New data protection Bill must consider all criticism: Justice Srikrishna

Former judge headed panel that drafted the legislation which the government withdrew yesterday

The government did right by withdrawing India’s first personal data protection bill and a new one should "consider all the criticisms", said on Thursday the retired judge who headed the committee of experts that wrote the first draft of the legislation.

The government, after almost five years of deliberation, yesterday withdrew the Personal Data Protection (PDP) Bill, 2019, saying it will be replaced with one that has a “comprehensive framework” and is in alignment with “contemporary digital privacy laws”.

“This time they should consider all the criticisms by the internet activists, foreign companies, and the social activists that the bill was not giving enough thought to the data privacy right,” said Justice B N Srikrishna. The PDP Bill was introduced in the Lok Sabha in December 2019. It was later referred to a Joint Parliamentary Committee (JPC), which tabled its report in the Lok Sabha in December 2021.

“There was a whole lot of criticism on that 2019 bill that the government had recommended. Instead of doing further amendments, it is worthwhile to withdraw the Bill and come out with a fresh one,” he said. The Bill alarmed big tech companies and advocacy players said it gives the government sweeping rights.

It defined personal data, provided a base for a Data Protection Authority (DPA), and a policy framework for data use. Civil society groups, internet activists, and foreign companies said rather than data privacy, it focused on the government's interests.

The Bill was based on the first draft of a July 2018 report presented by the expert committee headed by Srikrishna, a former judge of the Supreme Court.

The government, when it withdrew the Bill, said the JPC had recommended 81 amendments to it. The JPC also made 12 other recommendations, said Rajeev Chandrasekhar, Minister of State for Electronics and Information Technology (MeitY), on Twitter.

The JPC also recommended having a single law for personal and non-personal datasets, but Srikrishna disagreed with that. “I've already gone on record and said it is wrong. Fundamental Rights declared by the Supreme Court includes only the personal data and personal privacy.”

Srikrishna said the right to privacy was at the central point of his committee when it was drafting the Bill. “The focus was to ensure the privacy rights are protected in terms of the Supreme Court’s statement. That’s why it was called personal data protection. Later on, they watered it down and turned it into data protection, by adding non-personal data, which was not the fundamental right,” he said.