The JPC regarding the Personal Data Protection Bill 2019, was headed by Meenakshi Lekhi, a BJP Member of Parliament and submitted its Report on 16 Dec 2021. This article summarises some of the key takeaways from the Report.
1. SCOPE OF APPLICATION WIDENED
- The title, long title and the objects and reasons of the Bill stand changed to widen the scope to include personal as well as non-personal data.
- The new proposed taxonomy is “Data Protection Bill, 2021”.
- Personal Data to include “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.”
- Non Personal Data defined as anything which falls outside the purview of Personal Data as defined above.
2. PROPOSED STAGGERED IMPLEMENTATION
- The Committee proposes a 24 months’ time period for phased implementation of the Bill.
- This is to serve two purposes:-
- To allow Companies to re-formulate policies etc for implementation of their obligations.
- To enable Data Protection Authority to begin its functions and alleviate concerns alongside providing help and guidance to stakeholders.
3. DATA LOCALISATION
- Clause 33 and 34 of Data Protection Bill, 2021 outline Data Localisation.
- Clause 33: Outlines conditional prohibition on cross border transfer of sensitive personal data and absolute prohibition on transfer in case of critical personal data
- Clause 34: Outlines conditions to be satisfied for the transfer of data such as:
- The data fiduciary to seek explicit consent from data principle.
- In case of Intra Group Scheme the same to be approved by Data Protection Authority with consultation of Central Government.
- The same should not be against public policy or state policy.
4. TRANSFER OF SENSITIVE DATA
- Clause 19: Outlines two exceptions to Principal’s Right to Portability which are Trade Secret and Technical Feasibility
- The Committee recommends removal of the above instead suggests that technical feasibility is to be determined by Data Protection Authority.
- The Committee further recommends that Right to be Forgotten to include processing of data as well and not just disclosure.
- Transfer of Personal and Critical Data post prior approval of Central Government and must not be contrary to Public or State Policy.
- Public Policy is also defined under Recommendation 52 & 53 asany contract or intra-group scheme approved by the Authority in consultation with the Central Government, and such contract or scheme must protect the interests of the State or its citizens.
5. FOR SOCIAL MEDIA INTERMEDIARIES
- Recommends treating Social Media Intermediaries as Publishers.
- Further recommends a definition for Social Media Intermediary as “platform which primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services.”
- Recommendation inconsistent with Shreya Singhal’s Judgement. The proposed recommendation to construe social media intermediaries or platforms as publishers is essentially asking for accountability and transparency in their actions. The recommendation takes away the protection of ‘safe harbour’ as provided by the IT Act to intermediaries. This can lead to the intermediaries to self-censor thereby disproportionately impacting their right to freedom of speech and expression under Article 19(1)(a) of the Indian Constitution, which is the very essence of the Shreya Singhal Judgement.
- Further recommends mandatory verification of social media accounts.
- Lastly recommends a regulatory body for online and print media.
6. ON DATA PROTECTION OF CHILDREN
- Recommends that on attainment of majority i.e. 18 years of age, fresh consent to be taken from Children. The same to be done 3 months prior to turning 18.
- Fiduciary dealing with data of children to be registered with Data Protection Agency.
- Recommends deletion of Guardian Data Fiduciary Clause.