Road to data protection law

On Monday, the Joint Parliamentary Committee (JPP) on the Personal Data Protection Bill of 2019 is said to have adopted the final draft. The Bill is slated to be tabled in the Winter Session.

Why does India need a data protection law?
Amid the proliferation of computers and the Internet, consumers have been generating a lot of data, which has allowed companies to show them personalised advertisements based on their browsing patterns and other online behaviour. Companies began to store a lot of these datasets without taking the consent of the users, and did not take responsibility when the data leaked. To hold such companies accountable, the government in 2019 tabled the Personal Data Protection Bill for the first time.

What is said to be in the final draft?
One of the major changes that the final draft of the PDP Bill is believed to have pushed for is to include non-personal data within its ambit, which changes the nature of the Bill from personal data protection to just data protection.

The final draft is also said to have sought additional compliance for companies that deal exclusively with children’s data, by asking them to register with the Data Protection Authority — a regulatory body that will have powers to decide on implementing the law’s various provisions.

A third key aspect that the committee is said to have pushed for is to consider all social media companies as publishers, and to hold them accountable for the content on their platform if they are not acting as intermediaries. It is said to have recommended that no social media company be allowed to operate in India unless the parent company handling the technology sets up an office in India.

Other aspects such as setting up of an indigenous architecture, which can be an alternative to the internationally accepted SWIFT payment system, are also said to have been suggested.

A key suggestion said to be made by the JCP, which also received the most dissent from members, is wide-ranging powers for the government such as exempting any agency from application of the law.

Key terms in data protection

When will it be tabled?
Since the final draft has been adopted by all members of the JCP, it is likely to be tabled during the Winter Session. However, some of the JCP members have dissented to certain aspects, so some changes are possible before the Bill is tabled in Parliament.

How long has it taken to complete the draft?
First proposed by the government in 2018, the Bill has been pending for close to three years now. It has seen several changes to the original draft drawn by retired Supreme Court Justice B N Srikrishna, who has said that the revised Bill was “a blank cheque to the state”.

The Bill, which is said to contain 98 clauses, was referred to the JPC headed by BJP MP Meenakshi Lekhi in December 2019. Lekhi was replaced as chairperson with another BJP MP, P P Chaudhary, earlier this year. The 30-member panel got extensions in March and September 2020 as well as a final extension in February 2021.

Officials from the Ministries of IT, Law and Home Affairs, the Unique Identification Authority of India, National Investigation Agency, Narcotics Control Bureau and the Reserve Bank of India, among others, have deposed before the panel.

From the private sector, executives from Visa, MasterCard India, Google India, PayTM, Facebook India, Twitter India, Amazon Web Services as well as Amazon India, among others, have made submissions to the panel.

What were their submissions?
In their meeting with the JPC, Google’s representatives had said India should avoid making data localisation a requirement, which had upset the members of the committee. Paytm, on the other hand, had said data generated in India should be parked in the country. Cab aggregators such as Ola and Uber, whose representatives appeared before the JPC earlier this month, have supported data localisation norms.

In November last year, before the JPC had started a clause-by-clause consideration of the Bill, several tech policy groups had written to then chairperson Lekhi, seeking wider consultations on the various aspects of the Bill. The committee, however, went ahead with these deliberations.

Companies, tech policy groups and even JCP members had also called for reconsideration of the one-size-fits-all approach based on binary age threshold for children, given the vast geographic and cultural diversity of children across the country and their varying maturity levels and needs.

Companies and policy groups had also expressed apprehensions about the possible inclusion of certain clauses related to non-personal data and had told the JCP that it carried a very high risk of re-identification and may lead to legal complications for stakeholders.

Policy groups had repeatedly objected to the blanket exemptions to the central and state governments along with allied agencies.

“We are hoping that these provisions have been relooked, especially in the absence of a comprehensive surveillance framework, to introduce some element of oversight,” said Kazim Rizvi, founder of public policy group The Dialogue.

Rizvi said that as per the 2019 draft, the Data Protection Authority had been entrusted with a wide variety of functions ranging from standard-setting to adjudication, which would end up “overburdening” the architecture.

“The functional and structural independence of India’s first data regulator is a key aspect considering the crucial role it plays as the mediator between all vested stakeholders that is citizens, businesses and the government themselves,” Rizvi said. Indian Express