India’s Digital Personal Data Protection Bill passed: “it’s a bad law”

India’s proposed data protection bill: further work is needed to ensure true privacy for the next billion users

India, the largest democracy in the world and second-largest internet user base, has been engaged in trying to frame and enact a national data protection law for quite some time now. The Personal Data Protection Bill, 2019 (PDP Bill) has been approved by the Union Cabinet and was placed in the Lok Sabha (lower house of the Indian Parliament). During the deliberations in the Lok Sabha, it was decided that the bill would be sent for review to a Joint Parliamentary Committee, consisting of members from the Lok Sabha (Lower House) and Rajya Sabha (Upper House). The Joint Parliamentary Committee is currently holding consultations and deliberations on the merits of the bill. 

In an exercise which started through an assurance provided by the Government of India in the case of Justice Puttaswamy vs. the Union of India, the government set up an expert committee chaired by Justice Srikrishna in July 2017. This committee, over the next year, published a draft report, along with a final report and bill in July 2018. Access Now published an analysis of this bill: Assessing India’s Proposed Data Protection Framework. This analysis was a result of an exercise of evaluating the final bill presented by the Srikrishna committee, against the principles in our paper, Creating a Data Protection Framework: a Do’s and Don’ts Guide for Lawmakers, which draws on our experiences from the negotiation process for the European Union’s General Data Protection Regulation (GDPR).

Attached here is our analysis of the PDP Bill. In the analysis we consider the changes made to the bill submitted by the Justice Srikrishna Committee, along with the principles outlined in the above-referenced “Do’s and Don’ts” guide.

Amidst discussions of the pros and cons of the PDP Bill, users and activists in India are pushing for amendments before it is presented in the Parliament. Initiatives such as the #SaveOurPrivacy, an Indian advocacy movement, have provided constructive feedback through  a model draft law called the Indian Privacy Code, 2018. The model law — drafted by a committee of volunteer lawyers from the digital rights community in India — covers the specific and nuanced issues of privacy, data protection, interception, and surveillance, and builds on seven privacy principles the drafting committee identified as the pillars of the legislative effort. Such efforts are notable towards enabling citizen-centric and rights-respecting legislation. 

While the draft bill draws from various sources, most notably the GDPR, our analysis shows there are multiple areas of concern for its efficacy in protecting the rights of the users in India. A rights-respecting regime would empower the citizens to assert their rights, along with creating contours of agreeable actions by data fiduciaries. We hope this bill will be amended to unlock that potential.