The Government of India had introduced the Personal Data Protection Bill 2019 (PDP Bill) in the Lok Sabha on 11 December 2019. The "Bill" was referred for examination and recommendations to a Joint Committee of both Houses of Parliament (called JPC) on 12 December 2019. JPC received more than 200 representations including that of Dua Associates / Dua Consulting. Around eight members had submitted their written dissent on the said Bill.
The Joint Parliamentary Committee chaired by Member of Parliament Shri P.P. Chaudhary tabled the report on the Bill, along with the amended Bill, before both Houses of Parliament on 16 December 2021. The Committee deliberated for over two years, during which time the Bill underwent substantial changes in scope and nature. A total of 188 amendments have been recommended, of which 91 are of a significant nature, while the rest are editorial changes of a legal nature in different sections.
Salient features of the "Bill" introduced on 11th Dec, 2019
- The "PDP Bill 2019", which defines both Personal and Non-Personal Data, is a substantive framework which introduces a specialized regulatory approach for the Protection and Privacy of Data in any form (digital or non-digital) in India. The proposed legal framework would be applicable to the processing, storage and transfer of any form of personal data across sectors of the economy, academia, industry and society. The Bill also has limited provisions relating to Non-Personal Data (NPD).
The framework is on the lines and pattern of the General Data Protection Regulation (GDPR) of the European Union. Some of the provisions of the "Bill" also reflect the directions followed in the California Privacy Act.
The framework classifies data into 3 broad categories namely:
- Personal Data
- Sensitive Personal Data (SPD)
- Critical sensitive personal data
- The nature of sensitive personal data has been defined in the legal framework. Entities across different sectors, as well as individuals, will be required to follow its provisions while processing, storing and transmitting data within the domestic territory and in cross-border exchange too. The provisions provide for special conditions to process biometric data.
- The consent of the user w.r.t. the collection and usage of his/her "data" is the underlying feature of the framework. A framework for the consent mechanism is proposed. The "Bill" also has provisions relating to grounds for processing of data without consent.
- The "Bill" provides for the rights of the Data Principal including right of data portability. There are special requirements in the "Bill" w.r.t. processing of personal and sensitive data related to children.
- The framework would regulate "data localisation" particularly "sensitive personal data" and "critical sensitive data". Consent of the user and approval of the "Regulator" would be essential for cross border transfer of Personal Data.
- Any breach of sensitive personal data or critical sensitive data will attract a heavy fine and compensation to the Data Principal (the owner of such data).
The key recommendations made by the Joint Parliamentary Committee in their report
- Applicable to the digital domain: The "Bill" will apply only to data collected, stored and processed in digital form.
- Legislation for both Personal and Non-Personal Data: Citing the impossibility of discerning between Personal and Non-Personal Data during mass collection and usage, the JPC has recommended that all data be dealt with by one Data Protection Authority (DPA). The JPC has proposed to change the name of the Bill to "Data Protection Bill".
- Phased implementation of Data Protection Act: The JPC has recommended that an approximate period of 24 months may be provided for implementation of any and all the provisions of the Act so that the data fiduciaries and data processors have enough time to make the necessary changes to their policies, infrastructure, processes etc.
- Mirror copy of sensitive and critical data to be localized: The JPC recommends that, apart from the provisions under Clauses 33 and 34 for cross-border transfer of data, concrete steps be taken by the Government to ensure that a mirror copy of the sensitive and critical personal data already in the possession of foreign entities be mandatorily brought to India in a time-bound manner.
- Policy for gradual data localization: JPC has specifically recommended that the Central Government, in consultation with all the sectoral regulators, must prepare and pronounce an extensive policy on data localisation encompassing broadly aspects like development of adequate infrastructure for the safe storage of data of Indians which may generate employment; introduction of alternative payment systems to cover higher operational costs; inclusion of the system that can support local business entities and start-ups to comply with the data localisation provisions laid down under this legislation; promote investment, innovations and fair economic practices; proper taxation of data flow and creation of local Artificial Intelligence ecosystem to attract investment and generate capital gains.
- Mechanism for certification of all digital and IoT devices: The JPC has strongly recommended that the Government should make efforts to establish a mechanism for a formal certification process for all digital and IoT devices that will ensure the integrity of all such devices with respect to data security.
- Social media platforms to be treated as publishers: JPC has recommended that all social media platforms, which do not act as intermediaries, should be treated as publishers and be held accountable for the content they host. A mechanism may be devised whereby social media platforms, which do not act as intermediaries, will be held responsible for the content from unverified accounts on their platforms.
- Timeline for reporting breach of personal data: JPC has recommended a fixed timeline of 72 hours for breach reporting.
Some of the key changes in the draft "Bill" proposed by JPC in comparison to the 2019 draft:
- Applicable only to Digital Data: The JPC is of the opinion that for the purposes of this Bill, privacy should be viewed in the context of information available in the digital domain alone.
- Non-Personal Data: The Act brings both Personal and Non-Personal Data within its scope. The Report highlights the primary reasons why Non-Personal Data is brought into the purview of the legislation, which are the near impossibility of being able to distinguish between PD and NPD when mass data is collected or transported and that NPD is essentially derived from the anonymisation of personal data – both sensitive personal and critical personal data.
- Criminal Penalties: The offences punishable under the scope of the Bill shall be cognizable and non-bailable. The criminal penalties include imprisonment of up to three years and a fine of two lakh rupees. The Data Protection Bill highlights that no court shall take cognizance of any offences punishable under the Act, save in the cases where a complaint is made in writing either by the Authority or an officer authorised for this purpose. The Bill also mentions that an "independent director and a non-executive director of a company shall be held liable only if it is shown that the acts of omission or commission by the company had occurred with his knowledge or with his consent attributable to him or where he had not acted diligently".
- Data Localisation: Both the Report and the Bill call for continual storage of sensitive personal data in India and storage and processing of critical personal data only within the territory of India. It also specifies that transfer of critical data outside India be subject to DPA approval in consultation with Government.
- Accountability and Transparency: Chapter 6 of the Data Protection Bill looks at the nature and scope of accountability and transparency for data collection and processing systems. The Bill overall places the responsibility of data protection and the transparency of processing activities squarely on the data fiduciaries and by osmosis on data processors, as mentioned in Clause 10 of the Bill. Such transparency is ensured by reporting a data breach within 72 hours of becoming aware of such an event occurring and calling for the appointment of Data Protection Officers. The revised Bill calls on the need for companies to implement Privacy by Design, especially in the cases of Fairness, Accountability, and Transparency (FAT) of algorithms. The Report also highlights that one of the critical concerns for the Committee is the transparency and accountability expected of social media intermediaries. To increase accountability of such platforms, the Committee opined that social media platforms that do not act like intermediaries should be considered publishers who control the content published on their platforms. The Committee also suggested that social media intermediaries should verify their users to increase accountability and should not be allowed to operate in India unless the parent company sets up an office within the territory of India. The Committee has further suggested that a statutory media regulatory authority - like the Press Council - should be set up to regulate content on such platforms.
- Timeline for Implementation: A timeline for set-up, implementation and compliance has been specified within the Bill and the Report. As it stands, companies have been given a period of 24 months or 2 years to comply with the legislation once it comes into effect. However, there has been no mention of a separate or implicit timeline for data localisation requirements.
- By recommending applicability of the "Bill" to only the digital domain, the JPC has diluted the purpose and objective of the concept of privacy. It may be mentioned that there is no specific law addressing the privacy of data kept in physical mode. In this context, it would be useful to recall that the 9-judge Bench of the Supreme Court had declared "Privacy" a fundamental right.
- The inclusion of Non-Personal Data in the "Bill" will complicate the implementation and enforcement of the law. Users generally would not be aware of the nature and quantum of Non-Personal Data collected and retained by the "Data Fiduciary". Thus, the principle of "Providing Consent" will raise many legal and procedural issues.
- The JPC Report has thus further complicated an already complex law. Framing rules/regulations to enforce/address issues relating to Personal and Non-Personal Data will pose significant challenges, as the nature of the two types of data is different.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.