The joint committee on Personal Data Protection Bill, 2019, headed by BJP MP PP Chaudhary, tabled its report in both the houses of parliament on Thursday. The committee has made recommendations on widening the scope of data protection legislation by including non-personal data. Moreover, it has recommended devising a mechanism for social media platforms, which do not act as intermediaries. It has suggested such platforms should be treated as publishers and be held accountable for the content they host.
“A robust data protection law is critical to safeguard the privacy of Indian citizens while driving India’s success in the digital economy. While the JPC has retained much of what was positive with the 2019 Bill, and accepted many more recommendations from the industry, certain areas will require further deliberation – particularly the expansion of the scope to cover non-personal data,” Debjani Ghosh, president, NASSCOM, stated.
Among other recommendations, the government has been asked to make efforts to establish a mechanism for the formal certification process for all digital and IoT devices that will ensure the integrity of all such devices with respect to data security.
The committee has recommended a time period of 72 hours for reporting of data breach. It has also suggested that the word ‘guardian data fiduciary’ should be removed from Clause 16. “The Committee has felt it necessary that there should be rules or guidelines to be followed by data principal regarding consent when a child attains the age of majority i.e., 18 years,” Lok Sabha Secretariat said in a tweet.
It has also recommended the implementation of the provisions of the proposed bill in a phased manner during a period of 24 months to provide stakeholders with adequate time to make necessary changes to their policies, infrastructure, and processes.
“The Committee has recommended a phased approach to implement the provisions of the proposed bill. This gives both data fiduciaries and processors the time to lay out a strategy and execute it. The suggestions of the Committee are expansive as social media platforms are covered, and there are also recommendations to bring in regulations around IoT devices,” Gaurav Shukla, partner, Deloitte India, said.
It has also opined that all the data including non-personal data should be dealt with by one data protection authority. As per the committee, defining and restricting the new legislation only to personal data protection or to name it as ‘Personal Data Protection Bil’l is detrimental to privacy. “The Title of the Bill may be amended as ‘The (*) Data Protection Bill, 2021”’ and the Act may be called as ‘The Data Protection Act, 2021’,” the committee recommended as tweeted by Lok Sabha Secretariat.
According to NASSCOM’s Ghosh, the proposal in the report to have the bill apply to “non-personal data” and having a “single regulator” for both personal and non-personal data needs careful analysis and deeper debate. This is required as the imperatives for a policy on non-personal data are to enable data driven innovation and unlock economic value, Ghosh added.
“These imperatives arguably require a different regulatory approach than that needed for regulating personal data processing, where the focus is primarily on protecting privacy and preventing harms arising from the abuse of personal data. Given the enormity of these imperatives it is important to first operationalise the Bill’s original mandate well, that is, the processing and protection of personal data. The government has another committee specifically to examine non-personal data, and any legislative decision should ideally follow the policy discussions,” Ghosh noted.
Considerably, the committee has defined Sandbox and provided for incorporation of enabling provisions to exempt sandbox from rigours of the act. There should be flexibility in imposition of penalty as digital tech. is evolving, it advised. Startups and smaller data fiduciaries engaged in innovation and R&D need to be considered separately, as per the committee.
“Amongst the positives in the report are the highlighting of the imperatives to ensure the independence and accountability of government bodies and the Authority, to recommend the implementation of the law in a phased manner, and to suggest innovation-friendly measures, such as the inclusion of start-ups in the regulatory sandbox,” Ghosh added.