NEW DELHI: The Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill, which was constituted in 2019, submitted its report in Rajya Sabha, clearing the path for India’s first data protection law. The JPC report recommends sweeping revisions, including as broadening Bill’s scope to encompass non-personal data and proposing that all social media platforms be designated as “publishers.”
Because India has grown to be one of the world’s largest internet markets, there must be clear laws governing what is and is not acceptable. The report, which was the outcome of nearly two years of deliberation, was filed in Rajya Sabha by Congress MP Jairam Ramesh.
The 542-page JPC report examines the Personal Data Protection Bill of 2019 clause by clause and contains 81 proposals for changes as well as over 150 drafting fixes and improvements in various parts of the Bill.
According to JPC Chairman PP Chaudhary, the study will have a global impact and far-reaching implications for the country’s handling and protection of personal and non-personal data. The JPC report also includes seven dissenting notes signed by eight members of the Opposition.
Salient features of Personal Data Protection Bill:
Statutory Body For Media Regulation
The Committee has stated that self-regulation and existing media authorities are insufficient and ill-equipped to oversee the journalism industry.
“The Committee has desired that Clause 36(e) may be amended to empower any statutory media regulator that the Government may create in the future and until such time the Government may also issue rules in this regard,” the report quotes.
Personal and non-personal data shall be covered by the Personal Data Protection Act.
The JPC has advised that because the Data Protection Authority will handle numerous types of data at varying degrees of protection, distinguishing between personal and non-personal data will be challenging.
As a result, the committee has stated that the PDP Bill will include both categories of data until a new framework is established to distinguish between personal and non-personal data.
“As soon as the provisions to regulate non-personal data are finalized, there may be a separate regulation on non-personal data in the Data Protection Act to be regulated by the Data Protection Authority,” the report quotes.
Timeline for implementation of ACT
The Committee has also encouraged the government to set a schedule for the Act’s implementation after it is notified.
The JPC has recommended a 24-month term after the Act’s announcement for the selection of the Chairperson and Members of the DPA, as well as to ensure compliance by data fiduciaries and data processors.
During the Act’s implementation, the Committee also suggested ensuring the ease of doing business in India.
With Regards Social Media Platforms
The Committee has proposed that all social media platforms that do not operate as intermediaries be considered publishers and held accountable for the content they host. A process could be established in which social media platforms that do not operate as intermediaries are held accountable for content posted by unverified accounts on their networks.
The Committee has also advised that no social media platform be allowed to function in India unless the parent business in charge of the technology has an office in the country.
The JPC has recommended that a statutory media regulatory institution, similar to the Press Council of India, be established to regulate the material on all such media platforms, regardless of whether their content is disseminated online, in print, or otherwise.
Safety of financial transactions
The Committee has expressed concerns about the security and safety of the SWIFT network, which enables international financial transactions between banks.
It has suggested that an alternative indigenous financial system be built along the lines of such systems elsewhere, such as Ripple (USA), INSTEX (EU), and so on, to preserve privacy while simultaneously boosting the digital economy.
Regulating hardware manufacturers
The Committee has suggested that a new sub-clause 49(2)(o) be added to allow DPA to draught regulations to govern hardware makers and related companies.
The Committee has also urged the government to establish a dedicated lab/testing facility with branches across India to give certification of the integrity and security of all digital devices.
Localisation of data storage
The JPC has recommended that the Central Government ensure that a mirror copy of sensitive and important personal data already in the custody of foreign companies be brought to India in a timely manner.
The Central Government has also been requested to guarantee that the data localisation provisions of this legislation are obeyed in letter and spirit by all local and international organisations, and that India moves steadily toward data localisation.
The JPC also emphasised how the Central Government, in cooperation with all sectoral authorities, must create and issue a comprehensive policy on data localisation.
On Data storage and Surveillance by Government:
“Government’s surveillance on data stored in India must be strictly based on necessity as laid down in the legislation,” the report quotes.
On Data Breach:
The Committee has proposed that Clause 25(3) include a 72-hour reporting period for data breaches.
The Committee also wished for certain guiding principles to be followed by DPA when developing legislation on how to address data breaches.
The JPC has suggested that the Authority, while disclosing details of a personal data breach under Clause 25(5), ensure that the data principals’ privacy is maintained.
If the data principle has experienced immaterial or material harm as a result of the data fiduciary’s delay in reporting the personal data breach, the data fiduciary bears the burden of proving that the delay was reasonable. Furthermore, the data fiduciary is liable for the harm caused to the data principal as a result of the delay in notifying a personal data breach. The Authority should ask the data fiduciaries to maintain a log of all data breaches.
Retention of data by fiduciary:
A data fiduciary shall not maintain any personal data for longer than is required to fulfil the purpose for which it is processed and shall erase the personal data upon completion of processing.
On Sharing of data by Data Principal:
When approving a contract or intra group plan under Clause 34(1)(a) that provides for the cross-border transfer of data, the authority must always engage with the Central Government.
Holding government heads responsible:
Because the government will also become a data fiduciary, in the event of a breach or an offence, the Head of the Department concerned should first conduct an in-house investigation to discover the person or official responsible for the specific infraction, and culpability can then be decided.
The penalty on Data Principals, Fiduciaries and or Start Up will be applicable if:
(a) obligation to take prompt and appropriate action in response to a data (*) breach under section 25;
(b) failure to register with the Authority under sub-section (2) of section 26;
(c) obligation to undertake a data protection impact assessment by a significant data fiduciary under section 27;
(d) obligation to conduct a data audit by a significant data fiduciary under section 29;or
(e) appointment of a data protection officer by a significant data fiduciary under section 30, it shall be liable to (*)such penalty (*) as may be prescribed, not exceeding five crore rupees or two per cent. of its total worldwide turnover of the preceding financial year, whichever is higher.
(2) Where a data fiduciary contravenes any of the following provisions, namely:—
(a) processing of personal data in violation of the provisions of Chapter II or Chapter III;
(b) processing of personal data of children in violation of the provisions of Chapter IV;
(c) failure to adhere to security safeguards as per section 24
(d) transfer of personal data outside India in violation of the provisions of Chapter VII,it shall be liable to (*) such penalty (*) as may be prescribed, not exceeding fifteen crore rupees or four per cent. of its total worldwide turnover of the preceding financial year, whichever is higher.
Clause 32 provides for the data principal to file a complaint with the data fiduciary, and Clause 64 provides for the data principal to seek compensation by filing a complaint with the Adjudicating Officer.
The Committee believes that the Act should explicitly state the method to be followed in both cases.
As a result, the Committee has specified that the DPA must transmit the complaint or application lodged by the Data Principal to the Adjudicating Officer for adjudication. To incorporate all of the above provisions, the Committee proposes inserting a separate Clause in the Bill with a marginal heading that reads ‘Right to submit a complaint or application.’