While the withdrawal of the contentions Personal Data Protection Bill has raised a lot of questions, it seems to have come as a relief for start-ups in India.
In place of the old bill, which was tabled in the parliament for discussion in December 2021 and had rattled big tech companies and policy activists alike, a new bill would be brought out soon, said the government. The Bill was first introduced in 2019.
For start-ups, the bill would have come with the tangles of compliance and meddled with their ease of doing business, the complaints raised by them in the past have pointed out.
The data localisation norms under the bill were one of the key contention for Indian start-ups as well as the big tech companies as they prohibited the movement or export of data outside the country.
Under the scrapped bill, data localisation would have included both sensitive and critical data of the individuals, companies or entities in local data centers. All foreign and Indian companies were recommended to be included in the purview of data localisation, with the government citing national security, privacy, employment generation and bargaining power as some of the reasons behind it.
This would have particularly impacted Indian start-ups that often use third-party services or companies which are based outside India.
Elaborating on how the data localisation norms would have impacted them, a start-up founder had earlier told news publication Indian Express: “As a start-up, you end up using online tools and software – from analytics to entire cloud-based servers – that may not be based in India. These services often need to access your core database. Besides this, many start-ups have customers outside of India and a localisation mandate could make it tricky for them to do business with international customers.”
In the case of the disgruntled big tech firms, Meta, while criticising the proposed data localisation norms in May this year, had said that it could increase the cost and complexity of delivering the services, thus making it difficult for the company to provide its services in India. Google had also opined that the norms should be as “narrowly tailored as possible”.
Several industry leaders had written to the government saying that the norms would degrade the business environment in the country and reduce the inflow of foreign investments. The regulation of the hardware of companies that store data had also been a point of contention between the government and industry players.
In a historic 2017 judgment, when the Supreme Court declared that Right To Privacy was a fundamental right, it asked the government to formulate a law that would protect the data and privacy of individuals.
The first draft of the Personal Data Protection Bill was presented by an expert committee, set up by the Ministry of Electronics and Information Technology and headed by former Supreme Court Justice B.N. Srikrishna in 2018.
The bill was tabled in the winter session of parliament in 2019 following which, it was sent to a Joint Parliamentary Committee (JPC) that proposed 81 amendments. The revised bill was then introduced in the parliament as the Personal Data Protection Bill, 2021.
The bill aimed to protect individuals’ privacy related to their personal data, create a framework for organisational and technical measures in the processing of data, lay down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, offer remedies for unauthorised and harmful processing and establish a Data Protection Authority of India.
The JPC report had recommended the expansion of the scope of the bill to include both personal and non-personal data like information collected by the government, NGOs and other private sector entities.
Union Communication and IT Minister Ashwini Vaishnaw has said that the new Data Protection Bill would be introduced soon.
Talking to news agency PTI, Vaishnaw said, “Over and above that, there are 12 more major recommendations. So, with this as background, there was no way but to put a fresh draft. Without compromising any of the principles of privacy or with the SC judgement... we have prepared a new draft. We have completed the Parliament's process today and very soon we will be taking the new draft through the approval process. Very soon hopefully by the Budget session, we should be able to get a new law passed.”
Minister of State for Electronics and IT Rajeev Chandrasekhar has claimed that the new bill would include a comprehensive framework that will cover all aspects of the digital economy with dedicated rules for data privacy, emerging technology and data governance framework.
