The right to privacy in India was declared a fundamental right by the Hon’ble Supreme Court of India on August 24, 2017, in its landmark judgment in the case of Justice K.S. Puttaswamy (Retd.) and Anr. v. Union of India And Ors.[i] (“Right to Privacy Case”). After this case, the need was felt to have stronger legislation in place to protect the personal data and privacy of individuals. Accordingly, in August 2017, the Central Government appointed a data protection committee chaired by retired Supreme Court judge, Justice Srikrishna, and on July 27, 2018, the committee released an extensive white paper on the importance of data protection. Subsequently in July 2018, the committee released the draft Personal Data Protection Bill, 2018. Based on the recommendations of the industry stakeholders, and a year thereafter, the Personal Data Protection Bill, 2019 (“PDP Bill”) was introduced in the lower house of the Indian Parliament, with few modifications.
The PDP Bill had, on December 12, 2019, been referred to a Joint Parliamentary Committee (“JPC”) for further debate and examination.
On December 16, 2021, after nearly 2 years of deliberation on the PDP Bill, the JPC tabled its report[ii] on the PDP Bill (hereinafter referred to as the “Report”). The Report lays down various recommendations and modifications to the PDP Bill.
This note provides a summary of the Report and the recommendations provided by the JPC on the PDP Bill. It is important for the stakeholders to understand the recommendations and the effect they will have on the right to privacy of individuals.
Key recommendations of the Report
A brief summary of the key recommendations of the Report is provided hereinbelow:
- Change in name and scope to “Data Protection Bill”: The PDP Bill only sought to regulate the personal data[iii] of individuals as defined therein. However, as per the recommendations of the Report, the JPC has suggested changing the name of the draft bill to “Data Protection Bill”, thereby covering non-personal data as well. It is to be noted here that the present draft of the PDP Bill empowers the Central Government to gain access to anonymized or non-personal data from any data fiduciary to enable better targeting of delivery of services or formulation of evidence-based policies. There are concerns from the stakeholders that including both personal and non-personal data in the same legislation will dilute the objectives of the PDP Bill, which was aimed at providing a framework for protection of personal data only.
- Selection of Data Protection Authority (DPA): As per the PDP Bill, the stakeholders involved in the selection for the DPA were limited, and included members from the Ministry of Legal Affairs and Ministry of Electronics and Information Technology. However, the Report recommends that the selection committee for the DPA should have wider representation from technical, legal, and academic experts, as may be prescribed, in addition to the bureaucrat officers comprising the selection committee. Thus, the members of the DPA will indirectly be in control of the Central Government, as all members in the selection committee are appointed at the behest of the Central Government.
- Exemptions to government: The PDP Bill provided for exemption to the Government from compliances under the draft legislation, with the aim of protecting national interest. The Report adds conditions to this exemption, by recommending that the Government may exempt itself from the provisions only after a fair, just, reasonable and proportionate procedure. This is in line with the Right to Privacy Case, wherein the Apex Court has laid down the tests of legality, legitimate aim, proportionality and procedural safeguards which must be met for infringement of the right to privacy of individuals by the Government in pursuance of the exemptions available to it.
- Data breaches: As per the PDP Bill, companies are required to report personal data breaches when such breaches cause harm to the data principal. However, in addition to the same, the Report not only mandates maintenance of a log of all kinds of data breaches, regardless of whether the breach relates to personal or non-personal data and irrespective of the likelihood of harm to the data principal, but also sets a time period of 72 hours for reporting such breach. This means that, in addition to the reporting requirements for personal data breaches, the maintenance of the log will be mandatory for personal as well as non-personal data and not conditional upon the data principal bearing any harm.
- Social Media regulation: The Report points out that social media intermediaries should be subject to higher scrutiny. In order to curb the menace of fake news and fake accounts, the Report suggests that all user accounts on social media intermediaries should be verified. The Report claims that the intermediary framework under the Information Technology Act, 2000, has failed to achieve its objectives and thus recommends that the social media intermediaries should be treated as ‘publishers’ in certain specific contexts, especially in relation to content from unverified accounts. Moreover, it has been recommended that no social media platform should be allowed to operate in India unless the parent company handling the technology sets up an office in India. Further, a statutory media regulatory authority, on the lines of the Press Council of India, may be set up for the regulation of the contents on all such media platforms irrespective of the platform where their content is published, whether online, print or otherwise.
- Children’s data: The PDP Bill had specific provisions for protection of data relating to children. The PDP Bill had defined the concept of guardian data fiduciary as a data fiduciary that operates commercial websites or online services directed at children, or processes large volumes of personal data of children. Under the PDP Bill, such a guardian data fiduciary was exempt from obtaining the consent of the parent or guardian of the child as required by other data fiduciaries. The Report has recommended deletion of the concept of guardian as a separate class of data fiduciary as it may dilute the objective of safeguarding children. The Report also recommends that all data fiduciaries should be barred from carrying out profiling, tracking, or behavioural monitoring of, or targeted advertising directed at children, and processing personal data that may cause significant harm to children. This bar was previously applicable to guardian data fiduciaries alone.
- Data Localisation: While provisions related to data localisation already existed under the PDP Bill, the JPC has strongly advised that all data should be stored in India as it is important for national and security reasons. The Report suggests that the Government should bring mirror copies of all sensitive and critical personal data already stored abroad and that all entities operating in India should gradually move towards localisation of all data. In addition to data localisation, the Report also proposes preparation of a comprehensive data localisation policy by the Central Government, which will be aimed at developing adequate infrastructure for local storage of data and helping start-ups comply with localisation requirements, while keeping in mind the ‘ease of doing business’ objectives of the Government.
- Data Protection Officer (DPO): While the PDP Bill mandated a significant data fiduciary to appoint a DPO, the Report proposes that the DPO appointed should have an important role in the management and operations of the significant data fiduciaries, and shall be a senior level officer or key managerial personnel, having technical knowledge in the field of operations of the respective significant data fiduciary.
Dissent notes to the Report
Several members of the lower house of the Parliament (Lok Sabha) have raised their voices against the recommendations provided by the Report.[iv] The main concerns regarding the recommendations of the Report and the proposed “Data Protection Bill” are that it gives sweeping powers to the Government to exempt any or all of its authorities from the provisions of the proposed legislation. The dissenting members also note that the Report does not provide any safeguards to guarantee the right of privacy of the individuals. By changing the name of the legislation and widening its scope, the recommendations of the Report have weakened the framework for protection of privacy. There have been apprehensions that the recommendations of the Report by the JPC have departed from the framework of the PDP Bill.
What’s next for right to privacy in India
Following the Right to Privacy Case and the subsequent introduction of the PDP Bill, it was believed that the right to privacy, being a fundamental right, would be further strengthened and would protect individuals against unfair invasion of their privacy. However, the Report by the JPC on the PDP Bill has created further uproar. While the winter session of the Parliament ended on December 23, 2021,[v] it is unlikely that the Report will be further discussed or any recommendations carried out this year, given that the changes and deviation from the original PDP Bill are notable in the Report. The ultimate outcome of the right to privacy is dependent on the discussions and modifications made in the PDP Bill, based on the recommendations by the JPC. Since this proposed legislation will be India’s first comprehensive data protection law, it will be interesting to see how the Government proposes to modify the PDP Bill and protect the right to privacy of the individuals, while balancing national security and interests of India, which necessitate infringement in certain cases within the contours of law already laid down by the Supreme Court of India.
[i] (2017) 10 SCC 1.
[ii] https://prsindia.org/files/bills_acts/bills_parliament/2019/Joint_Committee_on_the_Personal_Data_Protection_Bill_2019.pdf.
[iii] Personal data means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.
[iv] https://www.business-standard.com/article/current-affairs/jpc-members-record-dissent-towards-parts-of-personal-data-protection-law-121112200607_1.html.
[v] https://prsindia.org/sessiontrack/winter-session-2021/session-alert.