The Narendra Modi government executed another somersault earlier this week when it opted to withdraw the controversial data protection and privacy legislation framed in 2019. Data privacy has been a hot-button issue ever since the Centre rejected a stack of recommendations made late last year by a 30-member Joint Parliamentary Committee to recast some of the Orwellian elements in the original legislation. Back in December, the government chose to press ahead with its deeply flawed bill. Eight months later, it has decided to start the process from scratch as it seeks to create a comprehensive legal framework to protect an individual’s rights over his/her data. Clearly, the government has had deep misgivings about the original legislation. But it has not spelt out when wisdom finally dawned and which pressure groups were able to persuade the authorities to see the folly that they were about to commit. The new framework will ostensibly meet global standards on data privacy — an aspect that is diffused in itself since the world seems deeply divided on the subject.

For a start, the Centre must decide whether it really wants an omnibus privacy law that covers both personal and non-personal data. The jury is still divided on this question. Personal data include passwords, financial data, health data, credit history, biometric and genetic data, and data that reveal religious or political affiliations. Nonpersonal data relate to anonymised information collected, for instance, by ride-hailing apps, telecom and electricity companies, and even census and tax data. The 2019 bill covered both aspects. The former Supreme Court judge, B.N. Srikrishna, who headed the government-appointed committee that first prepared the draft legislation on the issue, feels non-personal data should be left out of the re-drafted bill. Others have argued that the personal privacy law should not be allowed to fall between two stools.

The biggest criticism against the old legislation was that it gave the government and its agencies unfettered right to snoop on citizens using a vaguely defined pretext of protecting national security. This raises the crucial principle of data minimisation and whether it ought to extend to the government as well. When an individual shares his/her personal information with a service provider or a government agency, he/she has a reasonable expectation that it will be used for the precise purpose for which consent was given. The new law must specifically ban elaborate data fishing expeditions without any exception. One of the biggest ironies in the entire process is the attempt to fix rigid, immutable regulations for a digital economy that is in a state of constant flux. The provisions must be prescriptive and the specifics can be dealt with in codes and regulations. The edifice of privacy law must stand on trust — and the only way forward is to allow for some flexibility in meeting desired objectives through a self-regulating code of ethics within industry. The tyranny of law and the regulator must not smother growth or ambition.