12 recommendations made by Parl panel in report on Personal Data Protection

Platforms as publishers; covering personal, non-personal data suggested

The parliamentary joint committee on the Personal Data Protection (PDP) Bill, 2019, headed by P P Chaudhary, MP, on Thursday presented its report, recommending changes to draft legislation, including altering its name to “Data Protection Bill”.

The key proposed changes to the Bill include those on data localisation, having a single data protection authority (DPA) for personal and non-personal data, considering social media platforms publishers and holding them responsible for the content they host, a mechanism to be followed for data protection when a child comes of age, and provisions for localisation and cross-border flows of data. 

“The Joint Parliamentary Committee has examined the (PDP) Bill and made its recommendations in its report tabled today. These, however, aren’t binding on the government,” said non-profit research organisation PRS Legislative Research.

All the proposals do not have a unanimous vote, and members Manish Tewari, Mahua Moitra, Gaurav Gogoi, Ritesh Pandey, Vivek K Tankha, Jairam Ramesh, Derek O’ Brien, and Amar Patnaik have filed dissent notes, detailing their issues with some of the recommendations. 

Two key concerns flagged by these members are the wide exemptions given to the government from the provisions of the Bill and inadequacy in ensuring the independence of the proposed authority.

The report has said the Committee was concerned with respect to the capacity of government departments to protect the large volume of data they collect.

“The Committee observed that since the Government will be a significant data fiduciary, as per the provisions of the Bill, it will have to establish Standard Operating Procedures in the Ministries and Departments etc. to protect the huge amount of data that is collected,” a Lok Sabha communique said.

A data fiduciary is an entity that controls the storage of data and defines the permitted ways in which it can be processed. A data processor processes the data collected by a data fiduciary.

Extension of implementation period

The committee has recommended about 24 months may be provided for implementing any and all the provisions of the Act so that the data fiduciaries and data processors have enough time to make changes to their policies, infrastructure, processes, etc. 

Regulating non-personal data under the same legislation

The report says the committee has recommended that the authority will “handle both personal and non-personal data, any further policy/legal framework on non-personal data may be made a part of the same enactment instead of any separate legislation. As soon as the provisions to regulate non-personal data are finalized, there may be a separate regulation on non-personal data in the Data Protection Act to be regulated by the Data Protection Authority”.

Venkatesh Krishnamoorthy, country manager — India, BSA | The Software Alliance, said: “Removing provisions on non-personal data (NPD), avoiding mandatory data localisation, and promoting cross-border data transfers in the final Bill will support the Bill’s objectives, which is to safeguard personal data and enhance privacy protections. Conversely, failing to do so will be detrimental to India’s digital revolution, which needs to be built on strong privacy foundations.”

Social media

The committee has recommended that all social media platforms that do not act as intermediaries should be treated as publishers and be held accountable for the content they host. A mechanism may be devised in which social media platforms that do not act as intermediaries will be held responsible for the content from unverified accounts on their platforms.

“The protection that social media intermediaries have against liabilities for third-party content on their platforms under the IT (Information Technology) Act, also known as the ‘safe harbour’, is crucial to protecting free speech online. Treating social media platforms as publishers liable for such content would have a chilling effect on free expression and far-reaching consequences for democracy. International best practice is also clear -- the legal liability of intermediaries for third party speech on their platforms is not made part of a data protection law,” Raman Jit Singh Chima, Asia Pacific Policy director and senior international counsel, and Namrata Maheshwari, Asia Pacific Policy Counsel at digital rights organisation Access Now, had told Business Standard earlier.

Data protection officer

Clause 30 of the Bill draft mandates that every significant data fiduciary will have to appoint a data protection officer, and details the functions this executive will have to perform. These include providing information and advice to the data fiduciary on matters related to the Act, assisting and cooperating with the authority on matters of compliance of data fiduciary, monitoring personal data processing activities of the data fiduciary, providing assistance on matters of compliance with the Act, etc.

Data localisation and cross-border data flow

The Committee has recommended “any contract or intra-group scheme allowing cross-border transfer of data, even after the consent of the data principal, may not be approved if such contract or intra-group scheme is against public policy”.

Data processing related to children

The committee has suggested that data fiduciaries dealing exclusively with children’s data must register themselves with the data protection authority. It has further recommended that any contract that may exist between a data fiduciary or data processor and a data principal who is a child, the provisions of the Majority Act may apply when he/she attains the age of 18 years.

LONG ROAD TO DATA LAW

Key changes proposed in the 2019 Data Protection Bill

• Change name of legislation to Data Protection Bill from Personal Data Protection Bill 
• One data protection authority for personal and non personal data
• Social media platforms not acting as intermediaries to be liable for content they host
• Wider exemptions to the Centre
• Independence of Data Protection Authority reduced
• Govt must ensure a mirror copy of sensitive and personal data with foreign entities
• Restricting cross-border data flow under certain circumstances
• Fiduciaries dealing with children's data to adhere to stricter norms
• Data protection officer to be appointed by every significant data fiduciary