India scraps data protection law in favor of better law coming … sometime
Tech giants and digital rights groups didn't like it, but at least it was a law
The government of India has scrapped the Personal Data Protection Bill it's worked on for three years, and announced it will – eventually – unveil a superior bill.
The bill, proposed in 2019, would have enabled the government to gather user data from companies while regulating cross-border data flows. It also included restrictions on sharing of personal data without explicit consent, proposed establishment of a new Data Protection Authority within the government, and more.
On Wednesday, telecom minister Ashwini Vaishnaw tweeted that the bill was nixed because the Joint Committee of Parliament (JCP) recommended 81 amendments to the Bill's 99 sections.
"Therefore the bill has been withdrawn and a new bill will be presented for public consultation," said Vaishnaw.
Union minister Rajeev Chandrasekhar also tweeted about the cancellation and the need to develop a more modern successor:
JCP report on Personal Data protection bill had identified many issues that were relevant but beyond the scope of a modern Digital Privacy law— Rajeev Chandrasekhar 🇮🇳 (@Rajeev_GoI) August 3, 2022
Privacy is a fundamental right of Indian citizens & A Trillion dollar Digital Economy requires Global std Cyber laws #IndiaTechade
The Bill was not admired by Big Tech or digital rights orgs. Asia Internet Coalition – a trade org whose members include Apple, Facebook, Google, Amazon, Twitter and more – sent a letter to lawmakers last January calling the data localization requirements in the bill "onerous" and asserting cross-border transfer decisions should be free of political interference.
Anushka Jain, a lawyer for New Delhi-based Internet Freedom Foundation, told The Reg in May that digital liberties organizations worried the bill exempted India's government and local authorities from data protection requirements, and thereby could facilitate unchecked surveillance.
"We feel that data protection and surveillance are extremely interconnected," said Jain, adding "It might end up working towards the interest of the government which might not be in congruence with what is in the best interest of the citizens."
However, just because critics had concerns about the bill, it did not mean they wanted it totally scrapped.
IFF's executive director Apar Gupta told The Register:
"It has been close to ten years since the government constituted A.P. Shah Committee report on privacy, five years since the Puttaswamy Judgement and four years since another government constituted Srikrishna Committee report – they all signal urgency for a data protection law and surveillance reforms.
"Each day lost causes more injury and harm. Hence the withdrawal of the Data Protection Bill, 2019 is concerning – for a belated, deficient regulation is being junked."
Gupta added that he was disappointed the ministerial statements on withdrawal, both in parliament and public, avoid any commitment to timelines for development of a new law.
"The statement notes work on a 'comprehensive legal framework'. This is attributed to the JPC (Joint Parliamentary Committee) report on the Data Protection Bill, 2019. This is incorrect as the remit of the JPC was limited to the Data Protection Bill, for which it did not recommend a withdrawal," said Gupta.
Other critics of killing the bill accused the government of giving over too much power to Big Tech – a situation that prime minister Narendra Modi seems keen to avoid as he continually seeks to regulate tech giants operating in India, sometimes ending in lawsuits. ®