The long saga of the data bill holds crucial lessons

Nine years ago, Indians voted out the United Progressive Alliance (UPA) after being aggrieved by policy paralysis, scams and corruption, according to post-poll surveys by Lokniti-CSDS and the Center for the Advanced Study of India (CASI-UPenn). These grievances may no longer be relevant but are at the very heart of the Digital Data Protection Bill, 2023 that was introduced in Parliament on Thursday.

In its second term, the UPA set into motion a string of significant events that snowballed into a contentious legislative cycle, all prompted by the expansion of the biometric ID programme, Aadhaar. The first was the legislative introduction of the National Identification Authority of India Bill, 2010. A standing committee report on it stated that the “enactment of national data protection law.. is a prerequisite for.. large scale collection of information from individuals and its linkages across separate databases.”

Two weeks later, the justice AP Shah committee on privacy was constituted, and it published a report on October 16, 2012, recommending a privacy act. The department of personnel was also working on a similar privacy bill, touching on surveillance reform, but it never came to fruition. In this vacuum, Aadhaar was challenged less than a month on, with a petition by justice KS Puttaswamy on November 10, 2012, in the Supreme Court. Against the backdrop of a government fighting for survival amid allegations and parliamentary disruptions, all progress on a data protection law was stymied.

Promising decisiveness, the National Democratic Alliance (NDA) government was sworn in on May 20, 2014. Before the election, the prime minister had called Aadhaar a security threat. But a change of mind was apparent later, and the administration promised legislative backing for Aadhaar. Some hoped this would include a data protection law. But, on the contrary, the institutional gridlock was further cemented.

On August 11, 2015, the attorney general disputed the constitutional basis of the fundamental right to privacy, which both fuelled the continuing expansion of Aadhaar, and deepened uncertainty on the legal status of privacy. In this vacuum, enrolments grew, Aadhaar expanded and so did the private sector’s unregulated use of our personal data.

During this period, the only legislature movement was the enactment of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. It legalised widespread private sector use, exclusion and surveillance. Introduced as a money bill, it denied voting rights to the Rajya Sabha, and its five amendments were ignored. A carefully worded opinion authored by MR Madhavan of PRS Legislative Research juxtaposed its provisions to constitutional articles for money bills and came to the conclusion that they “did not seem to fit”.

On August 24, 2017, there was a twist in this tale, when a nine-judge bench of the Supreme Court affirmed the fundamental right to privacy. But curiously, mere weeks before the verdict, the ministry of electronics and information technology constituted another expert committee under justice BN Srikrishna.

The notification of this committee was first furnished to the apex court during proceedings in the Aadhaar case and it was even argued that “any right to privacy is conceptually unsound, and only comprehensive data protection legislation can effectively address concerns of data protection and privacy.” Disregarding such submissions, the Puttaswamy judgment clearly stated that it hoped a data protection law would be made with, “due regard to what has been set out in this judgment”. By now, delay had turned into denial.

There was much to disagree with the justice BN Srikrishna committee report. It failed to follow the pre-legislative consultation policy that required greater transparency, omission of surveillance reforms, undermining the Right to Information Act and exemptions for public authorities. Even then, the draft personal data protection bill, 2018 that it proposed offered a substantive framework with a regulatory body to enforce data protection. Subsequent changes made the exemptions broader and the protections narrow. In December 2019, the Personal Data Protection Bill was introduced in the Lok Sabha and referred to the joint parliamentary committee (JPC) the same day. The formation of this JPC appeared to have sidestepped a standing committee on IT that should have ordinarily received such a reference. JPC tabled its report in Parliament on December 16, 2021 with 97 amendments, 93 recommendations, and seven dissenting notes. Rather than considering implementing changes, the 2019 bill was withdrawn on August 3, 2022, with a statement by the minister that a comprehensive legal framework would be re-introduced.

This promise was broken when the Digital Data Protection Bill, 2022 was made available for public consultation on November 18, 2022. It substantially deviated both from the Puttaswamy judgement and recommendations by parliamentary committees.

The Data Bill, 2023 now expanded ministerial power on implementation “as may be prescribed”, provided vague and perpetual exemptions, without a regulatory authority for enforcement. After public consultation, this version became worse. It was introduced in Parliament on Thursday as the Data Bill, 2023, to calls from the Opposition asking for it to be sent back to the standing committee on IT. But in the same week, the parliamentary standing committee on IT, had already, without an express reference or even having a copy of its final text, commended it in a report accepted by the speaker.

This timeline demonstrates an aggravated and intentional form of policy paralysis over the past nine years. A lack of fairness in institutional practices explains why each version of the bill became worse. Closure, if achieved, will be tilted towards a law that narrows protections for citizens and expands the powers of the State and exemptions for corporate firms. The data bill is a product of the subversion of the democratic process that will cause lasting damage to the privacy of Indians while also damaging transparency requirements under the Right to Information Act. It will certainly lead to litigation; ordinances and amendments will surely follow and a cycle of uncertainty will extend. In it hides the lesson that we can never achieve just outcomes by unjust means.

Apar Gupta is an advocate and founder director of the Internet Freedom Foundation. The views expressed are personal