Are we there yet? The long road to nowhere: The demise of India’s draft data protection bill

In August 2022, the Government of India withdrew the country’s draft Personal Data Protection Bill from the Parliament’s consideration. This was a surprise move, coming after more than four years of consultations, as well as several statements from top officials that its passage was imminent and that there were no plans to scrap the Bill given the extensive deliberations undertaken.

With the withdrawal, India finds itself in a paradoxical position: privacy is a constitutionally protected right, but no meaningful statutory data protections or privacy protections exist. What could explain this volte-face by the Government, after it led four years of public consultation and ministerial deliberation to develop the draft Bill? How did India arrive at this point, and what lies ahead?

In this post, we canter through the history of India’s much-awaited (and now defunct) Personal Data Protection Bill (PDP Bill) and its withdrawal. We tease apart the reasons and realpolitik behind the withdrawal and consider what lies ahead for data protection in India.

How did we get here?

The PDP Bill was not the first time that attempts had been made to create a comprehensive national privacy legislation for India.

A decade ago, attempts were made to create privacy legislation following the release of the Government’s 2010 Approach Paper on the Legal Framework for Privacy. The paper identified the need for privacy and data protection legislation given the privacy risks of several largescale national ICT-based programs being initiated, especially India’s universal digital identity program called Aadhaar. The Government then constituted a Committee of Experts (chaired by Justice AP Shah) to consider these issues, who in their final report of 2012 also recommended the creation of privacy legislation for India. Three versions of proposed privacy legislations were “leaked” between 2011 and 2014, but these efforts stalled during an election year and were never resurrected.  

The public and legal debate around privacy, however, continued in this period, coming to a head in 2017—once again in connection with Aadhaar. The Supreme Court of India had been hearing a raft of petitions that challenged the constitutionality of the Aadhaar system on the basis that it infringed on Indians’ right to privacy. A central question facing the Court was whether privacy was a fundamental right in India. The reference to this question was made to a nine-judge constitutional bench to definitively settle the question in Indian law.

In the 2017 decision of Justice K.S. Puttaswamy v Union of India, the Supreme Court affirmed that privacy (including informational privacy) was protected under the Constitution of India. More practically, the decision played a role in forcing the hand of the Executive to create legislation on privacy and data protection.

In the background of the debates around the Puttaswamy matter, the Government had created a Committee of Experts (chaired by Justice BN Srikrishna) in 2017 to suggest a draft data protection law. The Supreme Court specifically referred to the efforts of this Committee and noted its expectation (see para 185, page 260 of the lead judgment) that the Government would create a data protection regime. This renewed process to create a data protection law for India resulted in widespread discussion around the substantive principles that India should operationalize into a law.

The Srikrishna Committee undertook public consultations to produce its White Paper in 2017 and Final Report in 2018, presenting the first draft of the draft PDP Bill in 2018. A further round of public consultation with the Ministry followed in 2018.

In December 2019, following internal ministerial consideration, an updated draft of the PDP Bill was introduced into the lower house of Indian Parliament. It was referred to a Joint Committee of Parliamentarians in the Upper and Lower House, who considered the Bill for two years before presenting their final report in December 2021.

So 2022 dawned with much excitement that the next (and potentially final stage) for the Bill would arrive, with its re-introduction into Parliament for further consideration or passage.

So why was the PDP Bill withdrawn?

The Government’s reported reason for the withdrawal of the PDP Bill was that the changes suggested by the Joint Parliamentary Committee were so numerous, that it was deemed fit to remove and replace it with a new over-arching legislative package. The Joint Committee’s report proposed over 80 changes to the text of the Bill. However, commentators have noted that many of these could have been incorporated into the draft if the Government had the will. Few expected that these changes would result in wholesale eschewing of the Bill. So what could be the reason for this unexpected withdrawal?

A closer look at the unresolved issues in the PDP Bill at the time of its withdrawal, and responses from certain stakeholders, provide some clues to interests behind the move.

First, a key issue facing resistance related to cross-border data flows. Broadly, the PDP Bill sought to put in place (soft) data localization with a “green lighting” system overseen by the Central Government, which had been a major source of discomfort for many global industry players with major commercial and foreign policy implications for India. This opposition was also reflected in the involvement of the US Government, including flagging the “harms” of the PDP Bill in the United States Trade Representative’s Special 301 report in 2022.  

Second, the PDP Bill was squarely in the crosshairs of the broader stand-off between the Indian Government and US-based large technology companies, especially social media intermediaries, given their perceived role in a range of recent political and social events. The traditional “safe harbour” from liability for content for intermediaries is being questioned and revisited. We wrote about new rules for intermediaries passed in 2021, to which amendments are already being considered. The remit of the PDP Bill had expanded during its evolution to include norms for a category of “social media intermediaries” with provisions for additional oversight over their data processing which had faced pushback.

The withdrawal of the Bill is seen by some as the result of this dynamic.  Within industry in India, reactions to the withdrawal were mixed, with many disappointed at being thrown back into legal uncertainty after years of engagement and preparation for the Bill.

A third major issue that had been a source of concern related to the unprecedented exemptions for Government agencies from the provisions of the supposedly “horizontally-applicable” data protection framework. These exemptions were so wide that they risked setting up a “two-speed” data protection law, with widely varying obligations and standards for public and private sector entities. These exemption had raised concerns in India of both industry players and civil society. Outside India, a 2021 report commissioned by the European Data Protection Board on government access to personal data in third countries called out the Indian proposals for their wide exemptions and differential data protection obligations for the Indian government.

However, it is unclear whether the withdrawal of the Bill signals a recognition—or subversion—of these concerns. The Joint Parliamentary Committee failed to recommend constraints to draft section 35 of the PDP Bill that enabled blanket exemptions to Government, despite six of the Committee members filing dissent notes to mark their concerns with the provision.

Lastly, an overarching concern was that the PDP Bill’s mandate had grown unmanageably in the course of its negotiation. The Bill faced the “kitchen sink” problem: a range of issues that are not traditionally in the remit of data protection regulation were added into the draft legislation through its various iterations. A flavor of some of the additions to this “kitchen sink” were:

• proposals to include the regulation of the use of “non-personal data” within the mandate of the Bill (even while a separate committee was considering the appropriate regulatory framework for this);
• proposals to create a “sandbox” administered by the Data Protection Authority, even while other regulators (notably in the financial sector) are already running sandboxes;
• recommendations in the Joint Parliamentary Committee’s report to create an Indian equivalent to SWIFT (the global payments instructions system); and
• recommendations in the Joint Parliamentary Committee’s report for new regulations for hardware manufacturers of devices collecting personal data.

The widening of the ambit of the Bill seemed to have led it astray from its early mandate of protecting informational privacy and providing a data protection framework for a fair digital economy in India.

Apart from creating tensions and dissonances within the Bill, this over-extension also ultimately seems to signal the difficulties for the Government to consider wider digital economy issues independently of a data protection framework. As the view of personal data as a national asset to be harnessed for growth and innovation takes deeper roots among decision-makers, it seems clear that any future data protection regime for India will necessary evolve only alongside broader frameworks around data accessibility and use.

What happens next?

While withdrawing the PDP Bill, India’s Minister for Information Technology, Ashwini Vaishnaw stated that Government is planning a new, comprehensive legislative package. The Minister of State for Electronics and Information Technology, Rajeev Chandrasekhar, has made several statements regarding plans for a new “Digital India Act” to re-vamp India’s broader Information Technology Act 2000.

Legal commentators closely following these developments, such as technology law firm Ikigai Law, have noted the exceptionally wide range of issues that this new package is set to cover: from cybercrime to emerging technologies, intermediary regulation, and digital competition issues. This reflects the broader position of the Indian Government, as it seeks to keep its regulatory options open even while it evolves a coherent stance on various aspects of technology government.

Especially in the post-pandemic environment, there has been increased appetite among policymakers to see data as an asset that can propel growth and innovation. The trend is seen in other jurisdictions, too, including the direction in recent European proposals flowing from the European data strategy. However, the concern is that the accent on data use and monetization for growth could limit the political will to introduce privacy protections. Old narratives that pitch privacy protections in opposition to innovation and private-sector business opportunities are re-emerging. Meanwhile, the underlying issue of carve-outs for the State’s data use, and state surveillance in the aftermath of the Pegasus scandal in India are yet to be substantively addressed by Government and policymakers.

The withdrawal of the PDP Bill comes as an increasing number of countries adopt comprehensive data protection legislation. Others in India’s neighborhood, including China, Indonesia, and Bangladesh, have enacted – or are very close to enacting, their data protection laws. Even traditional outliers like the US have made moves towards considering a federal data protection regime, making it increasingly hard to defend the absence of a robust data protection regime in India in the global arena.

With India assuming the presidency of the G20 in December 2022, the Government’s approach to existing G20 efforts, such as the Data Free Flow with Trust initiative (spearheaded by Japan), will be sharply back in focus. In the past, India has opposed and deferred joining such efforts, on the basis that it is in the process of preparing its regulatory frameworks on data protection and e-commerce. With the withdrawal of the PDP Bill, the Government’s real intent to create clarity on these frameworks will be scrutinized in the international community and locally.

Reports now suggest that the Government plans to introduce the new package of legislation on data governance in the Winter session of Indian Parliament (which generally begins in November each year). Senior Ministers are once again promising that new data privacy legislation will be created for India. The waiting game begins again for watchers of technology policymaking in India, with the recognition that when it comes to data governance frameworks: truth is often stranger than fiction!