Data protection bill: Panel calls for strict rules for firms, leeways for govt
The JPC was set up in 2019 to take up the personal data protection bill after parliamentarians were divided over several provisions of the law meant to give a legal shape to the Right to Privacy after it was made a fundamental right by the Supreme Court in 2017.
The joint parliamentary committee (JPC) reviewing the proposed data protection law finalised its report on Monday, suggesting stricter compliance requirements for companies while adding or tweaking clauses that provide for lighter obligations on government agencies, and recommending that the State have a greater say in the legal mechanism that will be set up to safeguard personal and non-personal data, according to people aware of the matter.
The people cited above said that the panel has suggested new provisions that will build in additional compliances: companies will need to report a data breach within 72 hours, mandatorily disclose if information relating to a data principal (person or entity that owns the data) is passed on to someone else, and appoint senior management personnel as data protection officers who will ultimately be held responsible for lapses or violations.
At the same time, the mandatory disclosure of third-party sharing to the data principal need not be made in case it is for State functions (such as for offering benefits, or maintaining law and order) or to comply with a court order. Government departments will also be allowed to carry out an in-house inquiry to fix responsibility in the event of a leak, a person aware of the suggestions added.
The report will be tabled for discussion in the Parliament session beginning November 29, following which the government will reintroduce the bill. The recommendations are not binding.
There has been pushback from several opposition party members of the panel, who have argued that the new bill gives “unbridled power” to the government. At least five have already submitted their dissent notes and one more is expected by November 24.
The report, the people quoted above added, makes suggestions as well as clause-by-clause tweaks.
In one of these suggestions, it has asked the government to ensure that copies of sensitive and critical personal data already in possession of foreign entities be brought back in a timebound manner – a recommendation that could hold implications for financial systems services providers like Visa and MasterCard; and, in another recommendation, it has called for a mechanism in which social media companies can be treated as publishers in some circumstances.
A mechanism may be devised under which social media platforms will be held responsible for the content from unverified accounts, one of the people said, citing the report. Treating a social media company such as Facebook or Twitter as a publisher will make it liable under laws pertaining to illegal speech, such as those punishing hate and libel, thus allowing it to be prosecuted for third-party content, from which such companies are so far protected under the IT Act.
The committee has, however, listened to the demands of stakeholders on some points, such as the removal of a blanket provision treating social media companies as publishers, and in implementing the legislation in a phased manner over a period of two years.
“The recommendations tighten regulatory framework for big tech companies and enhance compliance framework,” Supreme Court lawyer and founder of Cybersaathi NS Nappinai said. “That stakeholders have been heard is apparent -- 24 months is something big tech has been pushing for, inasmuch as they have argued that they cannot be treated as publishers.”
The people said that the panel has also suggested a change in a particularly contentious portion of the law: Clause 35, which deals with conditions under which the government can access personal data without consent. It has recommended that the procedure by which this exemption is claimed be “just, fair, reasonable and proportionate”. This clause is contentious because it allows the government to claim the exemption if it is satisfied that it is “necessary or expedient” to do so in the interest of purposes such as national security. The tests for “just, fair and proportionate” have been explained further as part of procedure.
The committee was concerned about possible misuse when a situation arises in which the privacy rights of the individual have to be subsumed for the protection of the larger interests of the State. The committee, therefore, felt that though the State has rightly been empowered, this power may be used only under exceptional circumstances and subject to conditions as laid out, one of the people cited above said, citing the report.
Some of the additional powers of the State are the ability to frame policies for non-personal data, including anonymised data; define significant social media platforms based on a threshold of users; and decide penalties for data fiduciaries for failing to comply with the law.
A Data Protection Authority (DPA), to be set up under the law, is meant to be the regulator for deciding how personal and non-personal data will be managed in the country. The authority will be chosen by a panel shortlisted by the central government – a point that has already been a matter of contention since it raises questions about its autonomy. The panel’s report now suggests that the DPA will need to follow the government’s lead on all matters and not just questions of policy.
“Such a clause will further dilute the power of the data protection authority,” Nappinai said.
Under clause 94, previously clause 93, which deals with granting powers to the government to make rules, the panel, the people said, recommends that the government decide the manner in which a data fiduciary can share, transfer or transmit personal data to any person as part of any business transaction, and define the threshold of users of significant social media platforms and the process of voluntary user verification.
The recommendations suggest the government will decide the penalty for those failing to comply with the provisions, which was earlier defined with respect to the global turnover of the company as part of the bill.
The panel says the government should take the final call on whether sensitive personal data can be shared with a foreign government or agency. The recommendations also give the government the scope to set up a future statutory body to look into the use of personal data by journalistic organisations, the people said.