The Run-up to India’s first Personal Data Protection Legislation

Recent Developments

The biggest case regarding the fallibility of the Indian regime on privacy and data protection was concerning the effects of the Aadhaar project. This led to the two decisions of the Supreme Court, Puttaswamy I  and Puttaswamy II. Puttaswamy I, declared the right to privacy as a fundamental right and churned the conversation on the multiple aspects of privacy, which was divided into 3 categories in Chalameshwar, J.’s opinion as bodily, informational and privacy of choice. Puttaswamy II, however, endorsed the Aadhar project, striking down Sections 33(2), 47 & 57 of the Aadhar Act, upholding that the right to privacy was not absolute. 

Following the decision in Puttaswamy I, a  Committee of a panel of experts was formed, tasked with the responsibility to provide recommendations for the data protection regime in India, which resulted in the Srikrishna Committee Report of 2018. Alongside the same, the Personal Data Protection Bill, 2018 was also placed for public comments, which was drafted by the same committee. The Bill attempted to address the protection of data comprehensively and brought forth a heated debate on the data localization mandate. This was followed by a consultation process open for stakeholders to present their concerns to the government. During this time, Dr. Ravikumar, Member of Parliament, Lok Sabha tabled the Personal Data and Information Privacy Code Bill, 2019. Drafted in collaboration with the Internet Freedom foundation, it was an updated version of the Indian Privacy Code, which was a civil society attempt at pushing forth for a comprehensive legislation on privacy and data protection.

After consultations over the Personal Data Protection Bill, 2018, spanning over a year, the Personal Data Protection Bill, 2019 was introduced in the Lok Sabha on 11th December 2019 by the Minister of Information and Technology. The Bill has made critical amendments to the original draft, with a widened scope for government access to data. It aims to regulate the increased availability of data for business purposes, and prevent breaches. The same is punished with the high amount of fines and damages of up to 15 crores. Although the mandate of the Bill is to look into Personal Data, it also addresses non-personal data considerably. 

Post the introduction of the Bill in the Parliament, the Standing Committee on Information and Technology has not been given a chance to scrutinize the Bill. Instead, it has been sent to a Joint Select Committee, constituted by members from the Lok Sabha and Rajya Sabha. The final outcome of the Joint Select Committee’s scrutiny is expected to rectify the excesses and miscalculations of the Bill. It is only with their report, which is expected to be tabled in the Parliament by the 2020 Budget Session, that India will finally have its first data protection legislation. One could only hope that the lapses and lacunae in the present draft are considered at length, and the amendments proposed to this effect are accepted, when the Bill will be considered in the next session of the Parliament.