India’s proposed data protection regulations have been in the making for quite a long period of time. In 2018, an advisory group of specialists comprised by the Government provided the first draft of a proposed regulation on data protection. In the late 2019, a re-examined interpretation of the draft, the Personal Data Protection Bill, 2019 (PDP Bill) was presented in the Indian Parliament.
The PDP Bill was surrounded by discussions, particularly on exclusions that were at the expense of the Government offices, the treatment of anonymized information, data localization prerequisites, and regulation of cross boarder transferring of information. For a much profound assessment of the proposed regulation, the draft was alluded to a Joint Parliamentary Committee (the Committee) that was constituted of members from both the Houses of the Parliament.
On December 16, 2021, the Committee introduced the “Report of the Joint Committee on the Personal Data Protection Bill, 2019” (the Report) to the Parliament. The Report considerably comprised of the Committee’s general suggestions on the PDP Bill and a changed draft of the said bill.
Presently alluded to as the Data Protection Bill, 2021 (the Bill), the amended draft regulation contains the base on which the previous bills were drafted – i.e., it aims to safeguard the advanced security of the citizens and form a relationship of trust among people and the different elements handling their information.
JOINT PARLIAMENTARY COMMITTEE: KEY RECOMMENDATIONS
The PDP Bill was introduced with the goal of opening the information economy and giving assurance to protect every individual’s information. Nonetheless, the PDP Bill was not enacted as there were several concerns regarding the provisions of the PDP Bill. Subsequently, the Committee was set up with the goal of analyzing and providing suggestions with regards to the PDP Bill.
The Committee delivered its Report in December, 2021 and incorporated specific provisions that accentuated laying down stricter compliances for the organizations and implementing higher commitments on the public authority offices. The Report additionally modified the title of the PDP Bill and renamed it “The Data Protection Bill, 2021”.
On conducting research, the Report concluded that public authority expects to obtain an order control model of regulation to manage a steadily developing technological ecosystem.
The Committee has recommended the inclusion of non-personal data (NPD) within the ambit of the Bill. It is pertinent to note that even though the Report has proposed the inclusion of NPD within the ambit of the Bill, the Report does not have any regulations pertaining to the same just yet.
The Committee has stated that the regulations pertaining to NPD shall be incorporated later within the law. In the even NPD is incorporated in the law, the corporate entities and foreign companies shall have to restructure their data privacy management system completely.
The Committee has picked a stricter way to deal with data localization by suggesting that all the information of the citizens should be kept inside the territorial lines of the country.
The Committee has recommended that the Government should ensure that a mirror copy of all the sensitive personal data and other critical data stored abroad is brought back to the country.
Data localization will impose stringent restrictions on transfer of data outside the national borders. This measure shall aid in safeguarding the data of the citizens and prevent unauthorized or unnecessary transfers outside the country.
Reporting of Data Breach
The Committee has suggested amendment of the term ‘harm’ as provided in the PDP Bill and now shall include “psychological manipulation along with the loss of reputation or any kind of financial loss”. The Report makes it mandatory to report any data breach, irrespective of the quantum of harm cause and stipulates a cutoff time of 72 hours for notifying about the breach to the Data Principals.
Post the enactment of the Bill, frameworks and regulations should be adjusted to fulfill the time constraint and negate any potential penalties. Data Fiduciaries should embrace a preventive approach instead of mitigatory methodology.
OTT Platforms and Social Media
Perceiving and embracing the word ‘platform’ rather than ‘intermediary’, the Committee has suggested that these platforms should take noteworthy responsibility for handling of data from their end and be answerable for the content they post from any unverified accounts.
Additionally, the Committee has recommended that no social media platform will be allowed to operate in the country unless the respective parent company sets up an office in India, physically.
Data Protection Officer
The Report stipulates the mandatory appointment of a Data Protection Officer (DPO) for all prominent Data Fiduciaries. The Committee recommended that only a person who is a Key Managerial Personnel in an organization should be appointed as a DPO in order to ensure smooth functioning.
Processing of Personal Data and Sensitive Personal Data of Children
The Committee has fixed the age of consent as 18 years under the Bill. The Committee has suggested that the Data Fiduciary handling any information pertaining to minors ought to guarantee that they acquire assent from guardians and from the youngsters themselves three months before they turn 18 years of age.
This suggestion successfully puts a higher commitment on all Data Fiduciaries to execute unique controls by acquiring guardian consent, track it to maturity i.e., 18 years and revalidate with the Data Principal.
Composition of Data Protection Authority
India’s information security authority also known as the Data Protection Authority (DPA) is visualized under the proposed Bill and has been endowed with the pivotal obligation of safeguarding and controlling the utilization of personal data or information of citizens.
The DPA should act as a barrier against unlawful and illicit utilization of such personal data of the citizens. Given its vital job, the DPA isn’t just a financial or sectoral controller, but has greater responsibilities.
It is pertinent to note that any data protection body should be bounteously autonomous, particularly in the way of arrangement of its individuals, states of their administration and the way of their expulsion.
The proposals given by the Committee permit space for wary idealism. India needs a nuanced and comprehensive administrative way to deal with the data collection that happens in bulk within the corporate entities while supporting the country’s information driven monetary development.
Planning and creating protection control systems covering security administration, information boards, cross-line information streams, security by plan and default spaces are supposed to convert into critical additions at the consistence stage.
The PDP Bill and the Bill provide an efficient approach for assortment and handling of individual information in the era of Digital India.
The Bill is expected to be enacted by this year and only time will tell how efficient the application of the Bill is and how it reforms the data protection measures within corporate entities and multinational conglomerates.
-Team AMLEGALS assisted by Ms. Amrita Ghosh (Intern)
For any queries or feedback, please feel free to get in touch with firstname.lastname@example.org or email@example.com.
Leave a Reply