India’s data protection Bill

• IAS NEXT, Lucknow
• 20, Dec 2021

Context:

Nearly two years after it was constituted on 11 December 2019, the Joint Committee on the Personal Data Protection Bill, 2019, headed by BJP MP P.P. Chaudhary, has presented its final report on the upcoming bill in both Houses of Parliament on 16 December.

Key recommendations:

1. Remove the word ‘personal’ from the existing title of ‘Personal Data Protection Bill’. This is intended to reflect that the bill, in order to better ensure privacy, will also be dealing with non-personal data, such as personal data that has been anonymised.
2. Amend the section restricting the transfer of personal data outside India to say “sensitive personal data shall not be shared with any foreign government or agency unless such sharing is approved by the central government.
3. No social media platform be allowed to operate in India unless its parent company, which controls the technology powering its services, sets up an office in the country.
4. It proposes a separate regulatory body to be set up to regulate the media.
5. Jail term of up to 3 years, fine of Rs 2 lakh or both if de-identified data is re-identified by any person.
6. The word ‘personal’ ought to be dropped from the name of the Bill.
7. Central government may exempt any government agency from the legislation only under exceptional circumstances.

How do these recommendations compare with EU regulation?

• The JCP recommendations on the Personal Data Protection Bill are in some aspects very similar to global standards such as European Union’s General Data Protection Regulation.
• Similarities:
• Consent: Users must have informed consent about the way their data is processed so that they can opt in or out.
• Breach: Authorities must be notified of a breach within 72 hours of the leak.
• Transition period: Two-year transition period for provisions of GDPR to be put in place.
• Data fiduciary: Under EU law, a Data fiduciary is any natural or legal person, public authority, agency or body that determines purpose and means of data processing. In India, it also includes NGOs.

The committee has recommended the formation of a Data Protection Authority (DPA):

The Data Protection Authority (DPA) will be dealing with privacy and personal data as well as non-personal data.

Composition of DPA: The Chairperson and the members of the DPA shall be appointed by the Union government based on the recommendation of a selection committee chaired by the Cabinet Secretary.

• Other members of the committee would be the Attorney General of India, the IT and law secretaries.
• Nominated members: An independent expert and a director each from the IIT and the IIM will be nominated by the Centre.