Joint Parliamentary Committee Report on Personal Data Protection Bill

Joint Parliamentary Committee Report on Personal Data Protection Bill

On Thursday, the Joint Parliamentary Committee on Personal Data Protection Bill presented its Report to both Houses of Parliament following 2 years of deliberation. A new version of the Data Protection Law called the 'Data Protection Bill, 2021' is included in the JPC's review of the country's first data protection law.

A data protection law was proposed after the Supreme Court declared privacy to be a fundamental right in its Puttuswamy judgment (2017) and ordered the government to establish a data protection rule. A Personal Data Protection Bill, 2019 focused on the protection of individual data was introduced in Lok Sabha in 2019. On behalf of opposition members, the Bill was referred to a Joint Parliamentary Committee for further inspection in December 2019.

Key takeaways from the Report

1 Changes in Bill's Name and Scope

According to the JPC Report, the draft law has been renamed 'Data Protection Bill, 2021' from 'Personal Data Protection Bill'. In addition to governing "personal data," the draft law will also regulate "non-personal data." According to the Internet Freedom Foundation, the primary purpose is to provide a seemingly blank check to the Government through Clause 92 which states, " Read Also - Supreme Court dismisses petition challenging interest deduction on MACT award nothing in this Act prevents the Central Government from framing (***)an appropriate policy for the digital economy, including measures to promote growth, security, integrity, protection against misuse, (***)or the handling of non-personal data, including anonymised data.

2 Both personal and non-personal data must be handled by the Data Protection Authority

There is no separation of personal and non-personal data under the PDP Bill, as the committee has recommended.

3 Exemptions for government bodies

JPC reports retain the controversial clause that provides that the central government may exempt any government agency from the act's provisions. In addition, the amendment adds a qualification that is "subject to just, fair, reasonable and proportionate procedure."

It was earlier proposed that the central government have the power to grant exemptions without requiring that there be a just, fair, reasonable and proportionate process for granting exemptions.

In its report, the JPC notes that it is concerned about the misuse of the provisions if the privacy rights of an individual have to be subsumed for the protection of state interests. By way of additional qualification, the JPC hopes to "strike an appropriate balance between the Constitution, the Puttaswamy judgment and individual rights in the matter of privacy."

It was recommended that the Clause be amended - Public order should not be a basis for exemption; judicial oversight / parliamentary oversight should be required; written orders explaining why exemptions should be granted; and safeguards should be in place to ensure exemptions are valid, necessary and proportionate.

The Committee nonetheless feels that though the State might have been justified in exempting itself from the application of the Act. This power should only be exercised in exceptional circumstances and under conditions stipulated in the Act.

4 Data Breaches

It has been proposed to include a 72-hour reporting period for data breaches in clause 25(3).

5 Government's Powers

While the JPC Report retains the controversial clause exempting Governmental agencies from the law, a few minor changes have been made. It should be the central government that controls the Data Protection Authority (DPA) and exempts any government body from the bill's provisions based on the principle of 'just, fair, reasonable and proportionate' procedures.

6 Children's Data

As defined in Section 3(8) of the Bill, a "child" as a person who has not reached the age of 18. When processing a child's data, data fiduciaries have different obligations, including obtaining the consent of the child's parents or guardians.

The JPC report has been presented to Parliament, but the members have not been unanimous in their recommendations. Dissent has been expressed by a number of members over key provisions in the Bill. Government agencies have been exempted from the provisions, data fiduciaries must handle children's personal data, and the composition of the Data Protection Authority has been a contentious issue.

MP Manish Tewari disapproves the bill conceived with a Pre-Puttuswamy mindset

Several MPs criticized clauses 12 and 35 of the Bill because they allow governments to process individuals' personal data without their consent and grant them authority to exempt any of their agencies from the Bill's provisions.

As Tewari notes in his dissent, a bill that leaves the state and its instrumentalities open to blanket exemptions for a limited period is in violation of the Right to Privacy.

The following should be added to Clause 35 by Mr. Tewari:

An exemption cannot be granted until it is judicially determined by the Appellate Tribunal as provided under clause 68. Any person may apply to the Appellate Tribunal with an appropriate application, detailing the reasons why such an exemption should be granted or not. This must be done in the form of a reasoned order so that the remedy provided under Clause 76 may be exercised."

MPs Mahua Moitra and Derek O'Brien argue that the Data Protection Bill has Orwellian elements

Despite amendments to Clause 35 of the Bill, which gives the Central Government the power to exempt any government agency from applying the Act, Mr. Derek O Brien and Ms. Mahua Moitra in their combined dissent note, "the Committee has not only failed to introduce proper safeguards in Clause 35 to prevent its misuse but also recommendations that the Central Government be empowered with greater unqualified powers." They call on the Central Government to remove the power to exempt government agencies from the application of the Act. A recommendation is also made for the provisions of the bill to not apply to non-personal data.

MP Vivek Tankha: The state has been granted powers in violation of Puttuswamy's judgment

Vivek Tankha dissented from clauses 12 and 35 of the Data Protection Bill, 2021. According to the MP's dissent note, "the PDP Bill is based on an incorrect assumption that the right to privacy can only be protected against privacy breaches and that the state is exempted from responsibilities under the constitution."

According to the professor, government agencies are treated as an exclusive class, hence the recommendation is inconsistent with the K. Puttuswamy case's spirit.

Considering this, he adds that the state's power of exception needs to be amended to prevent abuse.

It is therefore important to keep personal data under lock and key unless the sharing is incompatible with national security, foreign relations, or for the prevention or detection of crimes/cognizable offenses. Still, he explains, "these exceptions may be allowed only in exceptional cases and by a logical order for posterity and constitutional courts to judge the level of interruption."

Amar Patnaik: A State Data Protection Authority, needed

As outlined in his dissent note, MP Dr. Amar Patnaik calls for an independent, overarching authority to protect data. The author points out that a data protection authority under the control of the central government is hostile to the principles of federalism. As a result of the separation, "the commission will maintain structural, fiscal and functional autonomy and will be protected from adverse changes to tenure, composition, salary and appointment methods."

Ritesh Pandey: Children's consent ages should be lowered in the digital age

As part of his dissenting note, MP Ritesh Pandey objected to the high age of consent and the government's right to exempt its agencies from the bill. In an era of digital transformation, Panday recommends that the age of consent be lowered to fourteen years old, since 18 years and under "does not align with the principle of the best interest of a child."

"Despite safeguarding children's privacy and welfare is a primary duty of the Bill. It is fundamental to define a child as anyone under 14 years of age so that they can benefit from new technologies without obtaining consent from their parents or guardians. This amendment also addresses social barriers young women face in accessing the internet in rural India," he concludes.

Concerning the government's power to exempt agencies, Pandey noted:

Section 35 of the current bill substantially enhances surveillance powers without any of the safeguards and judicial oversight provided under Sections 5 and 24. The grant of access to personal data to the Central Government without appropriate safeguards and judicial oversight is irreconcilable with constitutional principles and should be removed from the Bill.

Gaurav Gogoi points out that the government and its agencies are granted broad exemptions under Clauses 13 and 35; that there is no parliamentary oversight and engagement; and that non-personal information is not regulated.

Along with the dissent notes of the members of the Joint Parliamentary Committee, the Internet and Mobile Association of India in a statement on the JPC Report has expressed concern and said that the Data Protection Bill has "undergone fundamental changes from its 2015 version." PC Report is concerned that the age restriction of 18 years on certain services will exclude an important demographic from the digital ecosystem and contradict most data privacy regimes that allow 13 to 18-year-olds access to their data. Despite the recommendations of the expert committee appointed by the MEI ITY to develop a framework for non-personal data governance, IAMAI has recommended excluding non-personal data from the personal data protection act.

Soon, both the Bill and the Committee's report will be taken up by the Parliament for debate and deliberation. In the event that the Bill and Report are assented to, India will adopt the country's first data protection legislation.