This week witnessed yet another roadblock towards a comprehensive data protection framework for India, as the Data Protection Bill, 2021 (‘Bill’), as reported by the Joint Committee of the Parliament (‘JCP’), was withdrawn in the Parliament[1], amidst reports that a comprehensive legal framework is being worked upon, considering the recommendations of the JCP. It seems that a new bill that fits into the comprehensive framework would be introduced[2], ostensibly, in the next Winter Session of the Parliament.
What were the JCP recommendations?
At the outset, it may be pertinent to track the development of the forthcoming personal data framework. The first draft of the Personal Data Protection Bill, 2018 (‘2018 Bill’) was proposed by the Committee of Experts headed by Justice Srikrishna[3], in the form of a principles-centered framework for personal data processing. Subsequently, MEITY revised the same and introduced the Personal Data Protection Bill, 2019[4] (‘2019 Bill’) in the Parliament which was referred to the JCP. The JCP presented its report[5] (‘Report’) and proposed the 2021 version i.e. the Bill and other substantive recommendations in its Report.
The JCP proposed more than 80 amendments to the 2019 Bill, however, some of the key proposals include:
Expanding ambit to Non-Personal Data: The JCP recommended extending the ambit of the Bill to processing of non-personal data, including anonymized data. This was subsequent to the Report of the Committee of Experts on Non-Personal Data Governance[6] (‘Non-Personal Data Committee Report’) thereby creating an uncertainty in approach to regulating non-personal data. This also invited certain additional obligations such as reporting of non-personal data breaches[7] (apart from personal data breach) and extending silent legitimacy to the Government’s ability to solicit non-personal data[8].
Regulation of social media intermediaries: The Bill proposed categorization of certain social media platforms crossing threshold limits and other subjective criteria (such as impact on public order and electoral democracy) as significant data fiduciaries[9]. In addition to the same, the JCP recommended treating social media platforms which do not ‘act as intermediaries’ i.e. which take an active role in dissemination of content, to be considered as publishers[10] of content available on their platform. This caused ambiguity especially owing to the presence of existing robust guidelines for governing internet intermediaries[11].
Localization and cross-border transfers: The JCP proposed tighter regulation of cross-border transfers of personal data, as approvals were proposed to be given to intra-group schemes, contracts on the touchstone of public or State policy[12], in addition to other criteria. These may have the effect of creating further subjectivity in approvals and giving higher discretion to the DPA or Government in approvals of such schemes or contracts. Apart from the above, the Bill also proposed restrictions on disclosure of sensitive personal data to foreign agencies without express permission of the Central Government[13].
Certification of hardware or equipment: The Bill proposed a framework for monitoring, testing and certification of hardware equipment by an agency authorized by the Central Government[14], in order to provide for a framework to regulate hardware manufacturers collecting data with software for all digital and IOT devices to ensure integrity and data security. Given that this does not fit in the context of a typical data protection legislation, this may not be best suited to be covered under the ambit of the Bill.
In addition to the key changes above, the JCP also proposed certain other changes to the Bill, which relate to the structure of the Data Protection Authority (‘DPA’), data processing in business transactions and data principal rights:
- Proposing regulation of personal data shared or transferred as part of business transaction in accordance with the manner prescribed by the DPA;
- Provision of additional data principal rights to nominate legal heirs or representatives, exercise right to be forgotten, append the terms of agreement with data fiduciary and lodge complaints with the DPA or adjudicating officer;
- Disclosures of algorithms or methods used for processing personal data, and their fairness in processing such data;
- Specification of qualifications of a Data Protection Officer as a key managerial personnel and detailing functions;
- Changes in composition of selection committee for appointment of chairperson and members of the DPA;
- Prosecution of offences by companies and departments of the Government.
What lies ahead?
The Bill is slated to undergo certain changes in line with policy prerogatives of the Ministry in regulating personal and non-personal data, although it is widely reported that there are unlikely to be further consultations on the Bill[15].
It may be reasonable to assess that the JCP recommendations and the Bill (as amended by the JCP) extend well beyond the contours of a data protection legislation by regulating non-personal data, empowering specification of hardware standards and other aspects typically regulated under a broader information technology law. Consequently, it may be possible that a comprehensive framework in the form of the proposed ‘Digital India Act’[16] could be introduced replacing the existing information technology law[17] covering the same, which may or may not include aspects on data protection. Alternatively, there are rife reports[18] that the Data Protection Bill may exclude non-personal data from its ambit, a suggestion which was also echoed in the Non-Personal Data Committee Report.
In any event, the Data Protection Bill has already witnessed inordinate delay in consultations, review by the JCP and in finalization. The expansion of digital markets, exponential rise in internet penetration and advent of 5G have made out a highly persuasive case for the need of a robust data protection framework to govern personal data processing by State and private entities and secure privacy of citizens. This is also parallelly witnessed in neighboring jurisdictions like Sri Lanka which has enacted its privacy law[19], and other countries in South Asia, pacing ahead for comprehensive data protection laws.
[The authors are Senior Associate and Partner, respectively, in Data Protection practice at Lakshmikumaran & Sridharan Attorneys, New Delhi]
[1] Bulletin No. 1, Lok Sabha, dated August 3, 2022, available at http://164.100.47.193/bull1/17/IX/03082022.pdf
[2] Withdrawal of Data Protection Bill: Reasons for Withdrawal, available at https://www.medianama.com/wp-content/uploads/2022/08/WhatsApp-Image-2022-08-03-at-4.59.32-PM.jpeg
[3] A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians, available at https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf
[4] Personal Data Protection Bill, 2019, available at http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf
[5] Report of the Joint Committee on Personal Data Protection Bill, 2019, available at http://164.100.47.193/lsscommittee/Joint%20Committee%20on%20the%20Personal%20Data%20Protection%20Bill,%202019/17_Joint_Committee_on_the_Personal_Data_Protection_Bill_2019_1.pdf
[6] Report by the Committee of Experts on Non-Personal Data Governance Framework, available at https://static.mygov.in/rest/s3fs-public/mygov_160922880751553221.pdf
[7] Section 25(6), Data Protection Bill, 2021
[8] Section 92(2), Data Protection Bill, 2021
[9] Section 26(1)(f), Data Protection Bill, 2021
[10] Para 1.15.12.7, Report of the Joint Committee on Personal Data Protection Bill, 2019
[11] Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
[12] Section 34(1)(a), Data Protection Bill, 2021
[13] Section 34(1)(b)(iii), Data Protection Bill, 2021
[14] Section 49(2)(o), Data Protection Bill, 2021
[15] Data protection Bill under scrutiny; no more consultation, available at https://www.financialexpress.com/industry/technology/data-protection-bill-under-scrutiny-no-more-consultation-rajeev-chandrasekhar/2602042/
[16] Govt to roll out new Digital India Act shortly, available at https://economictimes.indiatimes.com/tech/technology/govt-to-roll-out-new-digital-india-act-shortly-says-rajeev-chandrasekhar/articleshow/90747851.cms
[17] The Information Technology Act, 2000
[18] Non-Personal Data May be Removed from Personal Data Protection Bill: Report, available at https://www.news18.com/news/tech/non-personal-data-may-be-removed-from-personal-data-protection-bill-report-5412895.html
[19] Sri Lanka Becomes the First South Asian Country To Pass Comprehensive Privacy Legislation, available at https://www.wilmerhale.com/en/insights/blogs/wilmerhale-privacy-and-cybersecurity-law/20220330-sri-lanka-becomes-the-first-south-asian-country-to-pass-comprehensive-privacy-legislation