Where is India’s Data Privacy Law?
Despite being in the news for several years, the new data protection law is far from being enacted. What’s taking so long?
You either care about data privacy or you don’t understand it. I know this is a bold statement. But it explains how most of India perceives data protection.
We’ve written a previous post on why our current data protection law is broken. The tl;dr version is that the law is ineffective. Even though it was enacted less than a decade ago, it has failed to address today’s privacy challenges.
Let’s come to the Personal Data Protection Bill (‘PDP Bill’). This legislation is supposed to do for India what the General Data Protection Regulation did for Europe – ensure better protection of personal data, hold companies accountable, and punish non-compliance.
The problem is that the draft law is in parliamentary limbo. Today’s story explains what’s going on.
Power of the PDP Bill
The reason much of India doesn’t understand data privacy is because corporations who collect data do a poor job of explaining why it matters.
Take Facebook. Despite having over 310 million users in India, most people aren’t sure about how the social network leverages data to make money. One can argue that this is intentional. If everyone knew exactly how their personal information was being monetized, they would share less of it. That’s bad for Facebook’s business.
Lawmakers and legal experts understand this. Which is why they pushed for the PDP Bill so strongly. This legislation redefines India’s data protection framework in many ways, such as –
(a) Making user consent central to data collection, storage, processing, or transfer;
(b) Giving users the right to access, correct, and erase their data;
(c) Requiring “sensitive personal data” to be stored in India; and,
(d) Introducing penalties that can go up to crores of rupees and imprisonment.
Given the obvious benefits, why is the PDP Bill still pending?
Parliamentary Battles
If there’s one word to describe the law-making process, it would be “complex.” This is especially true for sensitive subjects like farming and citizenship.
Data protection is no different.
Members of the joint parliamentary committee (‘JPC’) have pushed back on various provisions of the PDP Bill. A key contention is clause 35 which allows the government to exempt itself from statutory obligations in national interest. For instance, if a government agency wants to access someone’s personal data because it feels that there’s a threat to national security, then it’s free to do so.
However, opposition members want this clause to be removed because it gives too much power to the government.
Other provisions – like the one requiring certain data to be stored in India (called data localization) – have also been scrutinized closely. According to reports, 228 amendments have been submitted to the JPC.
What Next?
Members of the JPC want an overhaul of the draft since they believe that the current version is lacking in many areas. The JPC may even invite representations from stakeholders to get clarity on their interests.
The way things are going, it’s difficult for us to say when the PDP Bill will see the light of day. Reports suggest that the JPC may submit its recommendations to the parliament before the next session starts.
Will 2021 be the year of data privacy? We sure hope so.
Stay WorldWise!
We’re just finalising the members for cohort 2 of our Law Firm Boot Camp and the inaugural cohort of the Litigation Boot Camp. If you’ve been procrastinating, now is a good time to apply.