The Joint Parliamentary Committee (JPC) recently submitted its report to the Parliament on the Personal Data Protection Bill, 2019 . With that, the JPC also presented a revised bill i.e. the Data Protection Bill, 2021 (Bill). This was after a deliberation of almost 2 years by the JPC, during which time the businesses and civil society were all getting anxious on the outcome of such a long deliberation period. It is undeniable that at this hour, India needs a comprehensive data protection legislation if it aims to harness the growth of digital economy. The draft Bill is expected to be laid down before the Parliament for its passage soon, but in its existing form there are a number of uncertainties on key issues. This article is an attempt to set out a brief analysis of the hits and misses of the JPC and the way forward for businesses.
Hits and misses
Non-personal data – Half legislation? The JPC has included non-personal data within the purview of the Bill. It recommends that as soon as the provisions to regulate non-personal data are finalised, there may be a separate regulation on non-personal data in the Data Protection Act. The inclusion of non-personal data at this stage is perhaps a bit premature for India especially for the business ecosystem here. Businesses have been shaken with the news and are grappling to understand the nuances of this inclusion. A better solution in this regard could be to have a single regulator (i.e. the Data Protection Authority) which could be the regulator for the presently crafted personal data protection law and, subsequently, also the regulator for the non-personal data law that is to be crafted in future.
Clarity on implementation – Much needed: Business organisations will now have a period of 24 months from the date of enforcement of the law for transitioning. This provides them the much-needed room to realign their internal practices and policies.
Cross-border data transfers and localisation – A right approach? The JPC has recommended that the Data Protection Authority should ensure consultation with the Central Government for granting approval to the cross-border transfer of sensitive personal data either through contract or an intra-group scheme or transfers for specific purposes. Additionally, such contract or an intra-group scheme should not be approved if it is against “public” or “State” policy. It is likely that the process for approval of cross-borders transfers will become cumbersome with the involvement of the Central Government. Further, the JPC has recommended that the Central Government should ensure that a mirror copy of the sensitive personal data and critical personal data stored abroad is brought back to India. While the thrust on localisation in the absence of adequate infrastructure in India may hurt businesses of all stature, it may prove to be beneficial in the longer run.
Processing children’s personal data: The JPC has accorded due importance to protection of children’s privacy in the digital world. It has recommended that a data fiduciary (akin to data controller) must verify the age of the child and obtain the consent of child’s parent or guardian. It also recommends that a data fiduciary should inform the child 3 months before attaining majority (i.e. 18 years) for providing fresh consent. Further, in terms of the Bill, all data fiduciaries are now barred from profiling, tracking, behaviourally monitoring children and their data, or targeting advertisements at children, or processing any personal data that can cause significant harm to the child. As a consequence, all data fiduciaries, irrespective of their level of engagement with children or children’s offerings will have to verify the age of its users and it has the potential to age gate the internet. Additionally, children-centric businesses will have to devote considerable resources towards ensuring compliance with the Bill.
Social media platforms – Legitimate concern, wrong place: To counter problems like prevalence of fake accounts, propagating hate speech, etc., the JPC has recommended that social media platforms must set up an office in India and they will be held accountable for the content they host from unverified accounts. This may be considered by social media platforms as a hindrance to the safe harbour provisions that are prevalent today. While the concern relating to social media may be well founded, however the JPC may not have taken the correct approach to address this concern in a data protection law.
There are several other recommendations that the JPC has proposed, which are improvements to the previous iteration of the Bill. In its previous iteration, the Bill mirrored a broad consensus on the key issues concerned with regulation of personal data. However, the JPC has opened the floodgates for businesses with the inclusion of aspects such as non-personal data, social media regulations and other non-contextual issues, in what was expected to lay down a basic framework for regulation of personal data. Despite all these hits and misses, businesses are now eagerly looking forward to the last mile that is to be covered by the Bill. It is expected that this umbrella legislation on data protection would soon be debated in the Parliament and rolled out as a landmark global gold standard law.