
Parliamentary Committee Report On Data Protection Bill: Top 5 Recommendations

Data Protection Bill, 2021 includes five key recommendations, BloombergQuint learns.

Computer code and text displayed on computer screens. (Photographer: Chris Ratcliffe/Bloomberg)

The Joint Parliamentary Committee, set up to examine the Personal Data Protection Bill, 2019, adopted its report days before the start of the current session of the Parliament.

The bill itself was introduced in the Lok Sabha in December 2019 and was subsequently referred to the JPC, which comprises members from both houses of the Parliament. For two years, deliberations have been underway while citizens await a law to protect their data.

The committee adopted its report on Nov. 22 with dissent notes from some members. But the deadline for the committee to submit the report to the Lok Sabha Speaker was extended again last week. The report, which could see further revisions until it is tabled in the house, is now likely to be submitted in the last week of the current winter session.

That said, BloombergQuint has learnt that the Nov. 22 version—which is now called the Data Protection Bill, 2021—includes five key recommendations:

  • Personal and non-personal data to be governed by a single legislation.

  • Regulating social media companies.

  • Procedure to exempt government agencies from purview of the bill.

  • Provisions related to data localisation.

  • Composition of the data protection authority.

The joint committee consisted of 30 members from both houses of the Parliament and across different political parties.

Inclusion Of Non-Personal Data 

The first committee that laid the groundwork on a law for data protection was headed by Justice BN Srikrishna. In its report, the committee had suggested that anonymised data be kept out of the purview of the personal data protection framework. What'll qualify as anonymised data, the committee had proposed, should be determined by the data protection authority.

But the parliamentary committee has taken a different view.

The JPC has said exempting anonymised data from the purview of the bill may encourage manipulation or commercialisation of personal data and defeat the core purpose of the bill which is to protect individual privacy, BloombergQuint has learnt.

Further, at times, it is impossible to distinguish between personal and non-personal data and such distinction depends on how the data is going to be extracted or used.

And so the JPC has recommended regulating personal and non-personal data through the same act, to avoid confusion and mismanagement and to have a single law and regulator overseeing all the data originating from an individual. With that intent, the JPC has recommended that even anonymised data be brought under the ambit of the bill.

It's for this reason that the JPC has recommended changing the name of the proposed legislation from Personal Data Protection Act, 2019, to Data Protection Act, 2021. And since the ambit of the act has to be widened to include non-personal data, the powers to take action for breach of non-personal data should be widened as well.

The move, however, has seen dissent from two members in the committee—Derek O’Brien and Mahua Moitra. In the joint letter, the two TMC MPs have opposed the recommendation and called for a detailed study and separate framework for regulation of non-personal data.

Regulating Social Media

Currently, the Information Technology Act, 2001, governs social media platforms and grants such companies immunity from third-party content posted on their website as long as they comply with the regulations framed under the law.

The Personal Data Protection Bill, 2019 sought to cover social media intermediaries and defined them as entities which enable online interaction between two or more users.

The JPC has taken the view that the current framework under the Information Technology Act and even the proposals under the 2019 version are inadequate to regulate social media platforms and address the concerns around them.

It has pointed out that some intermediaries may be working as publishers of content in many situations, for instance where they have the ability to select the receiver of the content and also exercise control over access to any such content hosted by them. And so, the JPC has opined that such companies should be called social media platforms and their intermediary immunity should be discontinued in certain cases.

Its proposal is to treat all social media platforms, which do not act as intermediaries, as publishers and hold them accountable for the content from unverified accounts.

Companies enabling commercial transactions, providing access to the internet and search engines, e-mail services or online storage services will not be called social media platforms.

The JPC's recommendations for regulating social media include:

  • Treating certain social media platforms as publishers and making them accountable for the content hosted.

  • A verification request by an account that submits valid documents for verification must be mandatorily approved. All companies will have to provide a voluntary verification mechanism for their users.

  • Mandatory requirement for social media companies to set up an India office of the parent company which handles the technology.

  • Setting up a statutory media regulatory authority for digital news.

Interestingly, some of these provisions already feature in the recent IT Rules, covering social media intermediaries and digital news platforms and notified earlier this year.

It's not clear how the overlaps and contradictions between the Data Protection Bill, 2021 and the information technology law will be dealt with. The Data Protection Bill, though, provides for an overriding clause over other legislations.

Data Localisation

India’s position on data localisation is being keenly watched—not just by tech policy observers, but also from an economic policy perspective.

The JPC has recommended that the central government take steps to ensure that a mirror copy of the sensitive and critical personal data is mandatorily stored in India. This is along the lines of the Justice Srikrishna committee's report.

The JPC has also suggested formulation of a policy on data localisation. Government surveillance of the stored data must be strictly based on necessity, the JPC has said.

Government Exemption

The Personal Data Protection Bill, 2019 allowed the central government to exempt any of its agencies from the purview of the law for certain legitimate purposes, including security of the state, friendly relations with foreign states, public order, etc. An exemption order will have to comply with "such procedure", "safeguards" and "oversight mechanism" to be followed by the agency, as may be prescribed, the government's version had stated.

The JPC has now added an explanation to "such procedure".

"Such procedure" in determining the exemption should be just, fair, reasonable and proportionate, and this exemption should be granted in exceptional circumstances, the JPC has said.

Not all members have agreed with this. Congress MP and member of the committee Jairam Ramesh disagreed with the committee’s approach on this issue.

In his dissent note, Ramesh said that the bill gave unbridled powers to the central government to exempt its agencies. Ramesh proposed that the reasons for exemptions should be tabled in parliament but the recommendation did not find acceptance in the final report.

Data Protection Authority

The Data Protection Authority proposed to be established under the bill was criticised for excessive government role in its composition.

The JPC has opined that the selection committee should be more inclusive and independent.

The parliamentary committee report has recommended that the selection committee for chairperson and members of the data protection authority should also include the attorney general of India; an independent expert nominated by the central government, director of any of the Indian Institutes of Technology or any of the Indian Institutes of Management.

The chairperson and members of the data protection authority should be appointed within three months and the authority should commence its activities within six months of the notification of the act.

The report, BloombergQuint has learnt, also recommends a 24-month timeline for implementation of any or all provisions of the bill. This is aimed at providing time to entities and processors to make necessary changes.

BloombergQuint reached out to members of the committee—Chairperson PP Chaudhary, DMK’s Dayanidhi Maran, Shiv Sena’s Shrikant Shinde, BJP’s Satyapal Malik and Congress’ Manish Tewari—requesting a comment. Their response is awaited.

The report of the committee is likely to be tabled in the Parliament soon.