The joint parliamentary committee's (JPC) report on the Data Protection Bill 2019 was tabled in both houses of the Indian Parliament earlier today. The report offers 93 recommendations based on a clause-by-clause analysis of the 2019 version of the bill. That bill was introduced in the Parliament in December 2019 and was referred to the JPC for further deliberation.
In its recommendations, the JPC suggested that the data protection law should deal with both personal and non-personal data and should be implemented in a phased manner. The committee also made recommendations on the regulation of social media companies, recommended setting up a blockchain-based homegrown cross-border payment system, bringing mirror copies of sensitive data to India, and limiting employers' access to their workers’ personal data.
Gaurav Shukla, Partner, Deloitte India, said the suggestions of the Committee are expansive as social media platforms are covered, and there are also recommendations to bring in regulations around IoT devices. Shukla also felt that the recommendation to implement the provisions of the proposed bill in a phased manner will give both data fiduciaries and processors the time to lay out a strategy and execute it.
"The detailed Report is indicative of the significant effort the Committee has put in to conclude and finalize its findings and recommendations," said Kirti Mahapatra, Partner at Shardul Amarchand Mangaldas & Co. "We will also look forward to the modifications the Government may make to the Bill based on the recommendations in the Report," Mahapatra added.
Here are some of the key recommendations made by the JPC.
Bringing non-personal data under the law
The JPC said that leaving non-personal data out of the ambit of the new law and calling the bill only the Personal Data Protection Bill is "detrimental to privacy". The JPC held that when data is collected at a large scale, it is impossible to distinguish between personal data and non-personal data. Hence, non-personal data should be addressed under the same bill.
The JPC observed that the Bill does not suggest any timeline for implementation. According to its recommendations, once the bill becomes law its provisions should be implemented in a phased manner within a time frame of 24 months, so that data fiduciaries and data processors have enough time to comply with the new rules.
Handling data breach
The JPC also believes that the bill in its current form does not have guiding principles for handling and reporting data breaches. It recommends that the data protection authority (DPA) should ensure user privacy when publishing details of a data breach. The DPA should also ensure that data fiduciaries keep a log of all breaches for periodic review by the DPA, the committee added.
Treating social media as publishers
The JPC also stressed the urgent need to regulate social media platforms as many of them may be working as publishers. They suggest that all social media platforms that do not act as intermediaries should be treated as publishers and held accountable for the content hosted on their platform. They also suggest setting up a media regulatory body on the lines of the Press Council of India to regulate social media platforms.
Building an alternative financial system
The JPC lamented the financial sector’s dependence on global payment networks such as SWIFT, which it says have compromised user privacy. It stressed the need to create an alternative payment system on the lines of Ripple to cater to the growing number of Indian users making cross-border payments. Ripple is a blockchain-based digital payment network.
Mechanism to certify IoT devices
The JPC also stated that the existing bill has no provision to regulate hardware companies that collect data through their devices. To regulate hardware manufacturers, they suggest the creation of a mechanism to certify all digital and Internet of Things (IoT) devices.
Limiting data processing by the employer
The JPC also notes that employers should not be allowed to process the personal data of their workers without seeking their consent. Workers should be able to verify that the data their employers hold is not being processed for “unreasonable purposes”.
Flexibility in penalty provisions
The JPC also feels that the penalty for a data breach should be flexible, depending on the size of the company and the nature of the breach. For instance, if a company fails to conduct a security audit, the penalty can be lower, but if a company is caught transferring personal data outside India, the penalty can be higher.