Skip links

India scraps data protection law in favor of better law coming … sometime

The government of India has scrapped the Personal Data Protection Bill it’s worked on for three years, and announced it will – eventually – unveil a superior bill.

The bill, proposed in 2019, would have enabled the government to gather user data from companies while regulating cross-border data flows. It also included restrictions on sharing of personal data without explicit consent, proposed establishment of a new Data Protection Authority within the government, and more.

On Wednesday, telecom minister Ashwini Vaishnaw tweeted that the bill was nixed because the Joint Committee of Parliament (JCP) recommended 81 amendments to the Bill’s 99 sections.

“Therefore the bill has been withdrawn and a new bill will be presented for public consultation,” said Vaishnaw.

Union minister Rajeev Chandrasekhar also tweeted about the cancellation and the need to develop a more modern successor:

The Bill was not admired by Big Tech or digital rights orgs. Asia Internet Coalition – a trade org whose members include Apple, Facebook, Google, Amazon, Twitter and more – sent a letter [PDF] to lawmakers last January calling the data localization requirements in the bill “onerous” and asserting cross-border transfer decisions should be free of political interference.

Anushka Jain, a lawyer for New Delhi-based Internet Freedom Foundation told The Reg in May that digital liberties organizations worried the bill exempted India’s government and local authorities from data protection requirements, and thereby could facilitate unchecked surveillance.

“We feel that data protection and surveillance are extremely interconnected,” said Jain, adding “It might end up working towards the interest of the government which might not be in congruence with what is in the best interest of the citizens.”

However, just because critics had concerns about the bill, it did not mean they wanted it totally scrapped.

IFF’s executive director Apar Gupta told The Register:

Gupta added that he was disappointed the ministerial statements on withdrawal, both in parliament and public, avoid any commitment to timelines for development of a new law.

“The statement notes work on a ‘comprehensive legal framework’. This is attributed to the JPC (Joint Parliamentary Committee) report on the Data Protection Bill, 2019. This is incorrect as the remit of the JPC was limited to the Data Protection Bill, for which it did not recommend a withdrawal,” said Gupta.

Other critics of killing the bill accused the government of giving over too much power to Big Tech – a situation that prime minister Narendra Modi seems keen to avoid as he continually seeks to regulate tech giants operating in India, sometimes ending in lawsuits. ®