Season's greetings from the Parliamentary Committee on India's privacy law!

A Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill 2019 (PDP Bill) tabled its report (Report) in the recently concluded winter session of Parliament.

And we kicked off a series on #AllThingsPDP to unpack the Report! Here's our summary condensing the 100+ page Report into 5 sharp pages, for a quick read. For fellow nerds, we have a clause-wise mapping of the 2019 version of the PDP Bill, against the Report. We also prepared an infographic cheat-sheet on the JPC's recommendations impacting businesses, here. Earlier, Sreenidhi and Anirudh wrote in the Times of India about what to expect from the Report. They were worried about the expansion of the law to cover non-personal data (NPD), and argued that the objective of a data protection law is individuals' privacy, while the goals of regulating NPD are economic. Combining the two could dilute both those objectives. Stay tuned to our LinkedIn and Twitter pages for more updates on #AllThingsPDP.

So, what did the JPC have to say?

Including NPD: Expand the scope of the PDP Bill to regulate NPD (anonymized data/business information) and empower a single data regulator to deal with personal and non-personal data.

Social media: Hold social media companies accountable for the content they host. Also, set up a statutory media regulatory authority, on the lines of the Press Council of India (self-regulatory body for print media), for the regulation of content on all social media platforms.

Breach notifications: Companies should report breaches to the data regulator, under all circumstances. Under the PDP Bill, companies were required to report breaches only when they could cause severe harm to users. Also, companies should report data breaches to the data regulator within 72 hours. More on data breaches, here.

Transition period: A period of 24 months for the adoption of the law and gradual transition for compliance. An infographic capturing JPC's recommendations on transition period and penalties, here.

Hardware and software certification: The data regulator should regulate hardware manufacturers for collecting data from devices. Also, the government should develop a certification process for all digital and IoT devices. Here's a quick explainer on hardware certification and algorithmic transparency.

Next steps: The Lok Sabha Rules say that the central government can either introduce the JPC's version of the bill directly in Parliament or return the bill to the JPC or another committee or circulate it in Parliament for further consultation. Our sources and general practice indicate the government is likely to withdraw the PDP Bill, and re-work it as per the recommendations of the JPC's Report. But the recommendations are not binding on the central government. The re-drafted and cabinet-approved data protection bill will then be tabled and put to vote in Parliament.

Data in healthcare

Entities processing health data are likely to be impacted by the National Health Authority's (NHA) latest consultation paper on health data retention policy. The paper seeks inputs on how long and what kinds of health data should be stored. It also discusses the data retention practices of doctors, clinics, hospitals, laboratories, public health programs, etc. (healthcare entities).

The paper is in continuation of the health data management policy, released under the Ayushman Bharat Digital Health Mission (ABDHM). The health data management policy enables secure processing of personal and sensitive personal data of individuals who are a part of the ABDHM ecosystem. The NHA had earlier said that certain provisions in the health data management policy will be implemented through a specific data retention policy. The consultation paper questions whether the health data retention policy should apply to all healthcare entities irrespective of whether they are operating in the ABDHM or not.

The PDP Bill, which discusses processing and retention of health data, is still under deliberation, but it will be interesting to see how the PDP Bill and the data regulator will interact with the NHA's policies for health data management and data retention.

In case you missed it!

Mercury is in retrograde for

Online Gaming: The Federation for Indian Fantasy Sports (FIFS) and 6 other companies challenged Karnataka's online gaming ban. In its submission before the Karnataka High Court, the Karnataka government clarified that the intention of the law was to prohibit injury to public health and order; and the ban extended only to games of chance, including the ones over the internet. The Karnataka High Court is expected to give its decision on the ban on 10 January 2021. Additionally, the Tamil Nadu government appealed the Madras High Court's decision overturning the law banning online games in the state. The case will be heard by the Supreme Court of India.

Stars have aligned for

National Blockchain Strategy: The Ministry of Electronics and IT released the updated National Strategy on Blockchain. The strategy discusses key recommendations for policy making and implementation of blockchain technology in India. This includes assessment of value proposition of blockchain technology for various applications and government services, and a case-by-case valuation of these applications. Mapping a 5-year plan, it proposes to set up a National Blockchain Portal (which will be an indigenous blockchain platform) to analyze innovative blockchain use cases on an experimental basis.

Through the grapevine

The word not-yet on the street is that the committee deliberating the new drugs and cosmetics law might see a rejig, with one member retiring. The committee is looking to regulate the use of information technology in selling drugs and cosmetics, and has time till February 2022 to submit its report. Read more about the online sale of drugs, here.

We are celebrating!

Bringing us some festive cheer, Chambers and Partners, widely recognized as an authority on legal rankings worldwide, has ranked us as a 'Band 2' firm for Fintech and a 'Band 3' firm for TMT. Anirudh retains his rank in 'Band 1' for Fintech. He's also been ranked in 'Band 3' for Aviation, and 'Band 4' for TMT. Also, Nehaa has been ranked in 'Band 5' for TMT. We are beyond grateful and look forward to continuing to do some good work.

We wish you all the best as we step into the New Year. Here's hoping for a kinder and safer 2022.
