New Delhi: Changing the name of the data protection bill, regulating non-personal data, treating social media platforms as publishers, and including data collection by electronic hardware — these are some of the changes the Joint Committee of Parliament (JCP) on the Personal Data Protection Bill 2019 has reportedly suggested.
According to reports in The Indian Express and The Economic Times, among other media outlets, the committee is expected to submit its report in the last week of the ongoing winter session of Parliament, after receiving its sixth extension Wednesday.
The ongoing session of Parliament ends on 23 December. The committee’s recommendations are not binding.
The report will be tabled for discussion, after which the bill will be reintroduced in the House.
The 2019 bill was introduced in the Rajya Sabha by the then Union Minister of Electronics and Information Technology, Ravi Shankar Prasad, on 11 December 2019. It was referred to a joint parliamentary committee the same day.
The aforementioned media reports also dwelt on the recommendations the panel has arrived at. Here is what the new data protection bill is likely to look like if the panel’s recommendations are accepted.
What is personal, non-personal data?
According to reports, the panel is in favour of widening the ambit of the legislation to include not just personal data, but non-personal data as well, and allow the Data Protection Authority (DPA) — an independent public authority to be created by the law, which would monitor its implementation — to handle both categories of data.
Non-personal data is expected to include industrial databases and anonymised personal data as well.
Now, the 2019 bill defines ‘personal data’ as any data that may contain any characteristics or traits of a person and can be used to identify them. It also defines ‘sensitive personal data’, which includes financial data, health data, data on sexual orientation and activity, biometric data, genetic data, data on transgender status, intersex status, caste or tribe, and religious or political belief or affiliation.
‘Non-personal data’ is usually any set of data that does not contain personally identifiable information. It also includes data which used to be personal data, but which has been ‘anonymised’, to remove information in a way that the person to whom the data relates cannot be identified. Usually, any data that does not come under the definition of personal data is non-personal data.
For instance, when ordering groceries online, the delivery service will have data like the name, age, gender and other information on the person making the order. However, this set of data becomes non-personal if identifiers of the individual, like the name and contact information, are removed. Non-personal data could also include anonymised data of land records or vehicle registration or traffic challans.
‘Data protection bill’
While the 2019 bill exclusively focused on personal data, it did talk about non-personal data. Section 91(2) allowed the central government to direct any data fiduciary or data processor to provide it with any anonymised personal data or other non-personal data.
This would need to be done in consultation with the DPA, to “enable better targeting of delivery of services or formulation of evidence-based policies by the Central government”.
The user or the person to whom the data in question belongs is the data principal. The data fiduciary is the entity that controls the storage of this data, as well as defines the purpose and the ways in which the data can be processed. A data processor is any entity that processes the data collected by a data fiduciary.
So, for instance, when you use any mobile app, you are the data principal, the app is the data fiduciary and any advertiser processing your data from the app would be the data processor.
This isn’t the first time that regulation of non-personal data is being looked into. In September 2019, the Ministry of Electronics and Information Technology (MeitY) had appointed a committee of experts chaired by Infosys co-founder Kris Gopalakrishnan to recommend a framework to regulate non-personal data in India.
This committee has since submitted two reports, one in July 2020 and another in December 2020. The second report had also favoured an amendment in provisions of the 2019 bill that mention non-personal data, “in order to ensure that the two frameworks are mutually exclusive yet work harmoniously”.
Now that the JCP has recommended including non-personal data in the 2019 bill, it has also recommended that the legislation be called the ‘Data Protection Bill 2021’.
More liability for social media platforms?
As for social media intermediaries currently governed by the Information Technology Rules 2021, the Indian Express report suggests that the proposal envisages redesignating social media intermediaries as social media platforms, and treating such platforms as publishers to hold them accountable for the content they host.
Under the new IT Rules 2021, social media intermediaries include telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines like Google, online payment sites, online-auction sites, e-commerce platforms like Amazon and Flipkart, and platforms such as Facebook, Twitter, Blogspot and WordPress.
Currently, Section 79 of the Information Technology Act (IT Act) provides intermediaries, including social media intermediaries, protection against liability for content posted on their websites by third parties, including users. It codifies the ‘safe harbour’ regime, granting them protection from legal liability for anything illegal that their users do, as long as these intermediaries follow certain due diligence directions such as adhering to the government’s content takedown requests.
Meanwhile, actual publishers, like newspapers, are responsible for the content they host. The idea is that publishers have direct control over the content that they host.
So for instance, in a defamation case, if the allegedly defamatory content is a newspaper article, then the newspaper itself, along with the author of the article, can be held liable for it.
However, if it is a case of an allegedly defamatory Facebook post or a tweet, then it is usually just the user who can be held guilty for it, as long as the social media intermediary can show the court that it was merely acting as a facilitator and played no role in initiating or modifying the content, and that it adhered to the due diligence requirements.
At first glance, the committee’s recommendations now seem to be pushing for more liability for social media platforms. The committee has recommended formation of a separate statutory media regulatory authority for regulation of content on such platforms.
The 2021 IT Rules tried to do a similar thing by saying that if any intermediary fails to comply with the guidelines, the provisions of Section 79(1) of the Information Technology Act 2000 shall not apply to such an intermediary, making them liable for punishment under any law in India, including criminal prosecution under provisions of the IT Act and the Indian Penal Code.
However, the Rules are under challenge in at least 17 petitions filed across the country in the high courts of Kerala, Delhi, Karnataka, Madras, Calcutta and Bombay, challenging different provisions of these rules.
Would you know if there’s a data breach?
The committee also wants the DPA to frame regulations for data collection by electronic hardware, including telecom gear, Internet of Things (IoT) devices, etc.
Anything that can connect to the internet is an IoT device. So it includes smartphones, laptops, tablets, fitness watches, cybersecurity scanners, smart home devices, air quality sensors, smart traffic lights, and a host of other such devices that collect large volumes of personal data.
Further, the committee has favoured a 72-hour time-frame for data fiduciaries to report a data breach. It has also recommended that the definition of ‘harm’ should include psychological manipulation that impairs the autonomy of a person.
The 2019 bill required data fiduciaries to inform the DPA of any breach of personal data only where such a breach is likely to cause harm to the data principal. The bill defined ‘harm’ to include financial loss, loss of reputation or withdrawal of a service.
Privacy by design
Additionally, the committee has favoured granting exceptions to smaller firms from the principle of ‘privacy by design’ — a set of good practices based on some ‘foundational principles’.
The DPA could, therefore, grant such exemptions to data fiduciaries below a certain threshold, so as to not hamper the growth of firms that can be classified under MSMEs.
The 2019 bill required every data fiduciary to prepare a privacy-by-design policy, declaring the systems that the fiduciary has put in place to avoid harm to users, its obligations, the technology it uses to process personal data, and the protection of privacy at every stage, from collection to deletion of personal data.
This policy was required to be approved by the DPA and published on the website of the data fiduciary as well as the DPA.
Along with the report, at least half a dozen MPs from the Congress, the Trinamool Congress and the Biju Janata Dal (BJD) have given dissent notes to the committee.
The majority of these MPs have objected to Section 35 of the bill, which allows the central government to exempt any government agency from the provisions of the bill, in the interest of national security and the prevention of incitement to any cognisable offence.
Congress MP Jairam Ramesh tweeted about his dissent note. He has also suggested certain changes to Section 12(a)(i), which allows “non-consensual processing” of personal data by governments and government agencies, if it is for any legal function that the government is supposed to perform. For example, in case of issuance of any certificate, licence or permit, or in compliance with any order or judgment of a court or a tribunal, or in case of a medical emergency for the data principal.
He suggested making the exemptions “less sweeping and less automatic”.
(Edited by Saikat Niyogi)