New Delhi: The word ‘personal’ ought to be dropped from the name of the Personal Data Protection Bill, says the parliamentary committee formed to study the upcoming law.
Nearly two years after it was constituted on 11 December 2019, the Joint Committee on the Personal Data Protection Bill, 2019, headed by BJP MP P.P. Chaudhary, presented its final report on the upcoming bill in both Houses of Parliament on 16 December.
On the provision in the bill allowing the central government to exempt any government agency from the legislation, the committee says, it “feel[s] that though the State has rightly been empowered to exempt itself”, that power may be used “only under exceptional circumstances”.
The report is over 500 pages long and discusses 81 recommendations to modify the existing bill, together with more than 150 corrections and improvements.
Important changes the committee suggests to the data bill
The committee has suggested removing the word ‘personal’ from the existing title of ‘Personal Data Protection Bill’. This is intended to reflect that the bill, in order to better ensure privacy, will also be dealing with non-personal data, such as personal data that has been anonymised.
Other salient additions include amending the section restricting the transfer of personal data outside India to say “sensitive personal data shall not be shared with any foreign government or agency unless such sharing is approved by the central government”.
The report explains the amendment by saying, “in order to safeguard the data of Indians and keeping in view the shifting nature of international relations, it is necessary to have a directive in the bill to restrict any country, to which sensitive personal data of Indians would be transferred, from sharing it with a third country or agency, unless such sharing is approved by the central government”.
The penalty for violating this condition would be Rs 15 crore, or 4 per cent of the violating entity’s total worldwide turnover of the preceding financial year, “whichever is higher”. A penalty of this amount was already present for other violations in the existing bill.
At a time when Indian consumer data has reportedly been leaked due to data breaches such as those at Air India and Domino’s India, the committee recommends that any affected company or state entity be required to inform the Data Protection Authority — an agency proposed under the bill — “within 72 hours of becoming aware of such breach”.
The committee also recommends that where applicable, companies or any entity processing personal data (referred to as ‘data fiduciary’) be required by regulations to show their “fairness of algorithm or method used for processing of personal data”.
In a press note, the committee also says that social media intermediaries in many instances also act as publishers, and not just intermediaries where others post content. For example, it argues that social media companies can control who accesses content hosted on the platform, and should thus be considered publishers.
Therefore, the committee suggests that such companies be held accountable for content hosted, just as a publisher would be.
It also recommends that no social media platform be allowed to operate in India unless its parent company, which controls the technology powering its services, sets up an office in the country.
The report also proposes a separate regulatory body to be set up to regulate the media. It says, “the existing media regulators such as the Press Council of India are not appropriately equipped to regulate journalism sector that seeks to use modern methods of communication such as social media platforms or the internet at large”.
“In this regard, the committee feel that there is need for the establishment of a statutory body for media regulation” with respect to data protection, it adds.
(Edited by Rohan Manoj)