Rajya Sabha

India’s quest for a data protection regime can be traced back to when the idea was first mooted in the Indian Parliament in 2008, when an amendment to the Information Technology Act, 2000 (“IT Act”) was proposed. More than 40 delegates from grade VI-VIII over the course of two will deliberate over the ambit of this law and the necessary amendments that are required as AI become a reality.

What are the limitations placed on Rajya Sabha?

The Constitution of India lays down power of the both houses of the Parliament of India. For example, Article 84 of the constitution lays down the qualifications needed for a member to be a parliamentarian. Similarly, the constitution also places some limitations on the powers of the Parliament and specifically Rajya Sabha.

Another important article of the constitution in this context is the Article 107 of the constitution of India. The aforesaid article lays down the fact that a bill can originate in either of the houses of the Parliament with the exception of financial bills and money bills. The constitution of India lays down that the money bills and financial bills can only originate in the lower house of the parliament or the Lok Sabha.

The Lok Sabha decides on the bill and then votes on the said bill. The passage of the bill takes the same to Rajya Sabha. Although the Rajya Sabha has restricted powers over money bills and financial bills, the upper house can still suggest changes/amendments to the bill on the table. The Rajya Sabha is only given a 14 day time period to return the bill to Lok Sabha.

The Rajya Sabha is allowed to either send back the bill with amendments or without amendments. Regardless, the Lok Sabha will take the final call on the passage of the amendments. If the Lok Sabha decides to accept the recommendations then the bill is voted upon again in the lower house and is deemed to have passed by both houses. If the Lok Sabha decides to reject the amendments then the bill is considered to be passed by the both houses regardless of the rejection.

In a case where the Rajya Sabha does not return the bill in 14 days then the bill is considered to be passed by both houses of the parliament either way. So in totality, the Rajya Sabha has very little say in the matter and the bill will eventually pass at the behest of Lok Sabha. The role of Rajya Sabha is suggestive.

Article 108 provides for a joint sitting of the two houses of Parliament in certain cases. A joint sitting can be convened by the president of India when one house has either rejected a bill passed by the other house, has not taken any action on a bill transmitted to it by the other house for six months, or has disagreed with the amendments proposed by the Lok Sabha on a bill passed by it. Considering that the numerical strength of the Lok Sabha is more than twice that of the Rajya Sabha, the Lok Sabha tends to have a greater influence in a joint sitting of Parliament. A joint session is chaired by the speaker of the Lok Sabha. Also, because the joint session is convened by the president on the advice of the government, which already has a majority in the Lok Sabha, the joint session is usually convened to get bills passed through a Rajya Sabha in which the government has a minority.

Joint sessions of Parliament are a rarity, and have been convened three times in the last 71 years, for passage of a specific legislative act, the latest time being in 2002:

● 1961: Dowry Prohibition Act, 1958

● 1978: Banking Services Commission (Repeal) Act, 1977

● 2002: Prevention of Terrorism Act, 2002

Lastly, in terms of limitations, the Rajya Sabha does not have the authority to bring a no confidence motion to the floor. Only the Lok Sabha can bring a no confidence motion to the floor of the parliament.

Agenda for the session of Rajya Sabha that we are simulating is Reviewing and discussing the passage of the Personal Data protection Bill, 2019

Background of the Data Protection Law in India

India’s quest for a data protection regime can be traced back to when the idea was first mooted in the Indian Parliament in 2008, when an amendment to the Information Technology Act, 2000 (“IT Act”) was proposed. The introduction of the new Section 43A under the Information Technology (Amendment) Act, 2008 (“Amendment”) inter alia put an obligation on companies to protect all sensitive personal data and information that they possessed, dealt with or handled in a computer resource by implementing and maintaining reasonable security practices and procedures. The Amendment also imposed a penalty for non-compliance. The Amendment was followed by the introduction of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, which inter alia specify minimum standards of data protection for sensitive personal data, including requiring companies to have a privacy policy, to obtain consent when collecting or transferring sensitive personal data or information, and to inform individuals regarding who the recipients of such collected data are.

Over the years, various sectoral regulations and rules have also introduced suitable remedies and preventive mechanisms for data protection. However, a fragmented set of regulations and the changing trends in technology have exposed India to the loopholes in the prevailing laws.

The foundation for a single statute legislation for protection of data in India was laid down in 2017, in the much-celebrated Supreme Court judgement in K.S. Puttaswamy v. Union of India (“Puttaswamy Judgement''), which recognised ‘privacy’ as intrinsic to the right to life and liberty, guaranteed by Article 21 of the Constitution of India, thus making ‘right to privacy’ a fundamental right. While chiefly dealing with the scope of rights of a citizen as against the State, the Puttaswamy Judgement also touches upon protections to be accorded to individuals in the private sphere. The Supreme Court linked the value of privacy to individual dignity and used long-standing precedence to hold that the State has a positive burden of maintaining and preserving this dignity. As a result, the Puttaswamy Judgement is not only the basis of establishing a prohibition against privacy-violative State action, but also forms a basis for the State’s mandate to regulate private contracts and private data sharing, in the interest of individual privacy.

This led to the setting up of the Sri Krishna Committee which floated the Draft Personal Data Protection Bill in 2018. After amending the bill pursuant to industry and stakeholder feedback, in December 2019, the Ministry of Electronics and Information Technology tabled the Personal Data Protection Bill 2019 (“PDPB”) in the Rajya Sabha.

What is the Personal Data Protection Bill, 2019?

Owing to concerns raised in relation to data protection in India, a committee was set up by the Ministry of Electronics and Information Technology. The Committee was chaired by a retired Supreme Court judge, Mr. B.N. Srikrishna. As per the preamble of the bill as introduced in the Parliament, the end goal of the bill was to “provide for protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data, protect the fundamental rights of individuals whose personal data are processed, to create a framework for organisational and technical measures in processing of data, laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorised and harmful processing, and to establish a Data Protection Authority of India for the said purposes and for matters connected therewith or incidental thereto.”

The bill was needed primarily due to the issues regarding privacy of individuals especially because of the practices of the various companies. The usage of personal data by the companies in India was not properly regulated which led to outcry regarding the privacy of individuals in India.

The Personal Data Protection Bill eventually went to the Joint Committee of the Parliament which was tasked to examine and discuss the bill, and propose any changes that it deems necessary. The committee was initially chaired by Meenakshi Lekhi who is a Member of Parliament for BJP. However, she was replaced by PP Chaudhary as ministers are not allowed to chair parliamentary committees.

The potential law intended to make a trustworthy relationship between the individuals and the companies using or processing their data. It was not only intended for telecom companies but also for social media and related organisations. The bill called for the creation of a specific authority to be made in order to allow proper determination of norms related to usage of personal data of individuals.

The draft bill was inspired a lot from the European Union’s General Data Protection Regulation also known as GDPR. If it would have been translated into law then it would’ve put the multinational social media companies into proper checks. However, currently they remain largely unregulated. The bill intends to supersede the Section 43-A of the Information Technology Act, 2000 by deleting the said provisions in relation to payment of compensation for failure to protect the data.

What are the important parts of the Bill?

One of the most important features of the bill is the applicability of the proposed law. The said law will become applicable on government, any Indian and foreign company, private individuals and any other body incorporated in India. This ensures that all stakeholders who have access to personal data of the people are covered properly under the proposed legislation.

A very important feature of the bill in terms of the responsibilities of the companies and stakeholders is the appointment of a data protection officer within its ranks to ensure there is a trained professional advising on data related matters. Another addition which is impressive is the laying down of redressal mechanisms for complainants with these stakeholders and companies that have access to personal data.

Consent has been made the central feature of this proposed bill by the drafters. The subject will need to give consent for the company or the relevant stakeholder to process their personal data. This has put a host of liabilities on the companies and given the people an extensive protection from data breaches.

However, there is a mention of exceptions in the bill too. The central government has been given the power to exempt any company or stakeholder from the application of this proposed legislation in the interest of “sovereignty” and “integrity” of India.

The Chairperson of the committee that was set up by the ministry criticised this addition to the bill. B.N. Srikrishna opposed the exemption provided under the proposed law. The retired judge said that this provision could turn India into an Orwelian state. He clarified that the power to government agencies to access personal data on the pretext of sovereignty can have dangerous consequences.

While this exemption part remains a concern for a lot of parliamentarians and experts, penalties have been embedded well in the proposed legislation. There are two tiers of penalties and that can act as a good deterrent. However, recently the bill has been withdrawn by the government

Why has the Data Protection Bill been withdrawn?

The government has explained that the bill has been withdrawn due to the large number of amendments proposed by the Joint Parliamentary committee. Reportedly, the large number of amendments from the Joint Parliamentary committee has meant that the parliament needs to conduct an overhaul of the bill and reconsider it.

However, some sections of the society have discussed that the withdrawal has taken place due to pressure from the lobby of digital business majors and other relevant stakeholders. They have expressed the concerns regarding the extremist kind regulations over export of personal data to companies and also pressured to reduce such restrictions.

Meanwhile, civil societies and pressure groups have also called for withdrawal due to the discretionary provisions prevalent in the current draft of the bill. They are concerned about misuse from the government and hence want the exemption provisions to be changed as per recommendations.

he Joint committee of the parliament also suggested inclusion of non personal data in the scheme of the proposed law and not restrict it to personal data. However, the inclusion or addition of non personal data in a European GDPR style regulation is not sensible. This is also one of the reasons why the government felt it is the right thing to withdraw the bill for fresh deliberations.

Important Links for Reading

4173LS(Pre).p65 (prsindia.org) - Draft of the Personal Data Protection Bill, 2019

https://prsindia.org/billtrack/prs-products/prs-legislative-brief-3399 - Legislative Brief for The Personal Data Protection Bill, 2019

https://prsindia.org/billtrack/prs-products/prs-bill-summary-3400 - Bill Summary for The Personal Data Protection Bill, 2019

Committee Report on Draft Personal Data Protection Bill, 2018_0.pdf (prsindia.org) - Committee Report of Experts under the Chairmanship of Justice B.N. Srikrishna

What is the new Digital Personal Data Protection Bill, 2022? (indianexpress.com) What is the new Digital Personal Data Protection Bill, 2022? (indianexpress.com) - Comparing India’s draft law with other laws across the world

Questions to consider for Rajya Sabha

● Is there a need for data protection laws in India?

● What are the incidents that highlighted a need for data protection law in India?

● Was it a smart decision to take inspiration from or base the proposed law on the model of European GDPR?

● What conclusions can be drawn for legislative discussions from the committee report on data protection laws

● Was the 2019 bill introduced in Lok Sabha appropriate for passage as law?

● What other laws can the Indian government take reference from while framing our own data protection law?

● What are the non-negotiables when it comes to data protection legislation?

● What are the changes that need to be brought in the draft of 2019?

● Is there a possibility to include non personal data?

● Should non personal data be included in such a regulation?