legislation, first discussed as a “privacy law” in 2017, government officials have claimed it is “a procedural issue” and that not much is being read into it should.
“There can’t be two bills of the same kind,” said one of the officials quoted above. “If the old bill is not replaced, the new one could not possibly have been introduced. The possibility of making changes to the old bill was discussed, but there were so many clauses and sections that needed updating that we felt it best to rewrite it.”
Privacy and policy experts, who flagged the earlier bill as problematic, said the new one should conform with the Puttaswamy ruling, which made privacy a fundamental right while creating state exceptions.
“It has been almost 10 years since the AP Shah Committee’s report on data protection, five years since the Puttaswamy ruling, and four years since the report of the Srikrishna Committee (on data protection legislation),” said Apar Gupta, executive director of the advocacy group Internet Freedom Foundation . “They all signal the urgency of a privacy law and surveillance reforms. Every day lost causes more injuries and damage… It’s not about getting a perfect law, it’s about getting any law at this point.”
Co-founder Kris Gopalakrishnan, who supported the pullout, said a single law “covering privacy, data protection and data sharing” is needed.
Digital civil rights activist Mishi Choudhary, also a founder of SFLC.in, said the government must act quickly and ensure legislation comes into force as soon as possible.
“This ongoing dithering leaves citizens vulnerable, a wide field open for companies to exploit data, and a government rampant in mass surveillance,” she said in a statement. “The timing for the passage of this bill was the day before yesterday, but we continue to address this inexplicable failure to act and protect citizens.”
IT industry lobby group Nasscom said key requirements of the new bill will be to “operationalize the fundamental right to privacy and enable data protection in a way that trust in data-driven businesses grows and data-driven services grow in a safe.” knowledgable and trusting manner.”
Companies such as Google, Twitter, Meta (Facebook) and domestic companies such as Koo did not immediately comment on the development.
The legislation, originally aimed at protecting the digital privacy rights of the country’s growing base of Internet subscribers and an emerging data economy, has undergone a series of changes to include elements regulating social media, hardware companies, data localization regulations and to non-personal data. After the JCP review, the legislation drew criticism from global tech companies and local start-ups, citing the “high cost of compliance”. Some provisions even violate the fundamental rights of the country’s citizens, they said.
ET had reported that a study commissioned by the European Data Protection Board (EDPB) called India’s data policies, particularly exemptions the government requested under section 35 of the bill, of concern. In 2022, US-based trade and technology bodies had met with Department of Information Technology officials and expressed concern about the provisions of the PDP law, including those related to local storage of data.