Commercial Law Advisors

Summary of recommendations in the JPC Report on Data Protection

In 2019, the draft Personal Data Protection Bill was referred to a Joint Parliamentary Committee (“Committee”) for further deliberation. The Committee’s report on the Personal Data Protection Bill, 2019 (the “Report”) was tabled in Parliament on 16th December 2021. The Report also proposes a Bill, the Joint Parliamentary Committee Bill (the “Bill”). A summary of the important recommendations made by the Committee is as follows:


1. TITLE: The title of the earlier draft law, “Personal Data Protection Bill”, has been changed to the “Data Protection Bill, 2021” in view of the Committee’s proposal to extend the Bill’s material scope to regulate non-personal data as well. The Committee has recommended a single Data Protection Authority (“DPA”) to regulate both personal and non-personal data.


2. TIMELINE: The Committee has suggested the following timeline for the implementation of the Act:

  1. Appointment of Chairperson and Members of the DPA: within 3 months from the notification of the Act.

  2. DPA: commences operation within 6 months of the notification of the Act.

  3. Registration of data fiduciaries: within 9 months of the notification of the Act.

  4. Appellate Tribunal: to be functional within 12 months of the notification of the Act.

  5. Any and all provisions: to be implemented within 24 months from the date of notification of the Act.

3. DATA BREACH: The Committee has recommended that there be guiding principles for the DPA while drafting the regulations for the reporting of data breaches by data fiduciaries, which include:

  1. Ensuring the privacy of the data principal before posting anything about the breach.

  2. In case of delay in data breach notification, the burden of proof lies with the data fiduciary to show that the delay was on reasonable grounds.

  3. Mandate the data fiduciaries to maintain a log of both personal and non-personal data breaches which is to be reviewed periodically by the DPA.

  4. Provide for temporary orders of non-disclosure of details when a data breach occurs, if it has happened despite reasonable precautions by the data fiduciary.

The Committee also recommended modifications to clause 25, which deals with the reporting of data breaches. A period of 72 hours for reporting a data breach has been specified. The Committee recommended that the DPA, after examining the data breach and analysing the severity of harm to the data principal, may direct the data fiduciary to inform the data principal. A proviso is also added to clause 25 allowing the DPA to direct the data fiduciary to mitigate the harm caused to the data fiduciary. The Committee recommended that the DPA shall have the power to deal with both personal and non-personal data breaches.


4. CHILDREN’S DATA: The Committee has recommended that data fiduciaries dealing with children’s data register themselves with the DPA. Further, in addition to the consent of the parents or guardians, data fiduciaries need to obtain the consent of the child on the day of attaining majority as well. The services provided shall continue unless and until the person opts out. The earlier draft included the concept of a guardian data fiduciary for dealing with children’s data. The Committee felt that this concept would create an altogether new class of data fiduciary, which might result in the dilution of the provisions of the Bill. Therefore, the Committee recommended removing the concept of guardian data fiduciary from the Bill. In order to curb any misuse of children’s data, data fiduciaries that deal with children’s data are regarded as significant data fiduciaries.


5. SOCIAL MEDIA PLATFORMS: Social media companies are currently regulated as “social media intermediaries” under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, framed under the Information Technology Act, 2000. The Committee has suggested treating such companies as publishers and holding them liable for the content they host, because they control access to such content. It proposes regulating them as “social media platforms” and has included a definition of social media platforms under clause 3(44). The Committee is of the view that the provisions of the Information Technology Act, 2000 are not adequate to deal with the dynamic nature of these intermediaries. The Committee also stipulates that no social media platform shall be allowed to do business in India unless the parent company sets up an office in India. Under clause 26, social media platforms are recommended to be treated as significant data fiduciaries.


The Committee also suggested that a statutory media regulatory body be set up to regulate the content on all such media platforms, online or offline. While dealing with provisions relating to the importance of journalistic freedom vis-à-vis the right of privacy of individuals, the Committee felt that there is no single statutory regulator for all media platforms, as journalism these days is not limited to traditional media and news articles are published online as well. Therefore, it suggested an amendment to clause 36(e) to empower the statutory regulator, once created, to frame regulations; until then, the Government shall frame rules and regulations under this Bill.


6. DATA PROTECTION AUTHORITY: The Committee recommends that the DPA evolve in line with international best practice and draft regulations that make the exercise of the data principal’s rights and the discharge of the data fiduciary’s obligations practical. While framing policies, the DPA must also take into account the interests of the Government. The Committee discussed the importance of having regulations for hardware manufacturers who collect data, as such data can also be misused. In this regard, it suggested the inclusion of clause 49(2)(o), allowing the DPA to draft regulations regarding hardware manufacturers and related entities.


Under clause 50(2), the DPA has the power to approve any code of practice submitted by associations involved in trade, associations representing the interests of data principals, and similar bodies. The Committee recommended that, along with the associations specified, the DPA must also approve the codes of practice of technical service organisations. Clause 56 mandates that the DPA consult other sectoral regulators when its action might fall within the concurrent jurisdiction of those regulators. In this regard, the Committee observed that the activities of the DPA might have economic consequences, for which reason it recommends consultation with the RBI.


7. ALTERNATIVE FINANCIAL SYSTEMS: The Committee observed that data protection is a matter of serious concern in the financial sector as well, especially where networks like SWIFT compromise the privacy of individuals in cross-border payments. Therefore, the Committee suggested that alternatives to the SWIFT network be developed in India, not only to protect the privacy of citizens but also to boost the digital economy. Such a system could be similar to indigenous financial systems such as Ripple (US) and INSTEX (EU).


8. STARTUPS: In this Report, the Committee has tried to ease compliance with the Bill, and the rules and regulations thereunder, for start-ups. The Committee has suggested various amendments to the provisions in the interests of start-ups. The DPA needs to draft regulations taking the interests of start-ups into consideration, including regulations encouraging innovation and sandboxes.


The Committee has also recommended a few changes to clause 40 relating to the creation of a sandbox. The creation of a sandbox is not a mandatory obligation for the Government; rather, clause 40 is only an enabling provision through which the Government may create a sandbox, having regard to the current infrastructure.


Through its recommendations, the Committee has tried to secure the interests of start-ups as much as possible. The Committee has also recommended a flexible penalty scheme, as digital technologies are constantly changing and the imposition of penalties needs to be decided on a case-by-case basis, keeping in mind start-ups and smaller data fiduciaries, subject to the maximum cap stipulated in the Bill; clause 57 was amended accordingly.


9. HARDWARE MANUFACTURERS: The Committee noted the importance of having regulations for hardware manufacturers who collect data as well. The Committee recommended that the Government set up labs/testing centres throughout India to certify all digital and IoT devices that have the potential to train AI using personal data. The Government must also develop a mechanism for this certification process. These labs must provide services through which individuals can have their devices certified and, in case a device does not pass the data security test, approach the DPA to take action against the manufacturer.

The globally decentralised nature of manufacturing provides an opportunity for misuse of data in digital hardware. Therefore, in order to protect Indian data, the Committee recommended that the Central Government and the DPA be empowered through this legislation to create a framework to monitor, test and certify hardware equipment, and at the same time to prevent interdiction or seeding that may result in a personal data breach; clause 49(2)(o) was added accordingly.


10. DATA LOCALISATION: The Committee recommended that, owing to the misuse of Indian data by foreign entities, it is important that the Government protect the privacy of its citizens and no longer let other countries govern the data of Indian citizens. For this purpose, India needs to enact legislation and enter into treaties with other countries. National security cannot be compromised in the name of promoting business.


The Committee recommended that the Central Government ensure that the data localisation provisions are followed in both letter and spirit by all local and foreign entities. In this regard, the Committee recommends that the Central Government develop an extensive Data Localisation Policy encompassing aspects such as the development of adequate infrastructure for the safe storage of data of Indians, which may also generate employment. The Central Government should also ensure that the income generated from data localisation is used for the welfare of the country, especially in helping start-ups and small businesses comply with the localisation norms.


Clause 34 deals with the conditions for the transfer of sensitive and critical personal data. The Committee has recommended that the approval of the Central Government be required for any transfer of sensitive personal data. The Central Government’s approval is also needed to sanction any contract or inter-governmental scheme involving the transfer of sensitive personal data. No approval shall be given if the scheme or contract is against public policy.


11. NON-PERSONAL DATA: In view of the difficulty of segregating personal and non-personal data, the Committee has suggested that the Bill regulate all kinds of data. The Committee has recommended the inclusion of definitions of non-personal data and non-personal data breach. The Committee suggests that, in order to avoid contradiction, confusion and mismanagement, a single data protection authority is needed to deal with all kinds of data. The Committee has recommended that the Central Government have the power to frame any policy for the digital economy, including policies on the handling of non-personal data and anonymised personal data.


12. DATA FIDUCIARY & DATA PROCESSORS: The definitions of data fiduciary and data processors are amended to include Non-Governmental Organizations (NGOs) as well.


13. DEFINITION OF HARM: Considering the wide impact of the definition of harm and extensive interpretation of the term, the Committee recommended adding Clause 3(20)(xi) to include psychological manipulation impairing the autonomy of individuals and further recommended that the government be empowered to prescribe any other harms.


14. QUALITY OF THE DATA PROCESSED: Clause 8(1) stipulates that the data fiduciary must ensure that the data processed is complete, accurate, not misleading and updated, having regard to the purpose for which it was collected. In this regard, the Committee recommends that data fiduciaries notify the data principal of any non-compliance with the above provision. The only exception carved out is where such a notice would prejudice data processing by government authorities under section 12.


15. PROCESSING OF DATA FOR EMPLOYMENT PURPOSES: Clause 13 deals with the processing of data for purposes relating to employment. The Committee observed that the relationship between employer and employee is a sensitive and critical one, formed on the basis of trust. The employer cannot be given complete freedom to process the employee’s data. The employee must have an opportunity to stop the processing of data for unreasonable purposes. Therefore, the Committee recommended limiting the processing of the employee’s data to circumstances where it is necessary or could reasonably be expected by the data principal.


16. PROCESSING OF DATA FOR OTHER REASONABLE PURPOSES: Clause 14 deals with the processing of data for other reasonable purposes. The Committee recommended that clause 14(2)(c) be expanded so that mergers and acquisitions, and any other combinations or corporate restructuring transactions carried out in accordance with applicable law, are considered reasonable purposes.


17. RIGHTS OF DATA PRINCIPAL: The Committee observed that there was no right specific to a deceased data principal. Clause 17 was amended so that the data principal has the option to nominate a legal heir or legal representative as a nominee, to exercise the right to be forgotten, and to append the terms of the agreement with regard to the processing of personal data in the event of the data principal’s death.


Further, under the earlier draft the data principal had the right to restrict only the disclosure of data. The Committee has recommended extending this right to the processing of data as well, since even after disclosure is restricted the data can be processed for various other purposes without being disclosed. The right therefore applies to any processing operation performed on the data.


With respect to the right to data portability, the Committee recommended prohibiting the data fiduciary from denying data portability on the grounds of trade secrets, which was permitted under the earlier draft.


18. DATA PROTECTION OFFICER: The definition of Data Protection Officer (DPO) has been included under clause 3(18). The Committee has recommended conditions for the appointment of a DPO, having found that the earlier draft prescribed no specific qualification for a DPO. As per the recommendations, the DPO must be a senior-level officer in the case of the state, key managerial personnel in the case of a company, or an employee of equivalent capacity in the case of other entities. An explanation has been added to clause 30(1) defining key managerial personnel as the CEO or Managing Director, the Company Secretary, the whole-time director, the CFO, or such other personnel as may be prescribed.


19. PENALTIES AND COMPENSATION: The Committee recommended the addition of a separate provision dealing with the procedure for filing an application or complaint by the data principal. Clause 62 has been added, under which the DPA shall forward the data principal’s application or complaint to the Adjudicating Officer.

The Committee observed that the Adjudicating Officer had been given unrestricted power to impose a penalty on a data fiduciary for violating the provisions of this Bill and to decide its quantum. The Committee recommended that this power be exercised in line with guidelines to be issued by the DPA.


20. POWERS OF CENTRAL GOVERNMENT: Under clause 35, the Central Government has the power to exempt any agency from any or all of the provisions of this Bill, subject to such procedures, safeguards and oversight mechanisms as the agency is required to follow. The Committee recommended that an explanation be provided for the term ‘such procedure’ in order to avoid any arbitrary use of this provision and to keep it in line with the Puttaswamy judgment. The Committee recommended the inclusion of a non-obstante clause by which this provision shall have an overriding effect over the provisions of any other law for the time being in force. The Committee has also recommended certain additions to the powers of the Central Government to make rules and regulations.


21. QUALIFICATIONS OF CHAIRPERSON AND MEMBERS OF DATA PROTECTION AUTHORITY: The Committee suggested that the qualifications of the chairperson and members of the DPA need to be specific and must include a member who is an expert in law, with such qualifications as may be prescribed.


The members and chairperson of the DPA will be appointed by the Central Government on the nomination of a selection committee. The Committee felt that the composition of the selection committee was not inclusive enough, as it comprised only senior-level bureaucrats. Therefore, it suggested the inclusion of technical, academic and legal experts. The Committee also recommended that the Chairperson have the power to preside over the meetings of the DPA.


22. SEARCH AND SEIZURE: The DPA has the power to conduct inquiries if it finds the activities of a data fiduciary or data processor to be detrimental to the data principal. The DPA can appoint one of its members as Inquiry Officer to inquire into the affairs of such data fiduciaries or data processors. Under the earlier draft, the Inquiry Officer had to approach the designated court notified by the Central Government in order to conduct any search and seizure. The Committee, however, recommended that the Inquiry Officer obtain the approval of the DPA before discharging these duties.


23. OFFENCES COMMITTED BY COMPANIES: Clause 85 deals with offences committed by companies. The Committee points out that an offence may be attributable to a specific part of the business rather than the business in its entirety, and therefore recommended adding the words ‘part of the business’ to clause 85(1). The Committee also suggested that the liability of independent directors and non-executive directors in this regard be added to clause 85.


24. OFFENCES COMMITTED BY GOVERNMENT DATA FIDUCIARIES: The Committee recommends that where an offence is committed by a government data fiduciary, that particular data fiduciary alone will be responsible and not the entire department, authority or the state. The Committee also recommended that the Head of the Department conduct an inquiry to identify the person or officer responsible for the offence.


CONCLUSION: It can be seen that the Committee has made some major modifications to the Bill, such as including non-personal data, bringing in provisions in the interest of start-ups, strengthening data localisation by mandating the approval of the Central Government, including social media platforms as significant data fiduciaries, and so on. Through these recommendations, the Committee not only tries to provide a stringent framework for protecting the privacy rights of individuals but also tries to boost the digital economy of the country. The JPC Bill is expected to be tabled before Parliament during the upcoming budget session.