Personal Data Protection Bill likely to be introduced in June

Tech Economic Times, January 04, 2019

The current session of parliament ends on January 8. “Tabling it in the Budget Session is also ruled out,” said the official.

The Personal Data Protection Bill, 2018, is now likely to be introduced in parliament in June, after the general elections, a top official told ET.

The bill, which sets out how the personal data of individuals is processed by the government and private entities incorporated in India and abroad, was initially supposed to be tabled in the ongoing winter session.

The ministry of electronics and IT has sent the draft of the bill to the law ministry for vetting after making a few changes, according to the official. The law ministry has sought more time to study the bill and give its feedback since it doesn’t have to be introduced in the current session, the official said on condition of anonymity.

The current session of parliament ends on January 8. “Tabling it in the Budget Session is also ruled out,” said the official.

After the Justice BN Srikrishna Committee submitted the draft data protection bill in July last year, the ministry of electronics and IT (MEITY) opened another round of public consultation, which attracted almost 600 sets of feedback, including from the US government.

Experts said Indian citizens shouldn’t have had to wait about nine years across two governments for a central law to protect their digital privacy. The first version of the privacy bill was drafted in 2010 and since then, multiple versions and drafts have been prepared, none of which has seen the light of day.

While the government has speedily tabled amendments in the current session of parliament to allow voluntary usage of Aadhaar by customers as a means of authentication by telcos and banks, the data protection bill mandating strict rules for use of personal information and data such as biometrics has not been introduced yet.

According to Ramanjit Singh Chima, Asia Policy Director of Access Now, the present government had repeatedly committed to parliament, the Supreme Court and the public that it would introduce and enact a data protection law.

“Instead, MEITY appears to have prioritised overboard amendments to the Aadhaar Act, interception notifications and additional regulations on online speech platforms. This is an unfortunate and disturbing disappointment,” Chima said.

The Supreme Court, in a landmark judgement in August 2017, had ruled that privacy is a fundamental right, although it is not absolute. About a year later, the apex court limited the use of Aadhaar for only welfare payments, filing of income tax returns and linking it with PAN cards.

The bill’s mandate on data localisation is one of the most watched provisions by foreign technology companies. The panel on data protection, which took almost a year to prepare its report and the draft bill, had recommended that a copy of all personal data should be stored in India, while all information of a critical nature could only be kept locally.

The committee left it to the government to define critical personal data. ET had reported earlier that sector regulators and relevant departments would get to define what constitutes sensitive personal information. Such data will have to be necessarily stored only in India.

As per the draft bill, citizens and internet users will have the final say on how and for what purpose their personal data can be used and they will have the right to withdraw consent. There will also be the option of ‘right to be forgotten,’ subject to certain conditions.

Some of the committee’s recommendations have raised concerns among companies. These include the move to restrict cross-border flow of personal data and criminal prosecution, along with stiff penalties of up to 4% of a company’s global turnover, against those violating data privacy rules.

This news can also be viewed at: