India: Summary Of The JPC Report On Data Protection

On 16 December 2021, the Joint Committee on the Personal Data Protection Bill 2019¹ ('JPC' or 'Committee') tabled its report in the Parliament ('Report'). The Report captures the JPC's recommendations on changes that should be made to the Personal Data Protection Bill, 2019 ('2019 Bill'), along with general recommendations related to privacy and data protection. In this blog, we cover the Committee's major recommendations, along with the likely next steps on the introduction of the revised Bill in Parliament ('upcoming Bill').

A. General recommendations: The JPC draws out two sets of recommendations: (i) specific changes to the text of the law which should be reflected in the upcoming Bill,² and (ii) general recommendations which the government may implement in due course.³ Here are the general recommendations (of note):

1. Data for economic growth and regulation of non-personal data: The Report focuses on the economic value of data, as it identifies data as an 'asset of national importance'⁴ and stresses on the need to 'unify data sets'⁵ to fuel innovation. In line with this theme, the Committee recommends expanding the bill's scope to include non-personal data.⁶ Notably, it recommends that a separate regulation for non-personal data should be issued under the Bill. This is a departure from previous versions which were confined to personal data protection and fundamentally alters the privacy-focused nature of the original bill.

2. Data localisation: The Committee believes that storing data on Indian shores is important for national security, privacy, economic, geopolitical, and innovation purposes.⁷ Accordingly, it suggests that the government should bring back mirror copies of all sensitive and critical personal data already stored abroad. It suggests that all entities operating in India should 'gradually' move towards localisation of all data.⁸ The Committee urges the government to prepare a comprehensive data localisation policy, which looks at issues around developing adequate infrastructure for such local storage, helping startups comply with localisation requirements, while keeping in mind the 'ease of doing business' objectives of the government.⁹

3. Testing of hardware and software products: Noting the privacy implications of data collection by hardware devices, the Committee suggests that the government should introduce a certification process for all digital and IoT devices, and testing facilities should be set up all over India to give such certifications. These facilities/laboratories should also have the ability to test an individual's device and detect if it meets data security standards, failing which they may notify the Data Protection Authority (DPA) to take action against the manufacturer.¹⁰

4. Data breaches: The JPC recommends that the DPA should follow a set of guiding principles while framing rules and regulations concerning data breaches. These include ensuring privacy of the data principal when reporting breaches, requiring companies to justify reasons for delay in reporting the breach, and requiring companies to maintain a log of data breaches for periodic review by the DPA.¹¹

5. Social media: The Committee opines that social media platforms should be subject to greater accountability. It points to various fake accounts and bots on social media, which spread fake news and run malicious campaigns. It recommends verification of accounts through ID verification of every user. It also believes that the intermediary framework under the Information Technology Act, 2000 (IT Act) has failed, and thus recommends that these companies should be treated as 'publishers' in certain contexts, especially in relation to problematic content from unverified accounts. It also recommends that all foreign social media companies must set up an Indian office, or be barred from offering their services in India.¹²

6. Indigenous alternative to SWIFT: The JPC recommends that an alternative to the 'SWIFT' payment system may be developed in India. According to the JPC, this will ensure better protection of financial data and boost the domestic economy.

B. Specific recommendations: Here are the Committee's key recommendations on the text of the 2019 Bill:

1.Scope of the Bill extended to include non-personal data: The 2019 Bill was only limited to protection of 'personal data'. However, the JPC recommends renaming the Bill to the 'Data Protection Act' - a single law that will regulate both personal and non-personal data (NPD), including anonymised data. It retains provisions for mandatory NPD sharing with the government, ¹³ and recommends that the data regulator should be empowered to investigate NPD data breaches. Stakeholders have previously raised concerns around including NPD within the personal data protection law, arguing that the aim of a personal data regulation is to protect personal information, while NPD regulation aims to generate value from data, and regulating both under one legislation will dilute such objectives. .¹⁴

2. Transition period: The JPC recognises that all stakeholders - the government, companies, citizens, startups, data processors - need to be prepared for the change brought about by the Bill, requiring time to ease into the compliance routine. It also points to the need for constant consultation through the implementation phase of this bill, especially with businesses. For these reasons, it has suggested a two-year transition period before the bill comes into force.¹⁵

3. Processing personal data for reasonable purposes: The PDP Bill allows companies to process data under the non-consent based reasonable purposes ground. Reasonable purposes will be specified by the DPA, keeping in mind certain factors, including a data fiduciary's interest. Now, the JPC recommends modifying the factors the DPA should consider in determining such purposes by adding the word 'legitimate' before 'interest'. While this looks like a largely cosmetic change, it could require companies to prove that their interest is legitimate, with regard to a specific processing activity.

4. Transparency of algorithms and processing methods: The JPC recommends that data fiduciaries should provide details of the fairness of algorithms and methods of data processing to ensure transparency and prevent misuse.

5. Processing children's data: The Committee notes that the concept of a 'guardian' as a separate class of data fiduciary is impractical and may dilute the objective of safeguarding children. Therefore, the Committee recommends the deletion of this concept altogether. It also recommends that all data fiduciaries should be barred from carrying out profiling, tracking, or behavioral monitoring of, or targeted advertising directed at children, and processing personal data that may cause significant harm to children. This bar was previously applicable on guardian data fiduciaries alone.

6. Data portability: The Committee observes that the trade secrets exemption is not an appropriate ground for rejecting requests for data portability. This is because trade secrets, as a concept, is continuously evolving, sector-specific, and subject to various technological advancements. Therefore, the Committee recommends deleting the trade secrets exemption to the data portability right. Instead, it recommends that the DPA should be empowered to determine the scope of exceptions to data portability through regulations.

7. Right to confirmation and access: To address the absence of the rights of deceased persons under the Bill, the Committee recommends allowing the data principal to either nominate a legal heir/representative, exercise the right to be forgotten or append the terms of agreement in the event of their death.¹⁶

8. Reporting of data breaches: The Committee recommends that companies should report data breaches to the DPA within a period of 72 hours.¹⁷ It also proposes that companies should be report data breaches under all circumstances, as opposed to when the breach may cause harm to the data principal- which was the provision under the 2019 Bill. Further, the JPC suggests that the Bill should govern breaches of non-personal data as well. ¹⁸

9. Significant data fiduciaries: The Bill subjects significant data fiduciaries - of which social media intermediaries are a subset - to a higher set of compliances, such as the requirement to register with the authority, appoint a data protection officer, and conducting data protection impact assessments. The JPC recommends removing exemptions from the definition of social media intermediary for companies that enable commercial or business transactions, provide internet access, search engines, email services, or online storage services. The Committee further clarifies that these significant data fiduciaries will continue to be subject to sectoral regulations, in consultation with the DPA.

10. Data protection officer: The Committee proposes that a Data Protection Officer (DPO) be appointed by significant data fiduciaries, must play a vital role in the management of the company. The DPO ought to be a senior level officer or key managerial personnel, having technical knowledge in the field of operations of the respective significant data fiduciary.¹⁹

11. Cross border data transfers: The Committee acknowledges that the risks (to national security, privacy, or employment) associated with cross border flow of data should be balanced with innovation.²⁰ The JPC suggests inserting another layer of approval for transferring sensitive personal data (SPD). For transferring SPD in pursuance to a contract or intra-group scheme, the DPA will have to further consult with the central government before approving the transfer.²¹ The Committee recommends that such intra-group schemes must only be permitted if they are consistent with 'public policy' or 'State policy'.²² The Committee also recommends inserting a clause to ensure that no sensitive personal data can be shared with any foreign government or agency without the permission of the central government.²³ Mandating central government approval for contract-based cross-border flows may create additional bureaucratic hurdles to the flow of data - which as the Committee itself notes, is critical to growth in the digital economy.²⁴

12. Treatment of government bodies under the bill: In order to 'balance' national security concerns with the data protection objectives of the bill, the JPC suggests that the government requires exemptions- but in line with the Puttaswamy judgment.²⁵ It suggests that the government can exempt itself after following 'just, fair, reasonable and proportionate procedure'. This blanket exemption has attracted sharp criticism from opposition members in their dissent notes.²⁶ Even Justice (Retd.) B.N. Srikrishna, the chairperson of the original report on data protection, has raised alarm over this provision.²⁷

At the same time, the Committee, when discussing offences committed by government entities, acknowledges that government agencies and departments can be significant data fiduciaries in many contexts, and thus should establish Standard Operating Procedures (SOPs) and in-house inquiry processes for fixing liability for any offence.²⁸

13. Media organisations: When addressing the exemption given to data processing for journalistic purposes, the Committee recommends the setting up of a statutory body to provide safeguard against misuse. The statutory body will govern media organisations across all platforms, instead of self-regulatory organisations.²⁹

14.Appointment of DPA: The Committee recommends that the selection committee for the DPA have wider representation from technical, legal, and academic experts, in addition to the bureaucrats comprising the selection committee in the 2019 Bill.³⁰ Though the Report claims that this will make the selection process more independent, certain MPs in their dissent notes have argued that the selection process remains heavily skewed in favor of the government and the DPA is unlikely to be a truly independent body.³¹

15. Certification of hardware and software products: The JPC also identifies misuse of digital devices and hardware as a major issue which requires the DPA's intervention. It recommends that the DPA should create a framework to monitor, test and certify hardware and software for computing devices so that 'integrity of data' is maintained.³² .

16.Single window for claims/compensation: Identifying that data principals may have to approach different entities - data fiduciaries under clause 32, and the adjudicating officer under clause 64 - the Committee suggests that the DPA establish a single-window system through which aggrieved persons can file their claims.³³

17. Penalties: The JPC recommends that the central government should have the power to prescribe penalties through rules. Although, it retains the provisions that would cap the penalty amount to Rs. 15 Crores or 2-4% of companies' world-wide turnover.³⁴

18.Offences by companies: The Committee affixes responsibility on the members in an offending company who are in-charge of 'that part of the company to which the offence relates' shall be held responsible. Previously, the bill stated that the person in-charge of the company at an overall level should be held responsible.³⁵

C. Process going forward: According to the Lok Sabha Rules,³⁶ the government can either introduce the JPC's version of the bill directly in Parliament or return the bill to the JPC or another committee or circulate it in Parliament for further consultation. The government is now expected to re-work the 2019 Bill based on the JPC's recommendations. Notably, the government is not bound to accept the JPC's recommendations. Given that this was a largely bipartisan effort, several of the Committee's recommendations may find their way into the revised bill. After finalising the bill, the government will table a re-drafted, cabinet-approved version in Parliament for voting. Since the winter session is close to coming to an end, it is likely the new bill will be tabled in the next Parliament session (budget session of February/March 2022).

Footnotes

1. http://loksabhaph.nic.in/Committee/CommitteeInformation.aspx?comm_code=73&tab=1

2. Recommendation 92, Report.

3. Recommendation 93, Report.

4. Para 1.2.10, Report.

5. Para 1.2.7, Report.

6. Para 1.15.8, Report.

7. Para 1.9.4, Report.

8. Para 1.15.17.5, Report

9. Para 1.15.17.6, Report

10. Para 1.15.16.3, Report.

11. Paragraph 1.15.10.2 of the JPC report.

12. Para 1.15.12, Report.

13. Para 2.271, Report.

14. See, for instance, the dissent note filed by Gaurav Gogoi, MP (Indian National Congress), on page 227 of the Report. See also Para 5.3 of the revised Report by the Committee of Experts on Non-Personal Data Governance Framework, December 2020, https://static.mygov.in/rest/s3fs-public/mygov_160922880751553221.pdf.

15. Para 1.15.9, Report

16. Rec No. 39.

17. Paragraph 2.111 of the JPC report.

18. Para 2.107, Report.

19. Paragraph 2.136, 2.137 and 2.138 of the JPC report.

20. Paragraph 1.9.4 of the JPC report.

21. Paragraph 2.149 of the JPC report.

22. Paragraph 2.150 of the JPC report.

23. Paragraph 2.154 of the JPC report.

24. Para 1.9.2, Report.

25. Para 2.171, Report.

26. https://www.indiatoday.in/india/story/data-protection-bill-orwellian-tmc-derek-o-brien-mahua-moitra-dissent-note-1881652-2021-11-28

27. https://thewire.in/law/privacy-bill-india-orwellian-state-justice-bn-srikrishna

28. Para 2.262, Report.

29. Para 2.177, Report.

30. Para 2.191, Report.

31. Dissent note filed by Derek O'Brien and Mahua Moitra, Members of Parliament from the All India Trinamool Congress.

32. Para 2.201, Report.

33. Para 2.219, Report.

34. Rec. No. 71

35. Para 2.256, Report.

36. http://loksabhaph.nic.in/rules/rules.pdf

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.