The Personal Data Protection framework in India was the brought after Indian Supreme Court landmark decision in K.S. Puttaswamy vs. UOI, 2017 which declared the right to privacy as fundamental right and recommended the government of India to come up with a data protection framework to safeguard the data of the citizens in the cyberworld and protect their privacy thereby. Subsequently, a ten-member expert committee was constituted by the Government to draft a Personal Data Protection law headed by Justice B.N. Srikrishna. The report on the same was laid down by the committee in August, 2018. After deliberate discussions, on December 11, 2019 the Personal Data Protection Bill, 2019 (herein referred after as PDPB, 2019) was first introduced in the Lok Sabha by Mr. Ravi Shankar Prasad (then Law Minister). Though the bill was criticized by the various stakeholders and Justice Srikrishna himself. Now, almost after two years, on 16th December, 2021, the Joint Parliamentary Committee headed by Hon’ble Member of Lok Sabha P.P. Chaudhary proposed its recommendation and suggestions on the PDPB, 2019.
Following are the key recommendations & suggestions of the Joint Parliament Committee on the PDPB, 2019 –
- Bill to cover both personal and non-personal data – First and foremost, the committee recommended the scope of the bill should be broadened to include both personal and non-personal data. The right to privacy should not only be restricted to personal data but also to non-personal data it is impossible to distinguish between personal and non-personal data when the mass data is collected or transported.
- Procedure for consent mechanism for children after majority – Regarding the processing of personal data and sensitive personal data of children, the committee suggested mentioning a set procedure that needs to be followed regarding delineating the options to be made available to the child at the stage when he or she attains the age of majority. The committee believes that it is necessary to provide rules or guidelines to be followed by the data principal regarding consent when a child attains the age of majority.
- Social media platforms as publishers– The committee recommended that the social media platforms which do not act as intermediaries should be treated as publishers and be held accountable for the content they host. If any social media platform doesn’t come under the term ‘intermediary’, it will be held responsible for the content from unverified accounts on its platforms.
- Regulating hardware manufacturers– Committee viewed that there is a global spread of manufacturing, hence it is essential to regulate hardware manufacturers who are collecting data along with the software. For this, the Data Protection Authority should frame regulations to regulate hardware manufacturers and related entities. It also recommends that Government should make efforts to establish a mechanism for the formal certification process for all digital and IoT devices that will ensure the integrity of all such devices with respect to data security.
- Data Localization – The committee showed concern regarding the cross-border transfer of Indian data and said that it can’t be compromised on the ground of the promotion of businesses. It suggests ensuring a replica of the sensitive and critical personal data should be maintained which is already in possession of the foreign entities.
- Right to be forgotten – The committee recommended broadening the scope of the right to be forgotten. Hence the data principal shall have the right to restrict or prevent not only the continuing disclosure but also processing of his personal data where such disclosure or processing has served the purpose for which it was collected or no longer in use for the purpose of which it was collected; consent is withdrawn by the data principal; was made contrary to the provisions of the act or any other law for the time being in force.
- Posthumous rights of a data principle – The committee observed the rights of a deceased data principle over his data and recommended including a provision that empowers the data principal to exercise his or her rights to decide how his or she dealt has to be dealt with in case of casualty/death. The options suggested by the committee are –
a. To nominate a legal heir or a legal representative as his nominee;
b. To exercise the right to be forgotten; and
c. To append the terms of the agreement. - Reporting data breach – The committee recommends that any data breach should be reported within 72 hours to the Data Protection Authority by the companies.
- Data Protection Officer – The conditions for the data protection officer laid down in the bill mention that every data fiduciary has to appoint a data protection officer who should be based in India and represent the data fiduciary in the country. The committee suggested adding specific qualifications or positions of the officer in the company. The position implies a senior level officer in the State or key managerial personnel in relation to a company such as the Chief Executive officer or the Managing Director or the Manager; Company Secretary; the whole-time Director; the Chief Financial Officer or such other personnel as may be prescribed.
- Penalty– The committee suggests empowering the Central government to prescribe penalties by way of making rules. Though the penalty cap remained untouched as before, i.e. Rs 15 Crores or 2-4% of companies’ worldwide turnover.
- Single window for deciding claims and compensations – The committee recommends a single methodology to decide the course of action on the filing of complaints or applications. It should be the responsibility of the Data Protection Officer to establish such a window and the data protection officer shall forward the complaint or application filed by the Data Principal to the Adjudicating Officer for adjudicating.
The Joint Parliament Committee Report on the PDPB, 2019 is an approximate 540-page comprehensive piece of work. The committee has evaluated the PDPB, 2019 clause by clause, and provided its expert comments on every point. In the future, we are yet to see how much of the recommendations shall be considered and accepted and inculcated in the Act. The wait is not yet over for India for a Data Protection regulation to be in action.