The recent report by the Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill, 2019 (PDP Bill) has put forth recommendations and has introduced the Data Protection Bill, 2021 (DP Bill) inclusive of both personal and non-personal data.
Introduction
Given India’s history of absence of streamlined data protection legislation and the fast development in technology-based businesses, in 2017 a committee headed by Justice B. N. Srikrishna was set up by the Ministry of Electronics and Information Technology (MeitY) to examine the issue regarding data protection. The committee submitted the draft Personal Data Protection (PDP) Bill in 2018 which was tabled in the Lok Sabha on December 11, 2019.
The PDP Bill was introduced to provide for the protection of personal data of individuals and to lay down the procedure to govern the processing of personal data by the government, the companies incorporated in India, and foreign companies dealing with personal data in India.
Some of the salient features of the PDP Bill, 2019 are as follows:
1) Rights of the citizens/Data Principals – The rights mentioned under Chapter 5 included the right of data principal to obtain confirmation from the data fiduciary if its personal data is processing or has been processed; the right to seek correction of inaccurate personal data; the right of data portability i.e., have personal data referred to any other data fiduciary in certain circumstances, and the right to restrict disclosure of their personal data by a data fiduciary
2) Obligations of the Data Fiduciary – which refers to any entity that governs the process and need for processing of data as provided under Chapter 2:
- collection and processing of data for specific and lawful purpose.
- reasonable notice given to the data principals before collection or processing of personal data.
- consent is taken from the data principal at the commencement of the data processing
- age is verified and parental consent is taken before processing sensitive personal data of children.
3) Process for processing Personal data without consent – The PDP Bill provided for certain exceptions (Chapter 3) under which data could be collected without the consent of the individuals in cases where:
- required by the State for providing benefits to the individual,
- legal proceedings,
- medical emergencies
- prevention of fraud, mergers and acquisitions, recovery of debt etc.
4) Social Media Intermediaries (SMI) – it defined SMI’s as intermediaries which primarily and solely enable online interaction between two or more users and allow them to create, upload, share, disseminate, modify, or access information using its services.
5) Establishment of a Data Protection Authority (Chapter 9) – to protect the rights of the individuals ensuring no malicious usage of the collected data and promoting awareness of data protection.
Recommendations of the JPC – DP Bill
The 2019 PDP Bill was later referred to a JPC which published its report along with the finalised Data Protection Bill 2021 (DP Bill) on December 16, 2021. The key characteristics and features of this report are discussed below:
1)Taxonomy of the Bill – The JPC report rebrands the PDP Bill as the Data Protection Bill, 2021 with an aim to expand the scope of the legislation. The DP Bill would now also cover non-personal data which was not the part of the PDP Bill. While widening the scope of the bill, it gives the government access to anonymized or non-personal data from any data fiduciary for better targeting of delivery of services or formulation of evidence-based policies. This inclusion could dilute the original aim of the PDP Bill which was to establish a framework for the protection of personal data only.
Non-Personal Data refers to any set of data that does not contain personally identifiable information and Personal Data refers to data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.
2) Specified timeline for implementation of the Act – It acknowledges the need for a transition period wherein all the stakeholders need time to adjust to changes. Thus, the JPC report provides for a 2-year timeline under which the Data Protection Act needs to be implemented.
It makes it easier for the DPA to work more effectively with the industry, its stakeholders by enabling the companies to comply and rearrange their global contracts accordingly.
3) Right to Data Portability– The report upholds the rights of Data Principals (any citizen whose data has been collected) which includes the right to be forgotten, access, correction, and right to portability.
It refers to providing individuals with the right to receive personal data which they have provided to a controller in a structured and machine-readable format.
4) Consent of Data Principals– The Bill 2021 enshrines the requirement of obtaining the consent of Data Principals regarding their personal data and its processing. The problem is the exemption of this principle under clauses 12-14 of the DP Bill which are:
- Clause 12 mentions exemptions to the state from consensual processing and it retains the overbroad language from the earlier draft that exempts the State from collecting consent for purposes of ‘performance of functions of the State authorized by law’.
- Clause 13 allows for an exemption against collection of consent for purposes relating to employment.
- Clause 14 enables non-consensual processing pursuant to be specified by future regulations. The changes made now include the legitimate interest of the data fiduciary.
5) Establishment of a Data Protection Authority (DPA)- Like the PDP bill, under the Data Protection Bill, 2021, the DPA would play a key role and even though its independence and capacity are addressed by the committee in the report. The JPC report recommends wider representation from technical, legal, and academic experts in addition to the bureaucrat officers comprising the selection committee for the DPA. Since all members in the selection committee are appointed at the behest of the Central Government (CG) it compromises the independence of the DPA.
6) Platform Regulation and Intermediary Liability– The report supports the mandatory verification of social media accounts as the intermediary regulations under the IT Act, 2000 are inefficient due to which it recommends that intermediaries shall be deemed as publishers of the content on their platforms. Since the content published by the print media is hosted on the platform who have the right to decide which content to be uploaded. To constitute a single body to regulate content published in print media as well as on social media platforms is predicted as one of the most unworkable recommendations by the JPC.
The report also prescribes for a statutory media authority which would regulate all forms of content which are published on media platforms whether online or print.
Conclusion
The JPC report makes strides towards the establishment of a data protection legislation as it ensures the rights of citizens, emphasizes the importance of the consent of data principals and provides for the establishment of the DPA.
However, it does have its share of criticisms as raised in the Parliament’s Winter Session held in December 2021 which is that the Data Protection Act empowers the government to exempt any or all its authorities from the provisions of the proposed legislation or be it terming social media platforms as publishers. Even the prescription for regulation of all kinds of content by a statutory authority raises questions regarding the privacy and freedom of expression of individuals.
The JPC report does in a lot of ways deviate from the original PDP Bill by expanding the scope and adding governmental exemptions which indicates further debates that would entail discussing the future and direction of data privacy laws in India. Thus, it can be precisely said that the data protection law is not in its final stage, and it is to be seen how India’s law on privacy shapes up in the future.
This is only for informational purposes. Nothing contained herein is, purports to be, or is intended as legal advice and you should seek legal advice before you act on any information or view expressed herein. Endeavoured to accurately reflect the subject matter of this alert, without any representation or warranty, express or implied, in any manner whatsoever in connection with the contents of this. This is not an attempt to solicit business in any manner. Sources: The Hindu and The JPC Report