After almost two years of scrutiny, the Joint Parliamentary Committee (JPC) finalised its report on the Personal Data Protection (PDP) Bill, 2019, on Monday. In the meeting chaired by P.P. Chaudhary, the committee called for stricter compliance requirements for companies while tweaking clauses that provide leeway to the government. The committee also recommended that the government should have an upper hand in matters of the legal mechanism that will be set up to safeguard personal and non-personal data.
Key suggestions made by the JPC included data collection of non-personal data by electronic hardware and treating all social media as social media platforms. The committee has also suggested introduction of new provisions to form additional compliances, which includes reporting of data breach by companies within 72 hours, mandatory disclosure of information relating to a data principal (person or entity that owns the data) passed on to someone else, and appointment of senior management personnel as data protection officers, who will also be held responsible for lapses.
Designating social media intermediaries that are governed by IT Rules, 2021, the JPC has suggested to bring them strictly under the ambit of the law. The panel recommended that the social media platforms that do not act as intermediaries should be held responsible for their own contents and be treated as publishers. It said that a statutory media regulatory authority may be formed to regulate contents on such platforms.
The JPC recommended to provide an approximate period of 24 months for data fiduciaries and data providers for the transition of their policies, infrastructure and processes to facilitate the implementation of the new provisions of the law. It said that during these 24 months, phased implementation may be carried out with a set deadline for instituting DPAs, registration of data fiduciaries, adjudicators and appellate tribunals, and so on.
Further, backing the controversial exemption for government agencies to function outside the purview of this law, the panel noted that a secure nation alone provides the atmosphere that ensures personal liberty and privacy of an individual. Clause 35 of the law under “public order”, “sovereignty”, “friendly relations with foreign states” and “security of the state”, exempts government agencies from any or all provisions of the law. Recommending a “judicial or parliamentary oversight” for exempting an agency, members of the committee suggested that “there should be an order in writing with reasons for exempting a certain agency from the ambit of the Bill”.
However, till now seven Members of Parliament from the Congress, the Trinamool Congress (TMC) and the Bharatiya Janata Dal (BJD) have submitted their dissent notes to oppose the JCP report on the Bill. Apart from pointing out several deficiencies in the Bill and the JPC report, the MPs specifically opposed Clause 35. The seven MPs who have submitted their dissent include the Congress’ Jairam Ramesh, Manish Tiwari, Gaurav Gogoi, and Vivek Tankha, the TMC’s Derek O’Brien and Mahua Moitra, and the BJD’s Amar Patnaik.
Opposing the clause in his dissent note, MP Jairam Ramesh stated that it “gives unbridled powers to the central government to exempt any agency from the entire Act itself”. Ramesh also argued that Section 12(a)(I) creates “certain exceptions for governments and government agencies from the provisions of consent”. Posting his note on Twitter, he said, “Governments and government agencies are treated as a separate privileged class whose operations and activities are always in the public interest and individual privacy considerations are secondary.” He added, “The idea that the August 2017 Puttaswamy judgment of the Supreme Court is relevant only for a very, very, very tiny section of the Indian population is, in my view, deeply flawed and troubling and is one that I totally reject.”
Suggesting that the Centre should take Parliamentary approval to exempt any agency, the Congress leader said, “I was willing to compromise provided the JCP had recommended that the reasons for exemption that would be recorded in writing as provided for in the Bill would be tabled in both Houses of Parliament. This would bring greater accountability and transparency, but even that was not found acceptable.”
Another Congress leader Gaurav Gogoi pointed out that there are concerning pointers regarding the Bill like the lack of attention paid to harms arising from surveillance and effort to establish a modern surveillance network, lack of parliamentary oversight, regulation of non-personal data and failure to quantify penalties. MPs Derek O’Brien and Mahua Moitra claimed that the committee has rushed its mandate, giving less time and opportunity to stakeholders for consultation. The TMC leaders said that the committee has failed to introduce proper safeguards to prevent the misuse of the controversial Clause 35. They alleged that the central government would have major involvement in the selection process for the members and chairperson of the Data Protection Authority.
The report and the dissents on the Personal Data Protection Bill will be discussed in the Parliament during the winter session scheduled to start on November 29.