The Personal Data Protection Bill

Data Privacy related issues

Context:

The author talks about the Joint Committee on the Personal Data Protection Bill’s report.

Editorial Insights:

After rigorous sittings & deliberations, the Joint Committee of Parliament on the Personal Data Protection Bill recently tabled its report in both houses.

About JCP on Personal Data:

The JCP, which was formed in December 2019 to deliberate on issues surrounding personal data protection, expanded its mandate to include discussions on non-personal data, thereby changing the mandate of the Bill from personal data protection to broader data protection.

In all, the committee has made 99 recommendations, of which 12 are in connection with the provisions made in the Bill, and the rest are in the form of modifications.

The Recommendations:

Inclusion of Non-Personal Data: The key recommendation that changes the nature of the Bill itself is for the inclusion of non-personal data within the larger umbrella.

Because committee believed that it was impossible to distinguish between personal data and non-personal data when mass data is collected or transported”.

This means that all issues under the new legislation will be dealt with by a single Data Protection Authority (DPA) instead of separate ones for personal and non-personal.

Transition Period: As technology has become an inseparable part of everyone’s life.

To ensure that all such data aggregators get ample time to comply with the rules under the new Bill, the JCP suggested that up to 24 months be given from the date of notification of the Act.

All data fiduciaries that deal exclusively with children’s data have to register themselves with the DPA.

Social Media Liability: Another major recommendation is that social media platforms that do not act as intermediaries should be treated as publishers, and therefore be held liable for the content they host.

In other words, this would strip these companies of protections they are accorded under Section 79 of the Information Technology Act.

Penalty: The committee has recommended a fine of up to Rs 15 crore or 4% of the total global turnover of the firm for data breaches, and a jail term of up to 3 years if de-identified data is re-identified.

Timely-Alert: In case of any data breach, the data aggregator or fiduciary must notify the DPA within 72 hours of becoming aware of it.

The DPA shall then decide the quantum of the severity of the data breach and accordingly ask the company to report it and take appropriate remedial measures.

Factors took into consideration by JCP:

With the growth of the Internet, consumers have been generating a lot of data, Companies began to store a lot of these datasets without taking the users’ consent and did not take responsibility when the data leaked.

The committee stressed a need to set up new processes to unify such data present across spectrums and organizations such as public and private sector companies, research organizations, and academic institutions.

Among the major concerns that the JCP recommendations sought to address are :

The rapid commercial use of personal data has resulted in undermining the end-user trust and confidence.

Concerns and tensions about the misuse of sensitive and critical personal data are rising exponentially,

To deal with such situations, it was important to build a legal, cultural, technological, and economic infrastructure for a secure and user-friendly data ecosystem.

Apart from the obvious economic and privacy concerns, the JCP report also discusses the impact on mental health and emotional well-being that a user experiences due to a data breach.

It cites findings that among such individuals, as much as 86% felt worried, angry, and frustrated, while 85% experienced disturbed sleeping habits.

The Extra-Mile:

Though the JCP report reaffirms the core components of the Bill & fine-tunes many aspects. But it has also used the Bill to paint a broader canvas of data regulation for India.

Some of these proposals need greater deliberations:

• The JPC has provided a rationale for regulation more firmly grounded in sovereign interests than has been articulated yet.
• For example, In the issue of data localization, JPC states that all contracts enabling businesses to take sensitive personal data out of India’s borders will now need the approval of the central government in addition to the data protection regulator (DPA)
• The report also proposes requirements that limit the sharing of data processed outside with a third country without prior government approval.
• The JPC has doubled down on the rationale of data localization as an instrument for developing local innovation & also used the discussion on security considerations advanced for localization to argue for the need to develop local financial systems that reduce dependency on existing mechanisms.
• The report increases the scope of regulation of the Bill whereby it proposes the need to end the exemptions that social media platforms enjoy from liability based on their status as intermediaries under existing law.
• Its proposal to regulate social media platforms as significant data fiduciaries under the Bill will not make such companies liable for content by themselves.
• However, the related discussion argues that these businesses can no longer be treated as intermediaries but as platforms instead.
• This proposal would herald a significant exercise of sovereign regulatory power over businesses that some argue are the last bastions of free speech.

On many other aspects of the Bill, the JPC has adopted a workman-like approach:

• It proposed to exempt small businesses from certain parts of the Bill have been modified.
• While the earlier provision sought to exempt manual processing, the report proposes a more sensible idea of exempting non-automated processing.
• This narrows down the focus of the Bill to data-processing activities that originally motivated the need for data protection.
• The Bill narrows down the scope for employers accessing employee personal data, proposes a simpler mechanism to safeguard children’s data, and provides a timeline of implementation for different parts of the Bill.
• The most significant aspect of this implementation exercise will, of course, be the creation of the Data Protection Authority the over-arching regulator proposed to oversee data protection.

Concerns:

The Bill presented in Parliament gives the central government the power to exempt its agencies from the ambit of the data protection regulation.

The report proposes that any procedure followed by such agencies will have to be a just, fair, reasonable, and proportionate procedure.

While this encapsulates the checks laid down by the Supreme Court in its judgment on the right to privacy, it leaves it to the executive to figure out what just, fair, reasonable, and proportionate ought to mean.

The report takes a similar approach to the provision that enables the central government to require businesses to hand over non-personal data to it.

Way-Ahead:

Though the concern of the state invading the domain of privacy is visible, the need for Data protection against exploitation & breach is also necessary.

Therefore the need of the hour is the state's accountability in data protection to rebuild public confidence & trust in the process.