Introduction
On December 16, 2021, the Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill of 2019 (2019 Bill) tabled its report (report) in Parliament. The Report is available here. It contains:
- In part I, a discussion with the heading “Data Protection and Privacy”, which contains certain “general recommendations"
- In part II, a clause-by-clause review of the 2019 Bill with the JPC’s comments and suggestions on its text.
- 14 appendices, including the relevant parliamentary motions (membership changed twice, 6 extensions sought), the stakeholders who tendered oral evidence (26 in total), the stakeholders from whom written submissions were received (234 in total), minutes of sittings of the JPC (78 sittings), and dissent notes (from 8 members).
- An Annexure, which contains a draft “Data Protection Act of 2021” that is a version of the 2019 Bill that incorporates the changes suggested by the JPC in Part II.
NASSCOM had submitted both written comments and had tendered oral evidence before the JPC on 26th August 2020.
In a recent blog post, we had provided an overview of media reportage around this report prior to its release. Much of what was reported has been confirmed by the text of the report, as shall become clear in this blog post, where we provide (1) an overview of the major general recommendations in Part I and (2) the major changes suggested to the Bill in Part II.
Part I – General Recommendations
The report begins with familiar narratives generally raised in data regulation discussions, including that data is the new oil, that data protection is a global concern; that data localization is a strategic necessity; that data breaches can have adverse psychological impacts; and that user-centric data protection frameworks are required. References are also made to flagship programs of the Government, such as AatmaNirbhar Bharat and Make in India.
While there is no one overarching framing of the JPC’s approach, it is clear that three perspectives have guided how it frames the concept of data protection: consumer privacy, national security, and data economy regulation.
Notably, the report also discusses, in part I, some areas of concern, where the discussions go beyond just the protection of data. Such areas include the regulation of social media platforms.
Part I then sets out 12 “general recommendations” that the JPC recommends be taken up “in due course”, distinguishing them from those made in part II on the 2019 Bill. One can assume that these recommendations may be, therefore, taken by the Government as and when it sees fit. These general recommendations are as follows:
- Legislative competence: That the Union Government has the exclusive legislative competence in relation to data protection in India. That the 2019 Bill, once in force, would override both private contracts and other general laws on the field of data protection. That its foundation stems from the right to privacy under Article 21 of the Constitution.
- Scope to cover non-personal data: That it would be detrimental to privacy to limit the scope of the Bill to just personal data (PD). As per the JPC, much of non-personal data (NPD) is derived from personal data that has been “anonymized or converted into non-re-identifiable data”, and it is often difficult to differentiate between PD and NPD. To avoid confusion and mismanagement, there should be a single law and a single data protection authority (Authority) to deal with all kinds of data at different levels of security. Any further policy or legal framework for non-personal data may be introduced via a separate regulation on non-personal data in the Data Protection Act to be regulated by the data protection authority.
- Transition period: That, in line with global best practice, a transition period of 2 years should be provided for the Act to be deemed effective, starting from the date of its notification. This period should be utilized as follows: within 3 months, the chairperson and members of the Authority should be appointed; within 6 months, the authority should commence activities; within 9 months, registration of data fiduciaries should start; within 12 months, adjudicators and appellate tribunal should commence their work. The Government should conduct consultations with stakeholders to determine how to set timelines for different phases and processes and should, in implementing each phase, keep the legitimate interests of businesses in mind, to prevent detracting from the objective of promoting ease of doing business.
- Data breaches: The application of the law should cover breaches of both personal and non-personal data. Further, the following guiding principles should be adhered to: (i) The Authority should ensure the privacy of data principles when posting details of personal data breaches; (ii) the burden to prove any delay in reporting a personal data breach should lie on the fiduciary, in cases where data principal suffer harm due to such delay. Further, that the data fiduciary is responsible for such harm caused by delay in reporting personal data breaches; (iii) data fiduciaries should maintain logs of all data breaches, to be reviewed periodically by the Authority, irrespective of the likelihood of harm to the data principal; (iv) the Authority should exercise its discretion to authorize temporary orders on non-disclosure of details of data breaches to afford a temporary reprieve to data fiduciaries, if such non-disclosure doesn’t compromise the interests of the data principal.
- Processing of personal data of children: Rules under the Act should provide for the following: (i) data fiduciaries exclusively dealing with children’s data should register themselves with the Authority (ii) the Majority Act should apply when a data principal, who is a child, turns 18, in relation to any contract with that child (iii) three months before such a data principal turns 18, the data fiduciary should inform that child for providing consent again on the date of turning 18 (iv) any services being provided to that child may continue, unless, on turning 18, they opt out or give fresh consent.
- Regulation of social media: A mechanism should be devised for the regulation of social media platforms (SMPs); to treat those social media platforms, which do not act as intermediaries, as publishers to be held accountable for the content they host and for the content from unverified accounts on their platforms. SMPs must mandatorily verify accounts once applications for verification are submitted with necessary documents. No SMP should be allowed to operate in India unless their parent company “handling the technology” sets up an office in India. A statutory media regulatory authority, along the lines of the Press Council of India, may be set up for the regulation of contents on all such media platforms, irrespective of the medium of publication.
- Rights of data principals: The Authority should frame regulations on data principal rights that can evolve in line with international best practices. Such regulations should ensure that data principals can exercise their rights in a simple manner whilst also ensuring that data fiduciaries can discharge their obligations in a way that is practically possible; and that the interests of the Government with regard to its obligations are accommodated.
- Alternative payments system: An indigenous alternative to the SWIFT payment system, such as Ripple (US) or INSTEX (EU), should be developed in India to ensure privacy and bolster the domestic economy.
- Innovation and startups: The Authority should keep in mind the interests of startups and encourage innovations and the Sandbox when framing regulations. In addition, to encourage more innovation, the Patent Act of 1970 may also be amended.
- Hardware manufacturers: It is necessary to regulate hardware manufacturers and related entities who are collecting data through digital devices. This involves establishing a mechanism for formally certifying all digital and IoT devices to ensure their integrity. In addition, emerging technologies should also be certified in a manner that ensures their compliance with the Act. To achieve these objectives, the Government should set up a dedicated lab or testing facility, with branches across India, to provide security certification services for all digital devices. These services should also be available to individuals to have their devices certified. Where devices do not meet specified security standards, the individuals should be able to approach the Authority to act against manufacturers.
- Data back to India: The Central Government should take steps to ensure that a mirror copy of all SPD and CPD already in the possession of foreign entities be mandatorily brought to India in a time-bound manner.
- Data localization: India must move towards data localization gradually; to this end, the Central Government should, in consultation with all sectoral regulators, pronounce an extensive data localization policy. Revenue generated from data localization should be used for welfare and for promoting innovation. Govt. surveillance on data stored in India must be strictly based on necessity as laid down in the law.
Part II – Clause-by-clause review
In Part II, the JPC provides an additional 81 recommendations that make specific modifications to the text of the 2019 Bill.
We provide an overview of the major changes to the legislative text of the Bill below. Please note that this is not an exhaustive list of changes.
Preamble and Long Title
- The title of the Bill has been changed to the “The Data Protection Act of 2021”.
- The word “personal” has been deleted throughout the long title.
- The word “digital” has been added before the phrase “privacy of individuals” in the long title.
- The phrases “(...) ensure the interest and security of the State” and “(…) fosters sustainable growth of digital products and services” has also been added to the long title.
Scope and Application:
- The scope has been expanded to include “processing of non-personal data including anonymized personal data” (clause 2)
- Non-personal data has been defined as “data other than personal data” (clause 3(28))
Data breaches (clauses 3, 25):
- A new definition of a “data breach”, covering breaches of both PD and NPD, has been added
- A new definition of “non-personal data breach” has been added
- Every personal data breach must be reported to the Authority by every data fiduciary
- The breach notice should also specify the remedial actions being taken for such breach
- A new rule-making power is introduced for the Central Government to prescribe rules on how the Authority will handle non-personal data breaches
Harm (clause 3(20)):
- The definition of “harm” is widened to include “psychological manipulations that impair the autonomy of the individual”
- A new rule-making power is introduced for the Central Government to prescribe additional types of harms in the future
Processing grounds and principles
- The principle for processing purposes to be “specific, clear and lawful” has been removed (clause 4)
- The State has been given the scope to process PD without any consent for any purpose (clause 12)
- A new rule-making power has been introduced for the Central Government to prescribe requirements on how data fiduciaries may share or transfer data to any person as part of any business transaction (clause 8(4))
Processing of data of children (clause 16):
- The concept of a guardian data fiduciary has been removed
- All data fiduciaries shall process PD of a child in a manner that protects their rights
Rights of data principals:
- Data principals are afforded new rights to determine how their data must be dealt with in case of their casualty or death (clause 17)
- The ground of trade secrets to deny data portability requests has been removed, while the ground of technical feasibility to deny data portability requests can only be determined in accordance with regulations specified by the Authority (clause 19)
- The right to be forgotten has been expanded to cover both the disclosure and processing of personal data (clause 20)
Algorithmic transparency (clause 23)
- Data fiduciaries should be required to publish information on the fairness of algorithm or method used for processing of personal data “where applicable” (clause 23)
Designation of significant data fiduciaries (clause 26):
- Two new factors have been introduced for the Authority to categorize data fiduciaries as significant, including (i) whether they process data relating to children or to provide them with services (ii) whether they are a social media platform with users above a certain threshold prescribed by the Central Government and whose actions might have a significant impact on the sovereignty and integrity of the nation
- A significant data fiduciary shall be regulated by the relevant sectoral regulator subject to the memorandum of understanding entered by the Authority with that regulator
Account verification by social media platforms (clause 28(4)):
- Users who voluntarily verify themselves on social media shall be provided with a verification mark that is visible to all other users on the platform (clause 28(4))
Data protection officer (clause 30):
- A DPO shall be a senior level officer of the State or key managerial personnel (such as a chief executive officer, company secretary or chief financial officer)
- A DPO shall have certain additional functions, including assisting the Authority; advising on data protection impact assessments; maintaining the inventory of records; and acting as the point of contact with the data principal
International data transfers (clause 34):
- Before approving any inter-group scheme or contract for transferring sensitive personal data outside India, the Authority shall consult with the Central Government
- Any such scheme or contract may not be approved if the object of such transfer is against public policy or State policy, which is defined as any act that “promotes the breach of any law or is not in consonance with any public policy or State policy or has a tendency to harm the interest of the State or its citizens”
Exemption for state agencies (clause 35):
- The exemption has been made to apply over and above any other law
- Any state agency exempted by the Central Government from the application of the Bill is now required to follow a “just, fair, reasonable, and proportionate procedure” that will be provided for in rules by the Central Government
Sandbox (clause 40):
- Startups whose privacy by design policy is certified by the Authority shall be eligible to apply for inclusion in the sandbox
- A sandbox has been defined as “live testing of new products or services in a controlled or test regulatory environment for which the Authority may or may not permit certain regulatory relaxations for a specified period of time for the limited purpose of testing”
Composition of Authority (clause 42):
- One of the members of the Authority must be an expert in area of law.
- There are four new additions in the selection committee – the Attorney General of India, an independent expert in data protection, information technology etc., director of an IIM, and director of an IIT.
Security certification (clause 49):
- The Authority has been provided with a new function to conduct “monitoring, testing and certification” by appropriate agencies authorized by the Central Government “to ensure integrity and trustworthiness of hardware and software on computing devices to prevent any malicious insertion that may cause data breach”.
Composition of Tribunal (clause 67):
- The Appellate Tribunal shall consist of a chairperson and no more than six members to be appointed by the Central Government
Policies for the digital economy (clause 92):
- It is now clarified that nothing in the Act shall prevent the Central Government from framing any policy for the digital economy, including measures for “handling of non-personal data including anonymized personal data”.
For any questions or comments on the report, please reach out to Varun (varun@nasscom.in) or Apurva (apurva@nasscom.in).
