The government on Wednesday withdrew the Data Protection Bill from the Lok Sabha after a joint parliamentary committee suggested over 90 changes to it.

According to government sources, considering the report of the parliamentary committee, a comprehensive legal framework is being worked upon that will pave the way for a new bill.

The Bill, which aims to regulate how an individual's data can be used by companies and the government, was introduced on December 11, 2019. It was referred to the Joint Committee of the Houses for examination and the report of the committee was presented to the Lok Sabha on December 16, 2021.

The Bill, withdrawn by IT Minister Ashwini Vaishnaw, aimed to provide digital privacy to individuals relating to their personal data, specify the flow and usage of data, and create a relationship of trust between persons and entities processing the data.

The bill had been sent to the panel in 2019 after it faced vehement protests from the Opposition Congress and Trinamool Congress among others who said the data privacy law violated fundamental rights of citizens.

The Opposition parties said the law gave sweeping powers to the government to access personal data of individuals under opaque conditions, citing national security and other reasons.

The report of the joint parliamentary committee with its 93 recommendations amplified concerns about the central government’s powers to invade an individual’s right to privacy.

The chief concern is that the new legislation fails to provide adequate protection, for it does not stymie the government and its agencies from overriding an individual’s right of consent before processing his personal data.

India is one of the fastest-growing data-generating nations in the world with over 700 million Internet users and over 400 million smart phone users. Together, they generate over 150 exabytes of data annually.

One exabyte is one billion gigabytes (GB). Let us put that in context: some experts estimate that all the words ever spoken by mankind would be equal to just five exabytes.

Four basic sources of data

The data that is generated comes from four basic sources: personal data includes our profiles and demographic data from bank accounts to medical records to employment data. Some more data is generated from web searches and sites visited, which help identify preferences and purchase histories.

There is another large cache of data that comes from tweets, posts, texts, emails, phone calls, photos and videos as well as coordinates that reveal our real-time location.

Finally, there is another stack of data that establishes spending patterns that are thrown up by online purchases, modes of transactions, and preferred payment gateways.

Many individuals may want to keep some parts of that data private, exercise control on who can access it and have a consent mechanism before anyone can process it.

Exceptions to the consent rule

The proposed legislation works in a consent mechanism but it also carves out exceptions to the consent rule which the committee failed to address. The report clearly shows that the majoritarian view drowned dissent within the committee.

The big beef within the committee was over Clause 35, which empowers the committee to exempt any agency of the government from the application of the act for certain legitimate purposes such as security of the state, friendly relations with foreign countries, and public order. The committee tacked on a sub-clause that said the procedure for overriding consent for processing personal data should be “just, fair, reasonable and proportionate” – which tends to cloud the entire procedure with a poorly defined, vague phrase.

“It is important to note that such protection is limited since it applies only as a procedural safeguard and not as a condition to exercising the grounds of exemption,” said the Internet Freedom Foundation, which raised 10 key objections to the report.

Bill undermines privacy of individual

The IFF said the bill undermined the primacy of an individual’s privacy by adding the words “to ensure the interest and security of the State” in the first paragraph of the preamble.

“This clearly marks a primary objective of the law to serve security interests that are misplaced within a data protection law,” it said.

However, the IFF welcomed a change in Clause 62 that gives all citizens the right to complain to a Data Protection Authority and secure compensation.

Not everyone has been happy that the bill contains certain provisions that can severely compromise the independence of the Data Protection Authority.

At least seven opposition MPs from the 30-member panel gave dissent notes and these were appended to the report. Their main objection was that the Centre would end up controlling the Data Protection Authority.

The IFF said: “Fresh language has been inserted in various sub-clauses to exercise such power in consultation with the central government.”

Wider expemptions

It said the “fresh insertions” increased government power over the Data Protection Authority, thereby reducing its independence.

Supreme Court advocate and the founder of online child safety firm Cyber Saathi, N.S. Nappinai, said: “The scope has now been unequivocally expanded to include non-personal data…. This would certainly spell good news for India-based businesses, particularly start-ups. I hope, however, that this addition does not delay implementation.”

Trishee Goyal of the Vidhi Centre for Legal Policy told The Telegraph Online: “The bill currently provides exemptions that are wider than what the Justice Srikrishna Committee draft had provided for…. Given the recent controversies around state surveillance, for example, in the context of Pegasus, this is one of the issues that have the potential of stalling the bill and resulting in constitutional challenges.”