Data Protection Bill, 2021 & The Joint Parliamentary Committee Report: Key Changes

Introduction

Data protection laws deal with matters related to privacy, policies, and procedures, and they are imperative for protecting one’s privacy and regulating the collection, storage, and dissemination of data. Currently, there is no express legislation in India that lays down proper guidelines for data protection. The Information Technology Act, 2000, along with the Indian Contract Act, 1872, provides some basic protection; however, there is an imminent need for comprehensive legislation pertaining to data protection. Ever since the landmark judgment of Justice K.S. Puttaswamy v. Union of India (2017), which legitimized the Right to Privacy under the Constitution of India, the government has been under an obligation to pass a law governing data.

In the year 2019, a bill referred to as “The Personal Data Protection Bill, 2019” was introduced in the Rajya Sabha with the objective of unlocking the data economy and providing protection to personal data. However, the bill was not passed as there were many discrepancies with respect to its provisions, and hence it was referred to the Joint Parliamentary Committee (JPC), which was set up to review the bill. The JPC released its report on 16th December 2021 after reviewing the Bill, and it made certain suggestions that emphasized laying down stricter compliance requirements for companies and placing more obligations on government agencies. The report also amended the title of the Bill and renamed it “The Data Protection Bill, 2021”.

Some Key Changes Incorporated in the Draft Data Protection Bill, 2021

Inclusion of Non-Personal Data

One of the most important changes suggested by the JPC was to broaden the scope of the Bill to include not just personal data but all kinds of non-personal data, as per clause 3(28), which includes “data other than personal data”. The committee recommended this because, in its opinion, even non-personal data can affect privacy, as it is very difficult to distinguish between personal data and non-personal data. Moreover, if non-personal data is not covered under the data protection bill, then a separate bill will have to be passed in order to regulate non-personal data.

Privacy and Consent

Another change incorporated in the draft Bill concerns express consent and providing people with the option to choose whether they want to provide their personal data or not. As per the recommendation made by the JPC, if a person chooses not to share his/her personal data, they will be allowed to enjoy their right to do so. But, as all rights are subject to certain reasonable restrictions, attempts have been made to specify the circumstances under which non-consensual processing of personal data can be allowed. The earlier 2019 draft of the Bill provided that non-consensual usage can be allowed when “such processing is necessary”. However, the 2021 draft of the Bill fails to incorporate the procedural safeguards provided in the landmark judgment of Justice K.S. Puttaswamy v. Union of India (2017), which requires the presence of “proportionality” & “legitimate purpose”. The 2021 Draft Bill provides that non-consensual usage can be allowed whenever it “can be reasonably expected”, thereby failing to incorporate the procedural safeguards laid down in the aforementioned case.

Social Media Platforms

The Draft Bill, 2021 made certain changes with respect to “social media intermediaries”: the term has been amended to “social media platforms”, which is defined under clause 3(44) of the Draft Data Protection Bill, 2021 as any platform which works towards enabling online interaction between multiple users. This amendment has been undertaken in order to hold these platforms liable for any content that they host. However, including these social media companies within the ambit of “platforms” will still not provide a viable solution to the issue of data privacy. Classifying these social media platforms strictly as an “intermediary” or strictly as a “platform” will not be as effective, because a middle ground has to be found wherein, depending on the circumstances, these companies can be legally exempted or be held liable for the content posted by their users.

Breach of Data

The JPC report also discusses the issue of data breaches and the mechanisms for disclosing and reporting them. It lays down several regulations, which include providing a predefined time period of 72 hours for reporting the breach. Under this, companies will also have to provide proper justification explaining the reason behind any delay in reporting the breach. As per the 2019 Bill, the data fiduciaries only needed to inform the Data Protection Authority (DPA) in the event of any “harm” caused. This definition of “harm” has been amended in the latest draft to include psychological manipulation along with the loss of reputation or any kind of financial loss. This draft also proposes to make it mandatory to report all data breaches, irrespective of whether any harm has been caused.

Data Localisation

The JPC report emphasized the importance of data localization and opined that all sensitive data related to national security, personal data, economic activities, etc. should necessarily be stored within the national borders. The committee even recommended the steps that need to be undertaken for transferring all the sensitive data that has been stored offshore and bringing it back within the national borders. However, there have been certain incongruities with respect to the grounds on which this data can be transferred. The 2019 draft of the Bill provided that the transfer of sensitive data can be restricted if it is against public or state policy. But there is no information available as to what can be included within the definition of public and state policy, and this could lead to the arbitrary use of the powers that have been assigned to the DPA.

Appointment of Data Protection Officer

The JPC also amended the draft and made it mandatory for all prominent data fiduciaries to appoint a Data Protection Officer (DPO). The committee recommended that only a person who is in a key managerial position or in a senior position in the company can be appointed to perform the duties of a Data Protection Officer. This is done to ensure that the person who is being appointed as the DPO is well versed in the workings of the company.

Testing and certification of Hardware and Software

The Committee also took into consideration the implications of data breaches caused by the hardware and the software being used for data collection and storage. It opined that certain basic minimum criteria need to be set, and fulfilled, before approval is granted for the hardware or the software. The JPC recommended that the DPA should establish a framework for keeping a check and also ensure that regular testing is being done so that the data remains protected.

Conclusion

The Joint Parliamentary Committee has successfully incorporated many necessary changes in its report, which deal with several issues that were prevalent in the Personal Data Protection Bill, 2019. However, some of these changes have also led to certain criticisms which have been raised against the 2021 Draft Bill. These criticisms deal with the powers that have been assigned under the Bill, which could lead to the violation of certain fundamental rights of individuals.

Author: Siddharth Raj Choudhary, a student of School of Law (Bennett University) and an intern at Khurana & Khurana, Advocates and IP Attorney. In case of any queries, please contact/write back to us via email at vidushi@khuranaandkhurana.com.
