In India, the Ministry of Electronics and Information Technology (Meity) has proposed several legislations for the regulation of tech industry and has also proposed some social media guidelines.
Data Protection Bill
In July 2017, the ministry set up a 10-member panel to examine the need for data protection law. Justice Srikrishna Committee in August 2018 submitted its draft report. In December, 2019, a bill was tabled in the parliament, which was sent to a joint parliamentary committee for further deliberations. The parliamentary committee suggested that data protection law should include non-personal data too. In 2021, the parliamentary committee adopted a report, signs off it, and called the new bill Data Protection Bill instead of Personal Data Protection Bill. The bill was studied by the Ministry. In July 2022, the government withdrew the Personal Data Protection Bill, 2019. The government is likely to propose four large buckets of digital rules and regulations with a data privacy bill. The government will come back to the parliament with a comprehensive framework of laws, including the privacy too and other contemporary challenges.
IT Act, 2000
Since the SC accepted privacy as a fundamental right, the government in 2017 decided to change the IT Act to reflect the same. In the meantime, the PDP Bill goes to parliamentary committee. The government could ask the committee to suggest changes in the IT Act too , in 2019. In February 2020, the minister feels the IT Act needs revision as it is more than 20 years old. There are new aspects of cybercrime. The same issue was emphasised in February 2022 too. In June 2022, the government declares that a new IT Act is being drafted.
Social Media Intermediary Guidelines
In February 2021, the ministry proposes a new policy to be followed within 60 days. In May 2021, the ministry asked the social media intermediatries to follow the law. In June 2022, the government released a draft of another set of changes to IT Rules. But it was withdrawn immediately. The same was re-released after some minor changes. In July 2022, the public consultation was conducted and there was a proposal of grievance appellate body. The final report is being prepared and may be released soon.
Data Governance Framework
The government constitutes a panel for suggesting data governance framework in September, 2019. In July 2020, it submits its report. Feedback was called for a revised framework was suggested by the ministry in December 2020. There was fresh public consultation in May 2022. The ministry in June 2022 says that the work is being given finishing touches.
In the proposed bill on data, the focus should be on personal data — name , phone number, chat history, credit history, profile details etc. Non-personal data is not about an individual — data about traffic, weather patterns, cab users data etc. A parliamentary committee suggested inclusion of non-personal data. This could dilute the objective of protecting personal data. Personal data protection is about allowing an individual to control how information about him/her is used. Non-personal data has economic goals. Both the objective are wide apart, and treating them on par in a single law dilutes both.
There should be checks on the way the government uses data. It has to respect the privacy principles. There should be provisions about the data collection, its storage and its safeguarding. The government surveillance must have checks and balances.
There is over-reliance on consent of an individual for data processing. Data processing for product improvement may be legitimate. Therefore, such processing may not be dependent on consent.
The IT Act rules regulate the sensitive personal data. These rules have yet not been enforced. When a data regulator is established, it has to co-ordinate with several agencies.
Data localisation should be restricted to critical data. Or else, there should be cross-border flow of data.
Some provisions of data protection bill are likely to be dropped or fine-tuned — regulation of hardware and devices, localisation of data with retrospective effect, regulatory consent for cross-border flow of data every time, and penalty on global turnover for any violation.