The Joint Parliamentary Committee (JPC) report on the Personal Data Protection (PDP) Bill, 2019 was tabled in both Houses of Parliament on Thursday.
Congress Member of Parliament Jairam Ramesh extended the JPC report in the Rajya Sabha while BJP MP PP Chaudhary, the chairperson of the panel, tabled the report in the Lok Sabha.
The JPC report, which reviewed the country’s first proposed data protection law, has been tabled two years after it was introduced in the Lok Sabha. Here’s all you need to know about the committee’s report on the bill.
PDP ACT TO DEAL WITH PERSONAL AND NON-PERSONAL DATA
The JPC has recommended that since the Data Protection Authority (DPA) will handle various types of data at various security levels, it will be difficult to distinguish between personal and non-personal data.
The committee has said that the PDP Bill should cover both sets of data till an additional framework is established to distinguish between personal and non-personal data.
“As soon as the provisions to regulate non-personal data are finalised, there may be a separate regulation on non-personal data in the Data Protection Act to be regulated by the Data Protection Authority,” the report said.
TIMELINE FOR IMPLEMENTATION OF ACT
The committee has advised the government to set a timeline for the implementation of the Act once it has been notified.
The JPC recommended a 24-month period after the notification of the Act for the appointment of the chairperson and members of the DPA.
IMPACT ON SOCIAL MEDIA PLATFORMS
The committee has recommended that all social media platforms that do not act as intermediaries be considered publishers and, therefore, be held accountable for the content they host.
A mechanism may be devised by which social media platforms which do not act as intermediaries are held responsible for the content from unverified accounts on their platforms, the report said.
The committee has also suggested that no social media platform be permitted to operate in India unless the parent company in charge of the technology sets up an office in the country.
The JPC has recommended that a statutory media regulatory authority, similar to the Press Council of India, be established to regulate the content on all such media platforms, regardless of whether their content is published online, in print or anywhere else.
STATUTORY BODY FOR MEDIA REGULATION
The committee has said that self-regulation and existing media regulators are insufficient and ill-equipped to regulate the journalism industry.
“The committee has desired that Clause 36(e) may be amended to empower any statutory media regulator that the government may create in the future and until such time the government may also issue rules in this regard,” the report said.
SAFETY OF FINANCIAL TRANSACTIONS
The committee has expressed concerns about the safety of the SWIFT network, which enables international financial transactions between banks.
It has recommended that an alternative indigenous financial system be developed along the lines of similar systems elsewhere, such as Ripple (USA) and INSTEX (EU), to ensure privacy while also boosting the digital economy.
REGULATING HARDWARE MANUFACTURERS
The committee has recommended that a new sub-clause 49(2)(o) be added to allow the DPA to regulate hardware manufacturers and related entities.
The committee has urged the government to establish a dedicated lab/testing facility with branches across India to provide certification on the integrity and security of all digital devices.
The central government has been instructed to take protective measures and secure sensitive data in the possession of foreign entities. The JPC has said that a copy of such data must be mandatorily brought to India in a timely manner.
The central government has also been asked to ensure that the new data localisation provisions are followed by all local and foreign entities. The government has been asked to prepare and issue a comprehensive policy on data localisation in the coming days.
ON GOVT SURVEILLANCE
“The government’s surveillance of data stored in India must be strictly based on necessity as laid down in the legislation,” the report said.
The committee has recommended that clause 25(3) include a 72-hour reporting period for data breaches. The committee wished for specific guiding principles to be followed by the DPA when developing regulations against data breaches.
It has been recommended that the authority ensure the data principals’ privacy is protected. In case the data principal has suffered immaterial or material harm due to delayed reporting, the burden to prove that the delay was reasonable shall lie on the data fiduciary, the report said.
The data fiduciary shall be responsible for the harm suffered by the data principal due to an untimely complaint. Fiduciaries will also have to maintain a log of all data breaches, as per the report.
A data fiduciary shall not retain any personal data for longer than is necessary and shall delete personal data at the end of processing.
Since the government will also become a data fiduciary, in the event of a breach or an offence, the head of the department concerned should first conduct an in-house investigation, the report recommends. This process is intended to determine who was responsible for the particular offence, post which the liability can be decided.