In the immediate aftermath to pull the plug on the Personal Data Protection Bill (PDP Bill), 2019, the government said that compliance for startups would have become significantly more difficult had the bill been passed into law.
Apart from personal data protection, the bill also included policies such as cybersecurity, data management and safety and a national data governance policy.
Rajeev Chandrasekhar, the Minister of State for Electronics and Technology said, “Big tech firms would have just hired more lawyers to comply if there was a complicated privacy law. The burden of such legislation would have hurt startups.”
However, Chandrasekhar restated the Indian government’s bullishness on data privacy.
“I have always emphasised that data privacy is anyway a fundamental right of all citizens, according to the Supreme Court’s ruling. What the data protection law does is it just specifies do’s and don’ts for those who collect the data,” the minister said.
At a press briefing, Chandrasekhar said that the bill in its current form was designed in 2018 for the limited purpose of privacy after the Right to Privacy was recognised as a fundamental one by the Supreme Court in 2017.
Chandrasekhar commented on the joint parliamentary committee’s report, stating, “It was found that there is a need for a comprehensive redrawing of the laws and rules, taking into account some of the JPC’s comments and the contemporary challenges and future opportunities that arise here.”
To be sure, last year, the additional secretary of the IT Ministry Dr Rajendra Kumar said that the Personal Data Protection Bill was set to boost India’s digital economy.
At a November 2021 event, Kumar claimed that the concept of ‘data fiduciaries’ within the bill could help Indian startups. A reasonable assumption would also include India’s tech startup ecosystem as part of the digital economy. Hence, pulling the bill by saying it will hurt startups is just a little oxymoronic.
Other shortcomings notwithstanding, the Personal Data Protection Bill, 2019, provides a ‘backdoor’ to the government. In the bill’s provisions. The bill gives certain rights to the individual, referred to as a data principal. Data fiduciaries, or the companies that collect and process personal data, can only do so with the consent of the data principal.
However, in certain circumstances, the data can be processed without consent, including instances when the state asks for it. This point has been called into question as being an enabler of government surveillance.
For the uninitiated, New Delhi pulled the PDP Bill on Wednesday (August 3) after a joint parliamentary committee suggested 81 amendments to the bill. The bill had been in discussion in India’s Parliament since 2019. The government is now working on a new data protection bill from scratch.