Why does India not have a data protection bill yet?

According to Dutch cybersecurity firm Surfshark VPN, India had the second highest number of data breaches in the first half of 2022. 

And on Friday, a Ukrainian cybersecurity researcher claimed that sensitive personal data of 280 million Indian citizens allegedly from the Employees’ Provident Fund Organisation database surfaced online. 

Each record allegedly included personal information like full name, nominee details, marital status, address, bank account numbers, Aadhaar details, income levels etc.

India currently lacks a sound legislation for data protection. After five years in the making, the bill that was designed to protect the privacy of Indians, the Personal Data Protection Bill 2019, was withdrawn by the government on Wednesday. The government assured to table a new bill soon.

A committee led by former Supreme Court Justice BN Srikrishna, constituted in August 2017, submitted the draft PDP Bill 2018 the following year. 

On December 11th, 2019, the Ministry of Electronics and Information Technology tabled the PDP Bill 2019 in Lok Sabha. The same day, it was referred to a Joint Parliamentary Committee, which tabled its report two years later, on December 16, 2021. 

IT Minister Ashwini Vaishnaw said the bill was withdrawn because the panel suggested 81 amendments and 12 major recommendations. 

The bill had alarmed big technology companies like Meta and Google, who feared it could increase their compliance burden, data storage requirements and restrict cross-border flow of data. 

As the bill provided large exemptions to government departments, several privacy advocates said it would allow agencies to abuse access to data.

The parliamentary panel also said that non-personal data should be included in the purview of the bill, which originally focused only on individual privacy in tune with the 2017 Supreme Court verdict that held Right to Privacy as a fundamental right.

Speaking to Business Standard, Tejasi Panjiar, Associate Policy Counsel, Internet Freedom Foundation says, there is no denying the bill was imperfect. But it went through long consultation and review process. What should’ve taken us forward brought us back to square one, he says. 

The delay has consequences for Indian consumers and companies alike

Salman Waris, Managing Partner, TechLegis Advocates & Solicitors, says consumers will be the ultimate sufferers as their data is at risk. Govt may bring two bills for personal and non-personal data. India's outsourcing industry will face hurdles while serving global clients. 

The government says it is working on a “comprehensive legal framework” after considering the parliamentary panel’s report. 

Meanwhile, the Internet Freedom Foundation has argued that the existing legal vacuum on data protection is an infringement of the fundamental right to privacy. 

Whether or not the new bill addresses the existing concerns raised by companies and privacy advocates, the wait for a personal data protection law in India gets longer.