The Joint Parliamentary Committee (JPC) on Personal Data Protection Bill (PDPB) has finally tabled its report before the Parliament. The much-awaited report has a lot of recommendations on key provisions, and also on the entire scheme of the bill.
Interestingly, the Committee has recommended changing the purpose of the bill to even include non-personal data. And that ultimately results in the name of the bill changing to the “Data Protection Bill”. There are many other recommendations too, and we shall look into all the key ones that you need to know about.
We will first look into the recommendations to provisions of the bill, and then also discuss some other general recommendations of the Committee.
“Data Protection Bill, 2021”
The 2019 bill focuses on regulating only personal data, and strictly bars regulation of non-personal data.
What Changed: The very first change that the Committee suggests is to change the title of the bill.
Reasoning: After examining the Objects and Reasons of the Bill, the Committee observed that the bill is “dealing with various kinds of data involving various levels of security and distinguishes between personal data and non-personal data”.
The Committee also found that the Personal Data Protection Bill cannot privilege the digital economy over data protection. Moreover, “in view of the impossibility of a clear cut demarcation of personal and non-personal data and to cover the protection of all kinds of data”, it recommended a new title: “The Data Protection Bill, 2021”.
Scope of the Bill
What Changed: Earlier, Clause 2 (b) said that the Act shall apply to the processing of personal data by the State, any Indian company, any citizen of India or any person or body of persons incorporated or created under Indian law.
The Committee has changed it to “the processing of personal data by any person under Indian law”.
Further, it has added a new sub-clause (d) to include “the processing of non-personal data including anonymised personal data”.
Reasoning: The Committee observed that any kind of flexibility in the legislation, such as the exclusion of anonymised data from the Bill, may encourage manipulation or commercialisation of personal data under the cover of anonymisation, jeopardising the privacy of data principals. Therefore, it recommends bringing anonymised data under the ambit of the bill.
Regarding the replacement of the selective wording of Clause 2 (b), the Committee notes that the original wording, being restrictive, may lead to complications. However, the Committee does not give any reasoning as to what impact the replacement may have, given that it also removes the term ‘State’.
No denial based on the exercise of Choice
Clause 11 deals with the necessity of consent for the processing of personal data. Further, the consent must be free, informed, specific, clear, and capable of being withdrawn.
What Changed: Clause 11(4) of the bill says that any goods or services, or the performance of any contract, or the enjoyment of any legal right or claim “shall not be made conditional on the processing of any personal data not necessary for that purpose”.
The Committee has added a new sub-clause (ii) here. It says that any goods or services…shall not be denied based on the exercise of choice.
Reasoning: The report does not give any detailed reason for this particular sub-clause. However, the reasoning flows from its comments on the previous recommendation regarding Clause 11 (3)(b).
As such, the Committee wants the sub-clause to reflect the idea that the data fiduciary must obtain the consent of the data principal without any circumvention of the law. It cannot use denial of service as leverage to obtain consent.
Processing of Personal data necessary for purposes related to Employment
Clause 13 of the bill deals with the processing of personal data necessary for purposes related to employment. It allows the processing of personal data for recruitment or termination, provision of any service or benefit, verifying attendance, etc.
What Changed: The Committee has added a phrase “or can reasonably be expected by the data principal”. The Clause now reads as:
“13. (1) Notwithstanding anything contained in section 11 and subject to the provisions contained in sub-section (2), any personal data, not being any sensitive personal data, may be processed, if such processing is necessary or can reasonably be expected by the data principal for—”
Reasoning: The Committee notes that there is a trust relationship between the employer and employee. The Committee wants to respect this relation. Therefore, “there should be equilibrium in the processing of data of employee by the employer and its use/ misuse of data by the employer”.
Therefore, the Committee recommends that the processing may happen if such processing is necessary or can reasonably be expected by the principal.
Data Breach reporting strictly within 72 hours
Clause 25 of the Bill deals with reporting personal data breaches. Every data fiduciary has to inform the Data Protection Authority (DPA) about the breach of any personal data it’s processing.
What Changed: Since the bill now also covers non-personal data, the Committee first of all recommends “reporting of data breach” instead of “reporting of personal data breach”. Further:
1. The bill asks the data fiduciary to inform the Authority about a breach of personal data only where “such breach is likely to cause harm to any data principal”. The Committee recommends removing this requirement.
2. There are three more crucial changes. First, the Committee now proposes a strict data breach reporting window of 72 hours (after becoming aware of the breach). This replaces the bill’s wording, “as soon as possible within such period as may be specified by regulations”.
3. The Committee is also recommending changes to Clause 25(5). The bill says that the DPA shall determine if reported data breaches should be reported to the data principal. The Committee recommends that the “Authority shall, after taking into account the personal data breach and the severity of harm that may be caused to the data principal, direct the fiduciary to report such breach to the data principal…”
4. Lastly, the Committee has recommended not to specify the “form of notice” to report a data breach.
Reasoning:
1. The Committee says that the most important obligation of a data fiduciary is to maintain the security of data. Therefore, it says the phrase “likely to cause harm to any data principal” will lead to ambiguity. As such, the Committee has recommended omitting it.
2. About the strict 72-hour window, the Committee says the existing clause is too general. It should mention a specific and realistic time frame for reporting a data breach.
3. Regarding the reporting to data principals, the Committee notes “it’s not advisable to report all kinds of data breach to data principal without informing the Authority. The Committee are of the view that some data breach reports may create panic among the citizens and also affect public law and order if reported to every data principal without analysing the exact harm to a specific data principal.
Further, the genuineness of trust between an individual and an entity can be questioned due to the reporting of every kind of personal data breach to the data principal.”
4. Regarding the “form of notice”, the Committee is of the opinion that it should be specified by regulations rather than restricting the scope of the form within the legislation itself.
Transfer of Sensitive Personal Data only after Consultation with the Central Government
Clause 34 of the Bill lists out conditions under which sensitive/ critical personal data could be transferred out of India.
What Changed: The bill says that the transfer can be made pursuant to a contract or intra-group scheme approved by the DPA. The Committee, in Clause 34(1), recommends adding “in consultation with the Central Government.”
Alongside, the Committee recommends a power to block a transfer “if the object of such transfer is against public policy or State Policy”. It also recommends adding an Explanation, which reads:
“…an act is said to be against “public policy” or “state policy”, if the said act promotes the breach of any law or is not in consonance with any public policy or state policy in this regard or has a tendency to harm the interest of the State or its citizens.”
Lastly, the committee recommends adding a new clause 34(1)(b)(iii) to restrict sharing of sensitive personal data with any foreign government or agency unless such sharing is “approved by the Central Government”.
Reasoning: The Committee notes that the Central Government has the power to allow the transfer of sensitive personal data to any country with certain safeguards, as per Clause 34(1)(b).
“Similarly, the Authority while approving a contract or intra-group scheme under Clause 34(1)(a) which allows the cross-border transfer of data, should invariably consult the Central Government.”
For the addition of clause 34(1)(b)(iii), the Committee says that “in order to safeguard the data of Indians and keeping in view the shifting nature of international relations, it is necessary to have a directive in the Bill to restrict any country, to which sensitive personal data of Indians would be transferred, from sharing it with a third country or agency, unless such sharing is approved by the Central Government.”
Exemptions to the Central Government & other authorities
Clause 35 of the bill grants the Central Government the power to exempt itself or any of its agencies from the application of the Act.
What Changed: The Committee has added a non-obstante clause to further solidify the exemptions. It has also added an explanation for “such procedure”, which refers to “just, fair, reasonable, and proportionate procedure”.
Reasoning: The Committee is concerned about the possible misuse of the provisions of the Act when a situation arises whereby the privacy rights of the individual have to be subsumed for the protection of the larger interests of the State.
The Committee, therefore, feels that though the State has rightly been empowered to exempt itself from the application of this Act, this power may, however, be used only under exceptional circumstances and subject to conditions as laid out in the Act.
The exemption, however, should be given only with reasons to be recorded in writing, in accordance with such procedure as may be prescribed. Such procedure means prescribing just, fair, reasonable, and proportionate procedures. The exempted agency will have to put in place safeguards and follow an oversight mechanism.
Penalty not strict anymore
Clause 57 of the Bill seeks to list out penalties. For offences, and non-compliance with the Act, the data fiduciary faces a penalty which may extend to five crore rupees or two per cent of its total worldwide turnover of the preceding financial year, whichever is higher.
For some contraventions, the penalty may extend to fifteen crore rupees or four per cent of its turnover of the preceding year.
What Changed: The bill proposes a penalty for a contravention of either five crore rupees or two per cent of total worldwide turnover, whichever is higher. The Committee instead recommends “such penalty as may be prescribed”.
Reasoning: The Committee notes that “flexibility in the imposition of penalty is required as digital technology is rapidly evolving”. Further, the penalty needs to take into account start-ups and smaller data fiduciaries engaged in innovation and research activities.
Other Notable Recommendations
Processing of Children’s Data: The bill bars only guardian data fiduciaries from collecting personal data and conducting behavioural monitoring or targeted advertising of a child. The Committee recommends barring all data fiduciaries. Also, the bill exempted data fiduciaries providing counselling or child protection services from the prohibition, but now the DPA will frame rules in this regard.
Rights of the deceased: The bill was silent on data rights after death. The Committee recommends that a data principal will have the right to nominate a legal heir/representative, or exercise the right to be forgotten, or append the terms of the agreement.
Privacy by design: The Committee recommends that the DPA can grant exemptions from the privacy by design policy to data fiduciaries below a certain threshold.
Non-Personal Data Regulations
The Committee thinks that if privacy is the concern, non-personal data also has to be dealt with, since it is impossible to distinguish between personal data and non-personal data when data is collected in bulk. Also, all data has to be dealt with by one DPA to avert contradiction, confusion, and mismanagement. Any further legal framework on non-personal data may be made a part of the same enactment.
Time Frame to Respond to the Law
The Committee has recommended an approximate period of 24 months for the implementation of all the provisions of the Act. That way, data fiduciaries and data processors will have enough time to make the necessary changes to their policies, infrastructure, processes, etc. It also recommends phased implementation:
- the Chairperson and Members of the DPA are appointed within three months;
- the DPA commences its activities within six months from the date of notification of the Act;
- the registration of data fiduciaries should start not later than nine months and be completed within a set timeline; and
- adjudicators and the appellate tribunal commence their work not later than twelve months.
Social Media Regulation
The Committee recommends that social media platforms be treated like publishers. It says that all social media platforms that do not act as intermediaries should be treated as publishers and be held accountable for the content they host. It suggests:
- a mechanism in which social media platforms which do not act as intermediaries will be held responsible for the content from unverified accounts on their platforms;
- a verification process where, once an application for verification is submitted with the necessary documents, the social media intermediaries must mandatorily verify the account;
- no social media platform should be allowed to operate in India unless the parent company handling the technology sets up an office in India; and
- a statutory media regulatory authority, on the lines of the Press Council of India, may be set up for the regulation of the contents on all such media platforms irrespective of the platform where their content is published, whether online, print or otherwise.
Certification of Devices for Security
The Committee recommends that the government should make efforts to establish a mechanism for the formal certification process for all digital and IoT devices that will ensure the integrity of all such devices with respect to data security. It should also set up a dedicated lab/testing facility, with branches spread throughout India, that will provide certification of integrity and security of all digital devices.
The Committee recommends that the government must prepare and pronounce an extensive policy on data localisation. It should broadly encompass aspects like the development of adequate infrastructure for:
- the safe storage of data of Indians which may generate employment;
- introduction of alternative payment systems to cover higher operational costs; and
- inclusion of the system that can support local business entities and start-ups to comply with the data localisation.
The Committee also wants the revenue generated from data localisation to be used for welfare measures in the country, especially to help small businesses and start-ups comply with data localisation norms.