December 18 2021: The joint parliamentary committee's report on the Personal Data Protection Bill, 2019, which recommends wide ranging changes, including widening the scope of to include non-personal data and pitches for all social media platforms to be declared 'publishers' has been tabled and will be taken up by the two Houses next week. Details of the main features from an IndiaToday report:
The JPC has recommended that since the Data Protection Authority (DPA) will handle various types of data at various security levels, it will be difficult to distinguish between personal and non-personal data.
The committee has recommended that all social media platforms that do not act as intermediaries be considered publishers and, therefore, be held accountable for the content they host.A mechanism may be devised by which social media platforms which do not act as intermediaries are held responsible for the content from unverified accounts on their platforms, the report said.
The committee has also suggested that no social media platform be permitted to operate in India unless the parent company in charge of the technology sets up an office in the country.
The committee has said that self-regulation and existing media regulators are insufficient and ill-equipped to regulate the journalism industry.
The committee has expressed concerns about the safety of the SWIFT network, which enables international financial transactions between banks.
It has recommended that a new sub-clause 49(2)(o) be added to allow the DPA to regulate hardware manufacturers and related entities.|
It has urged the government to establish a dedicated lab/testing facility with branches across India to provide certification on the integrity and security of all digital devices.
"The government’s surveillance of data stored in India must be strictly based on necessity as laid down in the legislation," the report said.
Member in the panel Jairam Ramesh has submitted a dissent note. His objection primarily is to a clause that allows the Centre to exempt any agency under its purview from the law. Government and government agencies are treated as a separate privileged class whose operations and activities are always in the public interest and individual privacy considerations are secondary.”
Early reactions:
NASSCOM and Data Security Council of India: A robust data protection law is critical to safeguard the privacy of Indian citizens while driving India’s success in the digital economy. While the JPC has retained much of what was positive with the 2019 Bill, and accepted many more recommendations from the industry, certain areas will require further deliberation – particularly the expansion of the scope to cover non-personal data. NASSCOM will continue to work with the Government towards passing a law that brings regulatory certainty and delivers on our collective duty to protect India’s personal data.
The JPC has made certain significant recommendations that apparently go beyond the scope of the proposed data protection law, including those around stringent data localisation policies, social media intermediaries and financial systems. NASSCOM-DSCI expects these to be widely debated and discussed so that India continues to enable cross-border data flows without undue restrictions, provide an effective safe Harbour regime for intermediaries and ensure a globally competitive market ecosystem for FinTech and the financial sector in general.
The proposal in the report to have the Bill apply to “non-personal data” and having a “single regulator” for both personal and non-personal data needs careful analysis and deeper debate. This is required as the imperatives for a policy on non-personal data are to enable data driven innovation and unlock economic value. These imperatives arguably require a different regulatory approach than that needed for regulating personal data processing, where the focus is primarily on protecting privacy and preventing harms arising from the abuse of personal data. Given the enormity of these imperatives it is important to first operationalise the Bill’s original mandate well, that is, the processing and protection of personal data. The Government has another committee specifically to examine non-personal data, and any legislative decision should ideally follow the policy discussions.
Amongst the positives in the report are the highlighting of the imperatives to ensure the independence and accountability of government bodies and the Authority, to recommend the implementation of the law in a phased manner, and to suggest innovation-friendly measures, such as the inclusion of start-ups in the regulatory sandbox. We welcome these as key steps forward.
India's Information Technology (IT) and Business Process Management (BPM) industry's annual exports to over 100 countries stand at $150 billion. Given this, NASSCOM-DSCI reiterates the importance of providing strong privacy safeguards and establishing grounds for India to engage with the world on data adequacy from a robust position. The need to exempt the processing of foreign data in India from certain conditions, the retention of broad powers to exempt stage agencies without sufficient checks and balances, and an emphasis on treating processing by the State and the private sector equally should be viewed in this context.
Internet and Mobile Association of India: Prima facie it seems that the draft that was put out in 2019 after the widest possible consultations has changed fundamentally, including the title of the bill from Personal Data Protection Bill to Data Protection Bill. Certain other deviations such as the recommendations that social media intermediaries could become publishers in certain circumstances and a few aspects of data localisation norms change the original structure of the bill substantially.The report currently encompasses non-personal data within the personal data protection bill which is contrary to the recommendations of the expert committee appointed by MEITY to develop a framework for non-personal data governance.
The requirement on DPA to consult the Central Government before issuing any approvals or decisions on cross-border data flows would create an incredibly slow and cumbersome process for decisions and would mitigate the autonomy and efficiency of a specialised body such as the DPA.
IAMAI also raised its concerns on imposing age restrictions of 18 years on certain services that will exclude an important demographic from the digital ecosystem and will contradict most data regimes that create enabling provisions for 13-18 years. In addition, the inclusion of ‘psychological manipulations which impairs the autonomy of any individual (without sufficient understanding of what this would entail) under the meaning of ‘harm’ creates immense room for inaccurate interpretations of the law.
Above all, IAMAI feels that the recommendations may bring a much higher compliance burden on start-ups, and suggests that an expert group should be set up to study the impact of these recommendations on start-ups.
Certain provisions in the report such as the new requirement for hardware/device testing need to be discussed with the industry as the outcomes of such a mechanism are not clear given that data fiduciary is already legally accountable for complying with the law.
The bill will impinge upon the IP rights of the companies as part of the new requirements on data portability and algorithmic transparency. These objectives can be achieved without compromising on trade secrets.
Nanjunda Prasad Ramesh, CEO, Multi-Verse Technologies: This is undoubtedly a major step forward in ensuring every Indian’s personal data is protected. It has been long overdue and brings in the much needed accountability when dealing with the data of people. While this is a good first step, we must not stop here. The law must safeguard the interests of the people against indiscriminate use of data by any enterprise, be it private or Government. The next step is to clearly limit the exemptions that are currently being provided. This ensures that we move ahead to protect the interests of citizens on priority rather than pushing the law by only focusing the loopholes in the current draft. We need to roll this out, make corrections and keep moving. I personally believe in the right to privacy and I am glad to be a part of this movement.