An initial reading of the Joint Parliamentary Committee (JPC) report on the Personal Data Protection Bill 2019 submitted last week suggests that the industry will have to contend with a more fragmented and overbearing regulatory framework than was proposed in the previous Data Protection Bill (PDP Bill). The report is a significant step as India aims to enact a dedicated data protection law, which has been nearly four years in the making.
For the Narendra Modi government, data security is a high priority area and the report recommends that it bring back mirror copies of sensitive and critical data from abroad. It also retains the PDP Bill’s focus on data localisation, and stresses the need for the government to frame an extensive policy on the same.
The regulation of social media intermediaries and the need to hold them more accountable is another prominent theme in the report. It suggests treating such platforms as publishers of content and also recommends the establishment of a statutory media regulatory authority along the lines of the Press Council of India (PCI). The media had widely reported this recommendation and thrown many companies in a tizzy.
Thankfully, this did not translate into amendments in the Bill because the JPC rightly said that the current legislation is about the regulation of personal data, not social media.
JPC recommendations for social media companies
There are, however, enough reasons for companies to be circumspect. Currently, social media companies that primarily enable online interaction between users are regulated as “social media intermediaries” by the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, which have been framed under the Information Technology Act 2000. The use of the term “intermediaries” is significant because, under the IT Act, such entities are not liable for user-generated content provided they meet certain conditions under the law. The JPC’s report has sought to substitute the term “intermediaries” with “platforms”, to signal that such entities can be treated as publishers and be liable for the content they host. However, as we have pointed out earlier, substantial recommendations on the liability of social media platforms are out of place in a data protection law, whose primary purpose is to protect the rights of individuals over their data. A more appropriate way to address concerns over the liability of social media companies may have been to contribute to ongoing deliberations over reforming the IT Act. Further, if the report’s recommendation to treat social media companies as “platforms” rather than “intermediaries” is retained, it could lead to a conflict in the interpretation of their liability under the IT Act.
The amended Bill gives the central government more power to make key decisions on many aspects. For example, one of its provisions gives wider powers to the Centre to exempt any of its agencies from Bill’s application on grounds such as the sovereignty and integrity of India, the security of the State, public order, and others. Congress leaders Jairam Ramesh and Manish Tewari, who were members of the JPC, expressed their dissent against this clause. The Bill also gives the central government considerable power over cross-border transfers of certain categories of personal data.
Protectionist lens of the amended Bill
The amended Bill also contains a protectionist lens in some places, which is evident from provisions related to cross-border transfers. The Bill requires the Data Protection Authority (DPA) to consult with the central government before approving any such transfer, which was not the case under PDP Bill 2019. The DPA will now be bound by the direction of the central government in the exercise of its functions in all cases, and not just on questions of policy. Such provisions could lead to considerable executive influence over business decisions and increased friction in data flows due to uncertainty. In some places, the JPC has tried to allay concerns of excessive executive power. For example, it has recommended the appointment of independent members like domain experts and Directors from the Indian Institute of Technology and the Indian Institute of Management, to the DPA’s Selection Committee. While this is an improvement from the PDP Bill 2019, which only required bureaucrats to be on the Committee, even these independent members will be nominated by the central government.
The implementation of the Bill can affect commercial operations as it creates tension between privacy and competition. The data portability clause allows consumers to port inferred data from one online service provider to another. These inferences are of immense value to businesses and may involve companies’ analyses about behaviours, interest or attributes of people. The Bill throws up intellectual property (IP) rights concerns, too, as it prohibits companies from objecting to such transfers by claiming the protection of trade secrets. On the other hand, Singapore’s Personal Data Protection Act excludes personal data derived by an organisation. The company has the option not to transmit personal data if it reveals confidential commercial information that can harm the competitive position of the organisation. Even the European Union’s data protection law, the GDPR, leaves out inferred data and covers only the data that is provided by consumers. Other forms of commercial complications may arise as the Bill also demands algorithmic transparency in some cases. This can promote trustworthiness but will be a tricky provision to navigate as algorithmic transparency can interfere with IP rights.
Other causes for concern
Other areas in the Bill also create some cause for concern, as they deviate from international practises and have significant implications for service providers and users alike. One of them is related to the processing of children’s personal data. Several countries have adopted a graded approach by recognising differing maturity levels among children. The United States requires parental consent only below the age of 13, while the EU suggests an age range of 13-16 years. In contrast, the amended Bill retains the approach adopted under the PDP Bill 2019 and requires parental consent for any person under the age of 18. Several stakeholders have argued for the need for a more nuanced approach regarding the age of consent. The JPC’s approach may erect significant barriers to the development of innovative online services.
The second issue relates to non-personal data under the Data Protection Bill. The JPC has recommended regulating both personal and non-personal data under one law to protect privacy, streamline regulation and ensure simplicity. No other data protection law in the world regulates both these kinds of data under the same framework. Further, any framework on non-personal data will have to address aspects such as the interplay between personal and non-personal data, the risks associated with non-personal data, and clarify obligations for businesses. However, the JPC’s report has not delved into much detail.
The JPC report comes at a time when India is deliberating a new governance framework for the flow of information on social media. The digital landscape is rife with tension and companies are waiting for regulatory clarity to structure their businesses. In this state of flux, JPC’s report only creates more confusion rather than clarity.
The authors work at the Koan Advisory Group, a technology policy consulting firm. Views are personal.
This article is part of ThePrint-Koan Advisory series that analyses emerging policies, laws and regulations in India’s technology sector. Read all the articles here.
(Edited by Srinjoy Dey)