The much-awaited personal data protection bill is expected to be taken up for discussion during the winter session of Parliament that began November 29. A joint parliamentary committee adopted a 250-page final report on the bill on November 22 after nearly two years of deliberation.
Some provisions of the bill have come in for criticism. According to reports, seven of the 30 members, who were drawn from the ruling and opposition parties, had submitted dissenting notes. Experts and people who worked on the first version of the bill have some concerns too.
Former Supreme Court judge Justice BN Srikrishna, who headed the committee that proposed the first draft in 2018, called out the bill as Orwellian and said it was loaded in favour of the government.
Ameet Datta, Partner, Saikrishna & Associates, a legal firm, said the bill had strayed from its core focus, individual privacy, and had put the national interest at the centre.
The Supreme Court had in 2017 declared privacy a fundamental right and also directed the government to come up with the data protection regime.
With the bill, now likely to be called Data Protection Bill, 2021, expected to be tabled in the coming days, we look at its key aspects:
1 Exemption for the government
Section 35 of the bill exempts the government and its agencies from the purview of the proposed law. Section 12 makes a provision for the government to process non-personal data without consent and without parliamentary sanction. Both of them could lead to misuse, seven committee members said.
In his dissenting note, Congress leader Jairam Ramesh said, “Section 35 gives almost unbridled powers to the central government to exempt any government agency from the entire Act itself.”
2 Social media
The committee has recommended declaring social media intermediaries as publishers, which would make them responsible for the content published on their platform. According to the committee, this is because the “IT Act has not been able to keep pace with the changing nature of the social media ecosystem.”
“The committee, therefore, recommends that all social media platforms, which do not act as intermediaries, should be treated as publishers and be held accountable for the content they host,” the report read.
The committee has also recommended that social media platforms be allowed to operate in India only when the parent company has technology offices set up in the country.
3 Data protection authority
A data protection authority (DPA), which will be responsible for enforcing the rules for both personal and non-personal data, will consist of a chairperson and not more than six whole-time members appointed by the Union government. The first draft of the bill had recommended the DPA as an independent regulator.
4 Inclusion of non-personal data
When the bill was first proposed in 2018, the committee suggested a separate bill for non-personal data. The final draft report has conflated both personal and non-personal data. Non-personal data includes information collected by government agencies, not-for-profit organisations and the private sector. The information is usually stored in an anonymised format.
5 Data localisation
The bill mandates that companies store a mirror copy of sensitive and critical data in India in a time-bound manner and, over time, develop the infrastructure to facilitate data storage in India.
“The committee specifically recommends that the Central government, in consultation with all the sectoral regulators, must prepare and pronounce an extensive policy on data localisation encompassing broadly the aspects like development of adequate infrastructure for the safe storage of data of Indians which may generate employment,” the report said.
With the manufacturing spread out globally, the committee suggested that hardware should be regulated as well since hardware manufacturers were collecting data.
“The committee strongly recommends that the government should make efforts to establish a mechanism for the formal certification process for all digital and IoT (internet of things) devices that will ensure the integrity of all such devices with respect to data security,” the report read.
The committee has recommended that the government set up a dedicated lab or testing facility, with branches spread throughout India to provide certification of integrity and security of all digital devices.
7 Data-breach reporting
So far, there has been no protection for consumers in case of a data breach. This bill attempts to set that right by making it mandatory for companies to report the breach to the supervisory authority within 72 hours. “The overarching goal is to notify the affected users so that they can take adequate steps to protect their information,” the report said. This has been a key ask from the information security community, since data breaches are not made public in India, putting user data at risk.