Connect with us

Headlines of the Day

12 recommendations by Parl panel PDP Bill report

The Joint Parliamentary Committee (JPC) report on the Personal Data Protection (PDP) Bill, 2019 was tabled in both Houses of Parliament on Thursday.

Congress Member of Parliament Jairam Ramesh extended the JPC report in the Rajya Sabha while BJP MP PP Chaudhary, the chairperson of the panel, tabled the report in the Lok Sabha.

The JPC report, which reviewed the country’s first proposed data protection law, has been tabled two years after it was introduced in the Lok Sabha. Here’s all you need to know about the committee’s report on the bill.

PDP Act to deal with personal and non-personal data
The JPC has recommended that since the Data Protection Authority (DPA) will handle various types of data at various security levels, it will be difficult to distinguish between personal and non-personal data.

The committee has said that the PDP Bill should cover both sets of data till an additional framework is established to distinguish between personal and non-personal data.

“As soon as the provisions to regulate non-personal data are finalised, there may be a separate regulation on non-personal data in the Data Protection Act to be regulated by the Data Protection Authority,” the report said.

Timeline for implementation of act
The committee has advised the government to set a timeline for the implementation of the Act once it has been notified.

The JPC recommended a 24-month period after the notification of the Act for the appointment of the chairperson and members of the DPA.

Impact on social media platforms
The committee has recommended that all social media platforms that do not act as intermediaries be considered publishers and, therefore, be held accountable for the content they host.

A mechanism may be devised by which social media platforms which do not act as intermediaries are held responsible for the content from unverified accounts on their platforms, the report said.

The committee has also suggested that no social media platform be permitted to operate in India unless the parent company in charge of the technology sets up an office in the country.

The JPC has recommended that a statutory media regulatory authority, similar to the Press Council of India, be established to regulate the content on all such media platforms, regardless of whether their content is published online, in print or anywhere else.

Statutory body for media regulation
The committee has said that self-regulation and existing media regulators are insufficient and ill-equipped to regulate the journalism industry.

“The committee has desired that Clause 36(e) may be amended to empower any statutory media regulator that the government may create in the future and until such time the government may also issue rules in this regard,” the report said.

Safety of financial transactions
The committee has expressed concerns about the safety of the SWIFT network, which enables international financial transactions between banks.

It has recommended that an alternative indigenous financial system be developed along the lines of similar systems elsewhere, such as Ripple (USA) and INSTEX (EU), to ensure privacy while also boosting the digital economy.

Regulating hardware manufacturers
The committee has recommended that a new sub-clause 49(2)(o) be added to allow the DPA to regulate hardware manufacturers and related entities.

The committee has urged the government to establish a dedicated lab/testing facility with branches across India to provide certification on the integrity and security of all digital devices.

Data localisation
The central government has been instructed to take protective measures and secure sensitive data in the possession of foreign entities. The JPC has said that a copy of such data must be mandatorily brought to India in a timely manner.

The central government has also been asked to ensure that the new data localisation provisions are followed by all local and foreign entities. The government has been asked to prepare and issue a comprehensive policy on data localisation in the coming days.

On govt surveillance
“The government’s surveillance of data stored in India must be strictly based on necessity as laid down in the legislation,” the report said.

Data breaches
The committee has recommended that clause 25(3) include a 72-hour reporting period for data breaches. The committee wished for specific guiding principles to be followed by the DPA when developing regulations against data breaches.

It has been recommended that the authority ensure the data principals’ privacy is protected. In case the data principal has suffered immaterial or material harm due to delayed reporting, the burden to prove that the delay was reasonable shall lie on the data fiduciary, the report said.

The data fiduciary shall be responsible for the harm suffered by the data principal due to an untimely complaint. Fiduciaries will also have to maintain a log of all data breaches, as per the report.

A data fiduciary shall not retain any personal data for longer than is necessary and shall delete personal data at the end of processing.

Since the government will also become a data fiduciary, in the event of a breach or an offence, the head of the department concerned should first conduct an in-house investigation, the report recommends. This process is intended to determine who was responsible for the particular offence, post which the liability can be decided.

A penalty up to five crore rupees or two per cent of the company’s total worldwide turnover of the preceding financial year will be applicable if any of the following provisions are violated:

  • obligation to take prompt and appropriate action in response to a data breach under section 25
  • obligation to undertake a data protection impact assessment by a significant data fiduciary under section 27
  • obligation to conduct a data audit by a significant data fiduciary under section 29
  • appointment of a data protection officer by a significant data fiduciary under section 30
  • A penalty up to fifteen crore rupees or four per cent of the fiduciary’s total worldwide turnover of the preceding financial year will be applicable in the following cases:
  • processing of personal data in violation of the provisions of Chapter II or Chapter III
  • processing of personal data of children in violation of the provisions of Chapter IV
  • failure to adhere to security safeguards as per section 24
  • transfer of personal data outside India in violation of the provisions of Chapter VII

While clause 32 allows the data principal to file a complaint against the data fiduciary, clause 64 allows the data principal to seek compensation by filing a complaint with the adjudicating officer.

The committee has added that the DPA must forward the complaint or application filed by the data principal to the adjudicating officer for action.

A separate clause in the bill with a marginal heading that reads ‘Right to file a complaint or application’ has been suggested by the committee for the implementation of these propositions. IndiaToday


Click to comment

You must be logged in to post a comment Login

Leave a Reply

Copyright © 2023 Communications Today

error: Content is protected !!