The government of India has scrapped its proposed Personal Data Protection Bill. The bill, proposed in 2019, would have enabled the government to gather user data from companies while regulating cross-border data flows. It also included restrictions on sharing of personal data without explicit consent, proposed establishment of a new Data Protection Authority within the government, and more.
Telecom minister Ashwini Vaishnaw tweeted that the bill was scrapped because the Joint Committee of Parliament (JCP) recommended 81 amendments to the Bill's 99 sections. "Therefore the bill has been withdrawn and a new bill will be presented for public consultation," said Vaishnaw.
Cybersecurity expert Ilia Kolochenko, Founder of ImmuniWeb and a member of the Europol Data Protection Experts Network has spoken out following the news. He said: “Fostered by the success of GDPR, many countries around the globe started implementing national legislation to protect the personal data of their residents. Brazil, South Africa and some states in the US may serve as good examples of GDPR-inspired legislation. The sudden pandemic, however, stringently halted implementations of new privacy legislation in many other countries, as lawmakers and governments were struggling with unprecedented emergencies.
"Today, amid the unfolding economic slowdown, we should expect more efforts aimed to rescue economies, while postponing privacy protection for later. The Personal Data Protection Bill, if implemented, would likely have caused considerable financial hardship for technology companies and other businesses across the country. Proper enforcement and policing of its provisions across the country would likely also be cost-prohibitive. Thus, the decision of the Indian government is, of course, regrettable but is perfectly understandable if regarded through the prism of economic well-being of the country amid the economic turbulence.”
Data protection in India
According to global law firm Linklaters, India has not yet enacted a specific legislation on data protection. However, the Indian legislature did amend the Information Technology Act which gives a right to compensation for improper disclosure of personal information. The Indian Central Government subsequently issued the Information Technology Rules, 2011. The Rules have imposed additional requirements on commercial and business entities in India relating to the collection and disclosure of sensitive personal data or information which have some similarities with the GDPR and the Data Protection Directive.
India has introduced a biometric based unique identification number for residents called ‘Aadhaar’. Aadhaar is regulated by the Aadhaar Act and rules and regulations issued thereunder. Entities in regulated sectors such as financial services and telecom sector are also subject to obligations of confidentiality under sectoral laws which require them to keep customer personal information confidential and use them for prescribed purposes or only in the manner agreed with the customer.
Personal data in the country is protected through indirect safeguards developed by the courts under common law, principles of equity and the law of breach of confidence.