Joint Parliament Committee tables report on the Personal Data Protection Bill

The Joint Parliament Committee (“Committee”) on the Personal Data Protection Bill, 2019 (“Bill”) has tabled its report in the Parliament. The report contains general recommendations and a review of the 2019 Bill vis-à-vis the comments/suggestions of the Committee. The Annexure to the report contains a draft ‘Data Protection Act 2021’ which incorporates the changes suggested by the Committee.

 

Key observations / recommendations:

 

  • The Committee has changed the name of the draft law from the ‘Personal Data Protection Bill, 2019’ to the ‘Data Protection Bill, 2021’. This is being done as it is impossible to distinguish between personal data and non-personal data when mass data is collected or transported. In the Committee’s view, all the data has to be dealt with by one Data Protection Authority (“DPA”). As the Bill provides for the establishment of one Data Protection Authority, there cannot be two DPAs, one dealing with privacy and personal data and the other dealing with non-personal data;

 

  • On the issue of ‘Data Breaches’, the Committee has recommended including a 72-hour reporting period for data breaches. Further, a new definition of ‘data breach’ is included in the Data Protection Bill 2021, while the definition of ‘harm’ now includes “psychological manipulations that impair the autonomy of the individual”;

 

  • With respect to processing of personal data when the child attains the age of majority, the Committee felt it is necessary that there should be rules or guidelines to be followed by the data principal regarding consent when the child attains the age of majority i.e. 18 years. The Committee has recommended the following provisions be incorporated –

 

  1. Data fiduciaries dealing exclusively with children’s data must register themselves with the Data Protection Authority;
  2. With respect to any contract that may exist between a data fiduciary or data processor and a data principal who is a child, the provisions of the Majority Act may apply when he/she attains the age of 18 years;
  3. Three months before a child attains the age of majority, the data fiduciary should inform the child about providing consent again on the date of attaining the age of majority;
  4. Whatever services the person was getting will continue unless and until the person is either opting out of that or giving a fresh consent so that there is no discontinuity in the services being offered.

 

  • The Committee has further recommended that all social media platforms which do not act as intermediaries should be treated as publishers and be held accountable for the content they host. A mechanism may be devised in which social media platforms which do not act as intermediaries will be held responsible for the content from unverified accounts on their platforms. It is also recommended that no social media platform should be allowed to operate in India unless the parent company handling the technology sets up an office in India;

 

  • The Committee is of the view that an alternative to the SWIFT payment system may be developed in India, which will not only ensure privacy but will also boost the domestic economy. The Committee has, therefore, strongly recommended that an alternative indigenous financial system should be developed on the lines of similar systems elsewhere, such as Ripple (USA), INSTEX (EU), etc., which would not only ensure privacy but also give a boost to the digital economy;

 

  • The Committee further noted that the current Bill has no provision to keep a check on hardware manufacturers that collect the data through digital devices. In light of this, the Committee has strongly recommended that the Government should make efforts to establish a mechanism for the formal certification process for all digital and IoT devices that will ensure the integrity of all such devices with respect to data security. Further, the Government should set up a dedicated lab/testing facility, with branches spread throughout India, that will provide certification of integrity and security of all digital devices;

 

  • It is observed that the employer cannot be given complete freedom to process the personal data of an employee without his or her consent for the sake of employment purposes. The employer collects all the data of its employees, and there is a trust relationship between them which should be respected. Therefore, there should be equilibrium in the processing of an employee’s data by the employer and in the employer’s use/misuse of that data. The employee must also be given the opportunity to ensure that his or her personal data is not being processed for unreasonable purposes. Therefore, the Committee has recommended that the processing may happen if such processing is necessary or can reasonably be expected by the data principal.

 

  • Clause 9 (1) of the Bill specifically mentions that a data fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it is processed and shall delete the personal data at the end of processing. It is noted that such a provision is restrictive and may be a big hurdle in the functioning of agencies which process the collected data multiple times for various welfare purposes. The Committee has, therefore, desired that in Clause 9 (1) the words ‘the processing’ should be deleted and replaced with ‘such period’. Clause 9 (1) may be read as under:

 

“9.(1) The data fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it is processed and shall delete the personal data at the end of (***) such period.”

 

  • As per the report, the creation of a separate class of guardian data fiduciary on behalf of a child needs to be removed. Firstly, the term ‘guardian data fiduciary’ needs to be defined, which may be done in the form of an Explanation, and secondly, the consent from the guardian is more important and sufficient to meet the end for which personal data of children are processed by a data fiduciary. In the Committee’s view, the mention of guardian fiduciary will be altogether a new class of data fiduciary and there will be no advantage in creating such a separate class of data fiduciary. Moreover, the concept of guardian data fiduciary may lead to circumvention and dilution of the law too.

 

  • In reference to the Data Protection Officer of international companies, the Committee has desired that, since a Data Protection Officer plays a vital role under the provisions of this Bill, he or she should hold a key position in the management of the Company or other entities and must have adequate technical knowledge in the field. The Committee further provided clarity on the expression ‘key managerial professionals’ as follows –

 

  1. the Chief Executive Officer or the Managing Director or the Manager;
  2. the Company Secretary;
  3. the whole-time Director;
  4. the Chief Financial Officer;
  5. such other personnel as may be prescribed.

 

  • In order to devise a single window system to deal with complaints, penalties and compensation, the Committee has inserted a new clause under ‘Chapter X-Penalties and Compensation’. The new clause confers on the data principal the right to file a complaint to the Authority within such period and in such manner as may be specified by regulations. It also says that the Authority shall forward the complaint or application filed by the data principal to the Adjudicating Officer for adjudging such complaint or application.

 

  • The composition of the Selection Committee for Appointment of the Chairperson and Members of the DPA has been made robust, inclusive and independent by the recommendations of the Committee.

 

  • The Committee has noted that flexibility in the imposition of penalties is required, as digital technology is rapidly evolving and the quantum of penalty to be imposed would need to be decided taking these factors into account. Startups and smaller data fiduciaries engaged in innovation and research and development activities, etc. may also need to be considered separately. Hence, the quantum of penalties has been tweaked.

 

A copy of the report is attached herewith for ease of reference.

 

Source: Lok Sabha

https://lexplosion.in/

Lexplosion Solutions Private Limited is a pioneering Indian Legal-Tech company that provides legal risk and compliance management solutions through cloud-based software and expert services.

