Decryption of the data protection bill

The Joint Parliamentary Committee (JPC) on the draft law on the protection of personal data has submitted its report to Parliament. The good news is that two years after the JPC was appointed to review the first draft of the bill, this marks a step forward in filling a crucial legislative void. The bad news is that the law recommended by the JPC is unable to protect individual privacy, leaving much to be desired. The bill still needs to be amended before it can be enacted as a rights-respecting law.


The JPC deviates considerably from the positive recommendations made by the committee chaired by Judge Srikrishna, which spearheaded the development of a personal data protection framework in 2018, and from the Puttaswamy judgment of the Supreme Court (SC) in 2017, which recognized the right to privacy as a fundamental right under the Constitution. Recently, Judge Srikrishna called the bill “Orwellian,” because of the wide and uncontrolled powers given to the state. The CPM’s recommendations do not address this problem and, in some ways, make it worse.

The report adds a provision, which would override any existing law, exempting government agencies from complying with any provision of the draft data protection law. The central government can issue an ordinance granting this general and unqualified exemption on universal grounds such as “public order”, without any control over the substantial merits of such an ordinance. The report only states that the procedure must be “fair, equitable, reasonable and proportionate”, which falls short of the standard of necessity and proportionality adopted by SC and international human rights law.


There are other ways to strengthen the powers of government. The previous draft allowed the processing of data without consent for the exercise of two specific state functions: the provision of any service or benefit; and issuance of any certification, license or permit to the data controller. However, the CPM draft allows such data processing without consent for a much wider range of state functions by inserting the term “including”, suggesting that the two categories mentioned above are purely indicative.

A crucial element of an effective data protection framework is an independent regulatory authority. The independence of the data protection authority from the executive has been a controversial issue since the first bill, but the JPC does not recommend the necessary corrections. Some changes have been made to the selection committee which will appoint the president and members of the Data Protection Authority (DPA). It will include an independent expert and directors of Indian Institutes of Technology, Indian Institutes of Management, appointed by the central government, and the Attorney General. However, all members of the selection committee serve at the discretion of central government or are appointed by central government. This creates a wide margin of government influence and seriously undermines the independence of the DPA.


In addition, the JPC recommends that the DPA be bound by central government guidelines in all cases and take into account the interests of the government when formulating its policies. These obligations, devoid of necessity and proportionality and beyond what existing Indian laws provide regarding the relationship between a regulator and the executive, fundamentally undermine the independence of the DPA.

The JPC further expands the scope of the bill to include the regulation of social media and non-personal data. He is pushing for social media platforms to be treated as content publishers, potentially losing their safe haven protection, which protects them from liability for content posted by third-party users. This recommendation could have a chilling effect on freedom of expression, and it ventures into areas well beyond the mandate of the JPC and the draft law on the protection of personal data.


Dividing the purpose of the bill between personal and non-personal data also results in a dilution of privacy protections and legislation that does not accurately capture the difference between the two categories of data that warrant considerations and regulatory treatment. distinct.

There is no precedent globally for such a catch-all legislation governing personal data, non-personal data and social media – each of these areas requires separate and nuanced consideration, consultation and legislation.

The CPM’s report is sorely lacking a recommendation on supervisory reform. This is a missed opportunity given that India has long faced demands to overhaul its surveillance regime, due to its incompatibility with human rights. A privacy-focused data protection regime is meaningless if it remains immune to invasive surveillance guided by centralized power, opaque procedures and lack of control.


Right now we have a privacy bill on data protection; keeps the government at a much lower level of responsibility than the private sector; and is making unjustified progress in areas beyond its mandate, without sufficiently addressing those that fall within its purview.

MPs will have their work cut out for them to ensure that the bill only passes after further consultation with civil society and with the necessary changes that put people’s privacy and rights where they belong – at the heart of our new data protection regime.

Namrata Maheshwari is Asia-Pacific Policy Advisor, Access Now (with contributions from Raman Jit Singh Chima)

Opinions expressed are personal