Moneycontrol PRO
you are here: HomeNewsBusiness

All you need to know about Personal Data Protection Bill 2019, and why it was withdrawn

The latest version of the Bill included both personal and non-personal data in its ambit, which would be dealt with by a Data Protection Authority.

August 04, 2022 / 06:03 PM IST
Representative image

Representative image

On August 3, the Centre withdrew the Personal Data Protection (PDP) Bill. This came after a joint parliamentary committee (JPC) spent two years deliberating the 2019 draft of the Bill before finally tabling its report in December 2021.

For months after the report was tabled, it was expected that the Bill would be enacted, which would give the country its first data protection law.

With the Bill now being withdrawn, it is unclear when the proposed new set of laws that the government is planning to replace the PDP Bill 2019, will come into being.

Let's take a look at what constitutes personal data, the PDP Bill, and what it proposed to do — in chronological order starting from 2017.

What is the Personal Data Protection Bill 2019?


In 2017, after the Right to Privacy was deemed a fundamental right, the Central government set up the Justice BN Srikrishna Committee to assess personal data and its protection. The committee prepared and presented its draft in 2018. Post that, based on the draft and after multiple inter-ministerial consultations, the Personal Data Protection Bill was cleared by the Union Cabinet, and it was tabled in Parliament on December 11, 2019.

The Bill, in its essence, aimed at protecting personal data of individuals and their Right to Privacy by bringing in regulations to oversee the manner in which personal data is processed, as well as for remedies or penalties for people who have been affected by data breaches, unlawful processing of data, and so on.

What is personal data and breach of personal data?

According to the draft Personal Data Protection Bill 2019, ‘personal data’ is any data about or relating to a person, who is directly or indirectly identifiable, whether online or offline, and shall include any inference drawn from such data for the purpose of profiling.

The Bill also categorises certain personal data, such as financial, biometric, caste, religious, etc, as sensitive personal data.

Personal data breach, according the ‘definition’ section of the draft, is “any unauthorised or accidental disclosure, acquisition, sharing, use, alteration, destruction of, or loss of access to, personal data that compromises the confidentiality, integrity, or availability of personal data to a data principal”.

What did the Bill propose?

The Bill proposed the creation of a Data Protection Authority, a government-established, singular data protection body. This proposed authority would look into breaches of personal data, ensure compliance of data fiduciary, and ensure compliance of such fiduciaries with the Bill.

According to the PDP Bill 2019, a data fiduciary is an entity or individual who decides the means and purposes of processing personal data. It also contained provisions of appointing data protection officers (DPO), who would be appointed by data fiduciaries, and would be responsible for adhering to provisions of the Bill.

Overall, the Bill proposed restrictions on the use of personal data without consent of citizens. In terms of processing of data, the Bill proposed a framework that would regulate cross-border transfer of data, and accountability of data fiduciaries handling such data, among others.

Who had to comply?

The now withdrawn Bill would have governed processing of data by the government, companies incorporated in India, and foreign companies dealing with personal data of individuals in India.

Why was it criticised?

The 2019 draft was criticised over concerns regarding Section 35 and Section 12 (a) of the Bill. Let’s see what these sections say:

According to Section 35 of the Bill, the Central government would be empowered to exempt any government agency from the provisions of the law in the interest of India’s sovereignty, integrity, public order, and so on. The exemption could be accorded if the government was satisfied that it was necessary to do so, but albeit, ‘subject to procedures, safeguards, and oversight mechanisms to be prescribed by the government’.

It was criticised by various stakeholders, such as Congress leader Jairam Ramesh stating that the Section would give ‘unbridled powers to the central government to exempt any government agency from the Act itself’.

Similarly, Section 12 of the withdrawn Bill was criticised because it allowed for non-consensual processing of personal data by the State for providing service or benefit to the concerned person.

What did the JPC discuss for two years?

After the Bill was brought in 2019, it was referred to a Joint Parliamentary Committee composed of members of both houses, including the now Minister of State in Electronics and Information Technology (MeitY) Rajeev Chandrasekhar.

According to reports, over the two years, several changes to the draft were proposed by members who went through the 2019 draft clause by clause. It was proposed that the name of the Bill be changed to Data Protection Bill from Personal Data Protection Bill, to reflect the possible inclusion of regulating non-personal data in the regulation.

When was the report tabled?

On December 16, after undertaking discussions for two years, the JPC on the PDP Bill tabled its report in Rajya Sabha.

What did the JPC recommend?

The JPC's report, which was incorporated as a fresh version of the Bill, termed the PDP Bill 2021, retained majority of the provisions of the 2019 version, but added new provisions such as:

Inclusion of personal data: When the Bill was first proposed in 2018, the committee suggested a separate Bill for non-personal data. The final draft report has conflated both personal and non-personal data. Non-personal data includes information collected by government agencies, not-for-profit organisations, and the private sector. The information is usually stored in an anonymised format.

Hardware: With manufacturing spread out globally, the committee suggested that hardware should be regulated, since hardware manufacturers too, were collecting data.

“The committee strongly recommends that the government should make efforts to establish a mechanism for the formal certification process for all digital and Internet of Things (IoT) devices that will ensure the integrity of all such devices with respect to data security,” the report read.

Following tabling of the report, several members of the JPC, including parliamentarians Mohua Moitra, Derek O'Brien, and others, criticised the report regarding provisions such as sections 35 and 12, through dissent notes.

What happened after that?

After that, although several reports citing ministers of MeitY and officials of the ministry said the recommendations of the JPC were being deliberated upon, and that it may soon see the light of day, no developments were observed in that direction.

Why has it been withdrawn now?

One of the major reasons for withdrawing the PDP Bill is that it would have made compliance hard for start-ups, Minister of State for Electronics and Technology Rajeev Chandrasekhar said on August 3.

Sources had also said that many provisions of the Bill, such as data localisation, hardware authenticity clauses, and so on, went beyond data protection, and into the realm of privacy.

What next?

According to a person in the know, a comprehensive set of laws and rules will be enacted to deal with data protection and related subjects.

Other policies under this umbrella would include personal data protection, cybersecurity law, data management and safety, and a national data governance framework policy, among others. No specific time frame has been given by the government for the introduction of these set of laws and rules.
Aihik Sur covers tech policy, drones, space tech among other beats at Moneycontrol
first published: Aug 4, 2022 06:03 pm
ISO 27001 - BSI Assurance Mark