Analysis of the report on the Data Protection Bill, 2021 by the Joint Parliamentary Committee

By Krishnamohan Menon

February 12, 2022

On December 11, 2019, the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019 (“JPC”) was established to investigate and examine the Personal Data Protection Bill, 2019. The JPC was supposed to give its report to Parliament during the 2020 Budget Session, but after receiving a two-year extension, the JPC tabled its report in both houses of Parliament on December 16, 2021.

The JPC report includes a list of policy recommendations, an examination of key sections of the 2019 Bill, and a draft bill titled the Data Protection Bill, 2021, among other things. The JPC report focused on answering questions and clarifying issues relating to public policy concerns about data protection in India, as well as making recommendations in that regard while taking into account the Honourable Supreme Court’s decision in Justice K.S. Puttaswamy (Retd.) v. Union of India and the Justice B.N. Srikrishna Committee’s recommendations.  Read on to find out the recommendations provided by the JPC on the PDP Bill.

One of the JPC’s first recommendations is to alter the bill’s name from ‘Personal Data Protection’ to ‘Data Protection,’ because it is impossible to distinguish between personal and non-personal data, and thus it is necessary to have a single law that covers both datasets. But the stakeholders are concerned that integrating both personal and non-personal data in the same legislation may weaken the PDP Bill’s goals, which were to provide a framework for personal data protection.

According to the PDP Bill, only members of the Ministry of Legal Affairs and the Ministry of Electronics and Information Technology were allowed to participate in the DPA selection process. However, the Report recommends that the DPA selection committee should include more technical, legal, and academic expertise, as well as the bureaucrat officers who make up the selection committee. As all members of the selection committee are nominated at the Central Government’s request, the DPA members will be indirectly in control of the Central Government.

According to the report, social media intermediaries should be scrutinized more strictly. The Report recommends that all user accounts on social media intermediaries should be verified in order to combat the threat of fake news and accounts. Further, the report suggests that social media intermediaries be recognized as “publishers” in certain circumstances, particularly when it comes to content from unverified accounts. Furthermore, it has been suggested that no social media platform should be permitted to operate in India until the parent company behind the technology establishes an office in the country.

With the object of protecting the national interest, the PDP Bill granted the government an exemption for compliance with the proposed legislation. The Report adds restrictions to this exemption, recommending that the government only be exempted from the provisions after following a fair, just, reasonable, and proportionate method. This is in keeping with the Supreme Court’s ruling in the Right to Privacy Case, which established the legality, legitimate goal, proportionality, and procedural safeguards that must be met for the government to infringe on people’s right to privacy under the exemptions available to it.

Companies must report personal data breaches when they cause harm to the data principal, according to the PDP Bill. In addition, the Report not only compels the keeping of a log of all types of data breaches, regardless of whether the breach involves personal or non-personal data, and regardless of the possibility of harm to the data principal, but also sets a 72-hour reporting deadline for such breaches. As a result, in addition to reporting obligations for personal data breaches, the keeping of a log will be required for both personal and non-personal data, and will not be contingent on the data principal suffering any harm.

The PDP Bill included special safeguards for the protection of children’s data. The notion of a guardian data fiduciary was described in the PDP Bill as a data fiduciary who maintains commercial websites or online services aimed towards children or processes vast amounts of personal data about children. The PDP Bill exempted such a guardian data fiduciary from taking approval of the child’s parent or guardian. However, the Report recommended that the concept of a guardian as a different class of data fiduciary should be eliminated,  because it may undermine the goal of protecting children. Further, the Report recommends that all data fiduciaries should be prohibited from profiling, tracking, or behavioral monitoring of children, or targeted advertising intended at children, as well as processing personal data that may cause serious harm to children. Previously, this bar only applied to guardian data fiduciaries.

While measures for data localization were previously included in the PDP Bill, the JPC has strongly recommended that all data be stored in India for national and security considerations. According to the report, the government should bring back mirror copies of all sensitive and vital personal data that is now housed outside of India, and all organizations operating in India should gradually move toward data localization. In addition to data localization, the Report recommends that the Central Government should draft a comprehensive data localization policy aimed at developing adequate infrastructure for local data storage and aiding start-ups in complying with localization requirements, all while keeping the Government’s ‘ease of doing business’ objectives in mind.

Several members of the Lok Sabha have dissenting opinions against the Report’s recommendations. The following are the key issues about the Report’s recommendations and the proposed “Data Protection Bill”:

While the JPC Report and the 2021 Bill are positive steps forward towards addressing various difficulties that people face in today’s digital world, they have also been faced with criticism. Critics of the 2021 Bill believe that in its current form, the bill is prone to be misapplied by the state, jeopardizing people’s fundamental rights. Privacy and data protection assume primacy in the digital era, and both must be protected to the same extent. The way the powers provided in the 2021 Bill are used will determine whether they are necessary for state function or whether they leave digital data rights unsecured and diminish the code’s aim.

Krishnamohan Menon is Managing Partner, Mimansa Law Offices

Disclaimer: The views or opinions expressed are solely of the author.