No place for privacy in India as government withdraws Personal Data Protection Bill

The wait for meaningful legal protection of people’s privacy in India — a fundamental right long under ever-increasing attack — has just gotten longer. The government has withdrawn the Personal Data Protection Bill, which had been in the works for three years, slamming the brakes indefinitely on privacy safeguards in India. This decision, and the government’s consistent failure to advance a meaningful, people-centric data protection law, comes with a steep cost to human rights in the world’s largest democracy.

The initial 2019 version of the legislation, and the following 2021 draft with recommendations by a parliamentary committee, each failed to adequately protect privacy and granted excessive discretionary powers to the government. However, these iterations could have served as a basic foundation that lawmakers could subsequently improve, creating a law that would have strengthened Indians’ rights and control over their personal data. The government’s withdrawal of the bill without any discussion in parliament, and without presenting a concrete replacement, deepens the uncertainties and risks surrounding privacy and erodes people’s confidence in the government.

“As India celebrates 75 years of independence, we are also marking 12 years since policymakers first proposed a federal-level privacy and data protection law, and over five years since the Supreme Court of India ruled that privacy was a fundamental right, requiring government action to safeguard our personal data,” said Raman Jit Singh Chima, Asia Pacific Policy Director and Senior International Counsel at Access Now. “Today, far too many sessions of parliament have passed with zero progress on the Personal Data Protection Bill, when it should have been the top priority. The government’s withdrawal of legislation and failure to say when we will move forward on a strengthened, people-centric data protection law — one that does not privilege the interests of government and the tech sector over fundamental rights — is wholly unacceptable.”

The lack of a data protection law is especially dangerous given the government and tech sector’s unabating efforts to collect, retain, and utilise an increasing amount of people’s personal data. India is the third most-impacted country by network security attacks in the world, and we are seeing a dramatic increase in the number of data leaks and breaches. Without data protection, the attacks and leaks will only increase, as will the harm they cause to India’s internet infrastructure and people’s privacy. 

“The government’s vision of Digital India is accelerating, but any endeavour to protect people’s privacy as more of their data is exploited is decelerating,” said Namrata Maheshwari, Asia Pacific Policy Counsel at Access Now. “The failure to pass a federal privacy and data protection framework exemplifies the government’s approach of putting the horse before the cart — mandating increased collection and utilisation of personal data, without first ensuring people’s information will be safe and secure. The delay in implementing meaningful data protection is costing people their right to privacy.”

The government must explain publicly, and in detail, why it’s withdrawing the Personal Data Protection Bill, a clear disservice to all stakeholders and parliamentarians who have been engaged in the process. It must also prioritise developing new legislation that takes into account the input so far, and immediately share a timeline for implementation.