Platforms as publishers, penalties, checking electronic hardware may figure in draft data Bill

Widening the ambit of the Personal Data Protection Bill to include non-personal data and data

Widening the ambit of the Personal Data Protection Bill to include non-personal data and data collection by electronic hardware, and treating all social media as social media platform, are among key suggestions believed to have been pushed by the Joint Committee of Parliament (JCP) after almost two years of scrutiny.

The final set of recommendations of the committee and dissent notes by half-a-dozen members from Opposition parties are likely to be tabled in the coming winter session of Parliament.

Chaired by P P Chaudhary, the JCP met Monday to adopt recommendations on the Bill that will have a bearing on the flourishing digital economy in the country.

The JCP is believed to be in favour of widening the ambit of the legislation to include not just personal data but non-personal data as well. The proposed Data Protection Authority (DPA), it believes, should be a larger umbrella to handle non-personal data as well. And for this, the JCP feels that further policy/legal framework on non-personal data in future should be made part of this legislation, and not a separate legislation. Apart from other industrial databases, the non-personal data will also include anonymised personal data under the proposed changes.

Apart from the digital/software companies, the JCP is believed to have favoured bringing data collection by electronic hardware (telecom gears, IoT etc) under the ambit of this law itself. The legislation, as introduced, does not have any provision to keep a check on hardware manufacturers that collect data through digital devices. Given this backdrop, the JCP is believed to be in favour of suggesting incorporation of new clauses in the legislation that will allow DPA to frame regulations towards data handling by hardware manufacturers and related entities.

This, in a way, will allow DPA to create a framework providing for monitoring, testing and certification to ensure integrity of hardware equipment to guard against any seeding that may lead to breach of personal data.

Bringing all social media intermediaries (governed by IT Rules) tightly under its ambit by redesignating them as social media platforms is believed to be another JCP wish. Likewise, it is believed to have favoured that all social media platforms (which do not act as intermediaries) be treated as publishers and be held accountable for the content they host. For them, the committee is believed to have suggested that a statutory media regulatory authority may be set up for regulation of content on such platforms.

Explained

Guarding digital privacy

The Bill was introduced in the wake of the country’s flourishing digital economy and the SC declaring privacy as a fundamental right in 2017. The legislation seeks to safeguard digital privacy of individuals and provide a rule-based framework for the digital economy.

The committee, however, is learnt to have favoured granting exceptions to smaller firms about the principle of privacy by design envisaged in the legislation. For this purpose, the DPA may be vested with some avenue to make regulations to grant exceptions to data fiduciaries below a certain threshold with a purpose to not hamper the growth of firms that can be classified under MSMEs.

It is believed that the JCP has considered recommending an approximate period of 24 months be provided to data fiduciaries and data processors towards transition of their policies, infrastructure and processes for the implementation of the provisions of this law after its notification. During this period, a phased implementation is proposed with set deadlines for instituting DPA, registration of data fiduciaries, adjudicators and appellate tribunals etc.

The JCP is also believed to have favoured a specific timeline for the data fiduciaries to report data breach with 72 hours being considered a realistic and finite timeframe.

The committee, however, was believed to be against informing every odd and sundry data breach to the data principal by the data fiduciary. Instead, it was considering the recommendation that the DPA must first of all take into account the personal data breach and the severity of harm before directing a data fiduciary to inform data breach to individuals.

The committee is believed to have favoured a more exhaustive definition of a consent manager and recommended that the definition of harm should include psychological manipulation which impairs autonomy of a person.

While several members of the committee belonging to Opposition parties have submitted dissent notes to provisions that appear giving an easy pass to the government, the committee was believed to be agreeable to an enhanced role of the Central government in matters like transfer of data outside the country and issue directions to the DPA other than policy as well. While this will allow the government to give directions to the DPA, the committee was believed to be of the view that the government’s directions to DPA should be disclosed in annual reports.

It is believed to be of the view that the Central government must ensure that data localisation provisions under this legislation are followed in letter and spirit by all local and foreign entities and India must move towards data localisation gradually once the proper infrastructure and establishment of Data Protection Authority is completed.

The issue of penalties in case of violations is believed to have been a bone of disagreement among members of the committee.