India withdraws personal data bill that alarmed tech giants

The Indian government has withdrawn its long-awaited Personal Data Protection Bill that drew scrutiny from several privacy advocates and tech giants who feared the legislation could restrict how they managed sensitive information while giving government broad powers to access it.

The move comes as a surprise as lawmakers had indicated recently that the bill, unveiled in 2019, could see the “light of the day” soon enough. New Delhi received dozens of amendments and recommendations from a parliamentary panel, which includes lawmakers from Prime Minister Narendra Modi’s ruling party, that “identified many issues that were relevant but beyond the scope of a modern digital privacy law,” said India’s Junior IT Minister Rajeev Chandrasekhar.

The government will now work on a “comprehensive legal framework” and present a new bill, he added.

The Personal Data Protection Bill sought to empower Indian citizens with rights relating to their data. India, the world’s second-largest internet market, has seen an explosion of personal data in the past decade as hundreds of citizens came online for the first time and started consuming scores of apps. But there has been uncertainty on how much power the individuals, private companies and government agencies have over it.

“The Personal Data Protection Bill, 2019 was deliberated in great detail by the Joint Committee of Parliament 81 amendments were proposed and 12 recommendations were made toward comprehensive legal framework on digital ecosystem. Considering the report of the JCP, a comprehensive legal framework is being worked upon. Hence, in the circumstances, it is proposed to withdraw ‘The Personal Data Protection Bill, 2019’ and present a new bill that fits into the comprehensive legal framework,” India’s IT Minister Ashwini Vaishnaw said in a written statement Wednesday.

The bill drew criticism from many industry stakeholders. New Delhi-based privacy advocacy group Internet Freedom Foundation said the bill “provides large exemptions to government departments, prioritises the interests of big corporations and does not adequately respect your fundamental right to privacy.”

Meta, Google and Amazon were some of the companies that had expressed concerns about some of the recommendations by the joint parliamentary committee on the proposed bill.

The bill also mandated that companies may only store certain categories of “sensitive” and “critical” data, including financial, health and biometric information in India.

“I hope that the bill isn’t junked altogether, given all the work that went into it. Junking the bill altogether will create a limbo of sorts from a privacy protection standpoint. Nobody wants that,” said Nikhil Pahwa, the editor of MediaNama, which covers policy and media, in a series of posts on Twitter.

“The new bill should be put up for public consultation. Government should realise that civil society and wider industry participation helps improve laws and rules. The JPC didn’t involve many key civil society stakeholders. Government has already made a mess with IT Rules 2021 and CERT-in directions. It needs to be reasonable with regulations else this will hurt India’s digital future.”