On Dec. 16, 2021, the Joint Parliamentary Committee submitted its long-awaited report to the Indian Parliament after two years of deliberations on the Personal Data Protection Bill, 2019. This is, hopefully, the culmination of a series of extensions provided to the JPC and will pave the way for a strong data protection law in the world’s largest democracy.

The journey so far: In 2017, the Supreme Court of India (the apex judicial body in India) declared the right to privacy as a fundamental right protected under the Indian Constitution. It also recommended the Indian Central Government put in place a data protection regime that considers the interests of individuals as well as the legitimate concerns of the state while promoting an environment for entrepreneurship and innovation. In the same year, the government appointed an expert committee headed by former Supreme Court judge Justice B.N. Srikrishna to draft a Personal Data Protection Bill that will "ensure growth of the digital economy while keeping personal data of citizens secure and protected.” The expert committee submitted its report along with a draft legislation on data protection in July 2018. The government then set up a JPC to review the PDPB.

The committee consulted various stakeholders, such as industry and regulatory bodies and services providers. This includes the Ministry of Electronics and Information Technology, Reserve Bank of India, Securities and Exchange Board of India, National Payments Corporation of India, Income Tax department, Unique Identification Authority of India, National Association of Software and Service Companies, large social media players, law firms and others. The objective was to understand how personal and sensitive data are processed in real time with implementation of actual data protection safeguards preventing data leakages. The committee also visited data centers and processing centers in India.

Key committee recommendations

The following revisions are observed in the report submitted by the committee:

  • Timelines for implementation (Clause 1): The 2019 bill did not specify any time limit for the implementation of its provisions. The revised bill provides that an “approximate period of 24 months may be provided for implementation of any and all the provisions of the Act so that the data fiduciaries and data processors have enough time to make the necessary changes to their policies, infrastructure, processes, etc.” It is recommended the data protection authority commences its work within six months, registration of data fiduciaries is done within nine months and the appellate tribunal commences its work within 12 months from the date of notification.
  • Scope (Clause 2): The scope of the Personal Data Protection Bill has undergone an expansion and will now cover both personal and non-personal data. The bill has been renamed from “Personal Data Protection Bill” to “Data Protection Bill (Bill).” The same regulator is expected to regulate non-personal data and personal data, because “it is impossible to distinguish between personal data and non-personal data, when mass data is collected or transported.”

The inclusion of non-personal data including anonymized data in the scope will become a debatable and controversial issue, mainly because some of the non-personal data will be considered as proprietary by businesses that would have made major investments to collect this non-personal data.

  • Definitions (Clause 3): Several key terms have been defined, consolidated or revised, including “consent manager,” “data auditor,” “data breach,” “data fiduciary,” “data processor,” “data protection officer,” “harm” and “non-personal data.”
  • Processing of personal data without consent (Clauses 13 and 14): The processing of non-sensitive personal data for the purposes of employment now includes scenarios where "such processing is necessary or can reasonably be expected by the data principal." Legitimate interest is now explicitly called out as a basis of processing personal data if “the processing is necessary for reasonable purposes as may be specified by regulations,” balancing the interests of both the data principal and data fiduciary.
  • Processing of personal data of children (Clause 16): Data fiduciaries exclusively dealing with children's data must register with the DPA. The data fiduciary must inform the child three months before the child attains the age of majority so they may choose to provide consent again, and the data fiduciary must continue providing the services to the child unless the child withdraws consent.

The fact that personal data of children would now be processed to protect the rights of the child (instead of the earlier “best interests of the child”) is a welcome change.

  • User rights (Clauses 17, 19 and 23): The data principal will now be able to exercise his or her right to decide how their data will be handled in case of casualty or death by nominating a legal heir or representative. For data portability, trade secrets can no longer be grounds to deny data portability, and porting of data can only be denied on the ground of technical feasibility, which must be strictly determined by the regulations. The data fiduciary is also required to ensure transparency and fairness of algorithms and methods for processing personal data.
  • Breach reporting (Clause 25): A data breach now includes breach of both personal and non-personal data. The breach reporting requirements are stricter and more specific. The form of notice will now be specified by regulations rather than restricting the scope of the form within the bill itself. Most importantly, the timeline for reporting has been clearly defined as within 72 hours of becoming aware of a breach. A provision has been added where the DPA can direct the data fiduciary to adopt any urgent measures to remedy such a breach or mitigate any harm caused to the data principal.
  • Social media platforms (Clause 26): All social media platforms — which do not act as intermediaries — should be treated as publishers and be held accountable for the content they host. The rationale is such platforms can select the receiver of the content and control access to any content posted on their platform. These platforms will be held responsible for the content from unverified accounts on their platforms and will have to set up an office in India if they do not already have one. A media regulatory authority is proposed to be set up to regulate content on these platforms.

This moves away from the Information Technology Act 2000, its amendment in 2008 and subsequent regulations around intermediaries, which protected intermediaries from content posted by third parties.

  • Data protection officer (Clause 30): Further clarity has been added regarding who can be a DPO. In the government, the DPO should be a senior level officer of the state and, in a private company, key managerial personnel, such as chief executive officer, managing director, chief financial officer, company secretary or whole-time director.
  • Data transfer (Clause 34): The requirements for transfers of sensitive and critical personal data have been further refined. The DPA, when approving a contract or intragroup scheme that allows the cross-border transfer of data, should now consult the government as well. The contract or intragroup scheme allowing cross-border transfer of data should not be approved if the contract or scheme is against public or state policy. Also, such data should not be shared with any foreign government or agency unless it is approved by the government.
  • Exemptions from the regulation (Clause 35): This allows any agency under the government to be exempt from any or all provisions of the law. This led to the maximum number of dissent notes from the members of the committee. To address these concerns, the revised draft provides that the procedure to allow for such exemption should be a "just, fair, reasonable and proportionate procedure."

However, the inclusion of a non-obstante clause provides an overriding effect over any other law. How this overarching provision is balanced against the right to individual privacy remains to be seen.

  • Sandbox environment (Clause 40): To encourage startup and innovation culture with the inclusion of privacy by design, the government may set up sandbox environments for live testing of new products, technologies, and services (this was earlier a mandatory obligation). This would help small businesses and startups comply with data protection norms.
  • Composition of the DPA (Clause 42): The composition of the DPA must be inclusive, robust and independent, constituting members from legal, technical and academic fields in addition to secretary level officials while capping the total members at six. The government will identify an independent expert from data protection, information technology, data management, data sciences and data security services. The attorney general of India must be a member of the DPA. In addition, one director from the Indian Institute of Management and one from the Indian Institute of Technology must be nominated to the DPA.
  • Testing and certification of hardware devices (Clause 49): Since there is no coverage for hardware devices involved in personal data collection and processing in the PDPB, the committee recommended the government set up dedicated testing labs or facilities and establish mechanisms to provide formal certification of integrity, trustworthiness and security of hardware and software for all digital and IoT devices. An individual should be able to have their device certified, and, in case the device does not meet the specified standards of data security, approach the DPA to take action against the manufacturer.
  • Data localization: Mandatorily brought to India in a time bound manner, it is recommended the government, in consultation with concerned sectoral regulators, prepare and pronounce an extensive policy on data localization.
  • Privacy-centric alternative financial payment system: An alternative indigenous financial system to the Society for Worldwide Interbank Financial Telecommunication system should be to boost digital economy and usage in domestic space and ensure privacy in financial transactions. The goal is to reduce financial fraud fear among consumers, encouraging and accelerating the adoption rate of digital payments by consumers.

View on implementation

As suggested in the report, some key activities that need to be carried out in a phased manner include setting up the DPA and other associated infrastructure. Companies need to embrace and build an effective compliance strategy by focusing on investments and alignment to people, process and technology in a stipulated time. Both the government and private companies need to establish dedicated training and awareness programs to train the workforce and ensure timely compliance.

Conclusion

The Data Protection Bill is a much-delayed and much-needed legislation that will replace the current archaic, legacy and ineffective data protection regime in India. As compared to the current standards, it will help protect the privacy rights of individuals and promote fair and transparent use of data for innovation and growth, unlocking the digital economy. It has the potential to create employment, increase user awareness about their privacy, and enforce accountability with data fiduciaries and processors.

Though inspired in part by the EU General Data Protection Regulation, India has ultimately forged its own path toward data protection with several unique provisions: combining personal and non-personal data under the same umbrella, data localization, coverage of hardware devices, managing social media platforms, and more. Though it still has several lacunae, when implemented it will bring India on par with other countries’ strong data protection laws. Companies will do well to start preparing for compliance with the various provisions.

The views and opinions expressed in this document are those of the authors and do not necessarily reflect the official policy or position of the company they work for.

Photo by Srikanth D on Unsplash