The much awaited Joint Parliamentary Committee Report (‘JPC Report’) on the Personal Data Protection Bill, 2019 (‘PDPB’) is finally here. We have updated you on the key takeaways from the JPC Report.
In this post we present a bird’s eye view of how user rights are dwindling from the Srikrishna Committee to PDPB to the Joint Parliamentary Committee on Data Protection.
Background
In 2017, a month before the Supreme Court pronounced its judgment in Justice K.S.Puttaswamy (Retd.) vs Union Of India AIR 2017 SC 4161], the Union Government constituted a Committee of Experts to deliberate on a data protection framework. The Committee was headed by Justice BN Srikrishna.
In 2018, it published its report along with a draft of the legislation on data protection (‘2018 Bill’). In 2019, the Union Government introduced the PDPB and referred it to a Joint Parliamentary Committee (‘JPC’) consisting of 20 members. After almost two years, the JPC has tabled its report which contains the Draft Data Protection Bill, 2021.
We have already updated you on the key takeaways from the JPC Report. In this post, we explain how the Srikrishna Committee Report (‘Srikrishna Report’), the PDPB and Draft Data Protection Bill, 2021 have proposed different data protection regimes. We do this because these three documents are significant milestones on India’s long and protracted road towards a data protection legislation.
As our analysis below demonstrates, the proposed law has become increasingly less respectful of individual rights, and more concerned with the impact of the regulation on the Union Government.
For example, the Srikrishna report provided for a data protection authority (‘DPA’) which is entirely independent of executive control. In contrast, the Draft Data Protection Bill, 2021 made the Union Government the sole authority to determine the composition of the DPA despite the fact that the DPA will regulate government agencies. Read our analysis on 8 key metrics to see how the proposed law has evolved and how far it has strayed from the ruling of the Supreme Court in Puttaswamy.
Consent Framework
Srikrishna Report
The Srikrishna Report stated that data processing practices in the digital economy are founded on consent (Page 32). Accordingly, the 2018 Bill provided for personal data to be processed on the basis of the free, informed, specific and clear consent of the data principal. Moreover, it stated that consent must be capable of being withdrawn (Clause 12).
PDPB
The PDPB adopts the provisions on consent contained in the 2018 Bill but states that consent must be explicitly obtained after giving the data principal the choice of separately consenting to the use of different categories of sensitive personal data [Clause 11(3)]. However, the PDPB also states that the provision on consent shall not be applicable for the performance of any function of the State authorized by law for the provision of any service or benefit to the data principal from the State or for issuance of any certification, license or permit for any action of the data principal [Clause 12].
Draft Data Protection Bill, 2021
The Draft Data Protection Bill, 2021 broadly adopts the consent framework provided in the PDPB.
User Rights
1) Right to confirmation and access
Srikrishna Report
The Srikrishna Report stated that the right to confirmation and access enables a data fiduciary to enforce the substantive obligations of data fiduciaries (Page 39). Accordingly, the 2018 Bill provided data principals with the right to confirm whether a data fiduciary is processing or has processed personal data of the data principal as well as seek a brief summary of the personal data (Clause 24).
PDPB
The PDPB adopts the provisions of the 2018 Bill but also confers upon the data principal the right to access in one place the identities of the data fiduciaries with whom their personal data has been shared by a data fiduciary along with the categories of personal data shared with them [Clause 17(3)].
Draft Data Protection Bill, 2021:
The Draft Data Protection Bill, 2021 has provided the right to the data principal to nominate a legal heir or a legal representative as their nominee who can exercise their right to confirmation and access exercise the right to be forgotten in the event of the death of such data principal [Clause 17(4)].
2) Right to correction and erasure
Srikrishna Report
The 2018 Bill provided that the data principal has the right to obtain from the data fiduciary the correction of inaccurate or misleading personal data, the completion of incomplete personal data and the updating of personal data that is out of date. The data fiduciary could disagree with the need to make such changes but then the data principal could require the data fiduciary to indicate that the personal data in question is disputed by them. (Clause 25)
PDPB
The PDPB adopted the provisions of the 2018 Bill [Clause 18].
Draft Data Protection Bill, 2021:
The JPC Report has not recommended any significant changes to the right to correction and erasure.
3) Right to data portability
Srikrishna Report
The Srikrishna Report was of the opinion that the right to data portability is critical in making the digital economy seamless, and empowers the data principals by giving them greater control over their personal data (Page 75). Thus, the 2018 Bill enables data principals to have their personal data transferred if such processing has been carried out through automated means [Clause 26(1)]. The 2018 Bill does not permit data portability if portability is not technically feasible or if it would reveal trade secrets of any data fiduciary or if processing is necessary for functions of the State [Clause 26(2)].
PDPB
The PDPB adopted the provisions of the 2018 Bill [Clause 19].
Draft Data Protection Bill, 2021
Under the Draft Data Protection Bill, 2021, the JPC has discussed the importance of protecting the right to data portability from frivolous claims of trade secrets that may be used to deny data portability. Therefore, the Draft Data Protection Bill, 2021 has recommended that technical feasibility shall be the only ground on the basis of which data portability may be denied. However, the decision of determining whether claims of technical feasibility are valid has been left to the data fiduciary “in such manner as may be specified by regulations” [Clause 19(2)(b)].
4) Right to be forgotten
Srikrishna Report
The Srikrishna Report recommended that the Indian data protection regime included a right to be forgotten for data principals. The 2018 Bill, therefore, provided that the data principal shall have the right to restrict or prevent continuing disclosure of personal data by a data fiduciary related to the data principal on the grounds of purpose fulfilment or the disclosure no longer being necessary (Clause 27). However, the right may only be enforced if an application to be forgotten is approved by an adjudicating officer appointed by the Union Government (Clause 68).
PDPB
The PDPB accepted the provision in the 2018 Bill but imposed an obligation on the data principal to demonstrate to the Adjudicating Officer that their right in preventing disclosure of personal data overrides the right to speech/receive information of any other citizen [Clause 20(2) proviso]. PDPB also enables the data principal to appeal the decision of the Adjudicating Officer [Clause 20(5)].
Draft Data Protection Bill, 2021
The Draft Data Protection Bill, 2021 has recommended to expand the right to be forgotten for processing as well which was previously limited to only disclosure [Clause 20(1)].
Exemptions to the Government
The Srikrishna Report
The Committee proposed that the government not be exempted from the rigours of the data protection regime unless it is authorised by a law which is made by the Parliament, and is necessary and proportionate. Moreover, such an exemption should only be granted if it is necessary for the security of the state (Clause 42 of 2018 Bill) and prevention, detection, investigation and prosecution of contravention of law (Clause 43 of 2018 Bill).
PDPB
The PDPB empowered the Union Government to exempt any government agency from the purview of data regulation subject to such procedure, safeguards and oversight mechanism as may be prescribed by the Union government (Clause 35). Thus, the PDPB concentrates the powers under the regulation with the Executive entirely. The PDPB also expanded the grounds on which the Union could notify such exemptions to include “sovereignty, integrity, friendly relations with foreign states and public order”.
Draft Data Protection Bill, 2021
The Draft Data Protection Bill, 2021 has cemented the exemption for Government Departments provided in the PDPB by inserting a non-obstante provision in Clause 35 which reads - “Notwithstanding anything contained in any law for the time being in force…”. It further recommends that the expression “such procedure” in Clause 35 must be interpreted as a procedure that is just, fair, reasonable and proportionate [Clause 35(iii)]. However, this is only a change in the procedural safeguard and not a change in the conditions under which the exemption under the provision will be granted and, thus, fails to quell the concern that the data regulation exempts the government.
Data Breach
Srikrishna Report
The Committee (Page 62) and the 2018 Bill recommended that data fiduciaries should notify the Data Protection Authority of any personal data breach relating to personal data processed by them ‘where such breach is likely to cause harm to data principal’ [Clause 32(1)]. The notification to the DPA must contain the nature of personal data breached, number of data principals affected, consequences of such breach, and action being taken by fiduciary to notify such breach [Clause 32(2)]. The 2018 Bill also states that the DPA may inform the data principal of a breach depending on the severity of the harm caused by such a breach or if some action is required on the part of the data principal to mitigate the harm [Clause 32(5)].
PDPB
PDPB replicated the provisions of the 2018 Bill [Clause 25].
Draft Data Protection Bill, 2021
In a welcome development, the Draft Data Protection Bill, 2021 has dropped the obligation on data fiduciaries to inform the DPA of a data breach only when ‘breach is likely to cause harm to data principal’ [Clause 25(5)]. The JPC has recommended that data fiduciaries must inform the DPA whenever there is a breach of personal data. The Draft Data Protection Bill, 2021 has also imposed an obligation on data fiduciaries to inform the DPA within 72 hours [Clause 25(3)].
Significant Data Fiduciaries
Srikrishna Report
The Report emphasized the importance of the need to place additional obligations on entities that are capable of causing significantly greater harm to data principals as a consequence of their data processing activities. Accordingly, the 2018 Bill empowered DPA to categorize certain data fiduciaries as significant data fiduciaries based on factors such as the volume of personal data processed, the sensitivity of personal data processed and the use of new technologies for processing [Clause 38(1)]. The 2018 Bill also conferred discretion upon the DPA to impose additional obligations on significant data fiduciaries.
PDPB
The PDPB allowed the DPA to notify even the social media intermediaries as significant data fiduciaries, which wasn’t the case in the 2018 Bill [Clause 26(4)]. Moreover, unlike the 2018 Bill which conferred the DPA with the discretion to impose additional obligations on significant data fiduciaries, the PDPB mandates significant data fiduciaries to conduct data protection impact assessment [Clause 27], enable auditing of its policies by an independent auditor, [Clause 29] and appoint a data protection officer [Clause 30].
Draft Data Protection Bill, 2021
The Draft Data Protection Bill, 2021 has permitted the DPA to categorize those data fiduciaries that deal with the processing of data related to children as significant data fiduciaries [Clause 26(1)(g)]. It has also stated that the data protection officer appointed by significant data fiduciaries must be a ‘senior level officer in the State’ or a ‘key managerial personnel in relation to a company’ [Clause 30(1)]. Key managerial personnel has been defined to mean the Chief Executive Officer or the Managing Director, the Company Secretary, the whole-time Director, the Chief Financial Officer or such other personnel as may be prescribed by the DPA [Explanation to Clause 30(1)].
Social Media Intermediaries
Srikrishna Committee Report
The Srikrishna Committee Report does not make any references to social media intermediaries apart from stating that these entities process personal data of children (Page 43).
PDPB
The PDPB defines social media intermediary as an intermediary who primarily or solely enables online interaction between two or more users. Furthermore, the PDPB states that social media intermediaries may be notified as significant data fiduciary depending on their number of users and their impact on electoral democracy, security of state, public order or the sovereignty and integrity of India [Clause 26(4)]. Every social media intermediary which is notified as a significant data fiduciary must enable users to voluntarily verify their accounts [Clause 28(3)].
Draft Data Protection Bill, 2021
The JPC Report recommends that all social media platforms which do not act as intermediaries be treated as publishers and be held accountable for the content they host (Para 1.15.12.7). To this end, it recommends that a mechanism be devised whereby social media platforms can be held accountable for content from unverified accounts. However, the Draft Data Protection Bill, 2021 does not provide a mechanism to treat social media intermediaries as publishers but simply recommends that the phrase ‘social media intermediary’ in the law be replaced with the term ‘social media platform’ [Clause 26(f), Clause 28(3) and Clause 28(4)].
On Composition of the DPA
Srikrishna Report
The Srikrishna Report recommended that the DPA be governed by a board consisting of six whole-time members and a chairperson appointed by the Central Government on the recommendation of a selection committee. It also recommended that the selection committee to appoint the DPA should consist of the Chief Justice of India (‘CJI’) or their nominee (who is a judge of the Supreme Court of India), the Cabinet Secretary, Government of India, and one expert nominated by the CJI in consultation with the cabinet secretary [Clause 50]. The Srikrishna Committee had recommended a committee headed by the CJI to appoint the DPA because it expected the government agencies to be regulated by the data protection law (Page 151).Thus, there was a need to ensure the independence of the DPA from the Union Government.
PDPB
Unlike the Srikrishna Report, the PDPB vested the executive with the sole authority to appoint the DPA, despite the fact that the DPA would also regulate government agencies. As per the PDPB, the selection committee of the DPA would be chaired by the Cabinet Secretary and other members would include Secretaries to the Union Government [Clause 42].
Draft Data Protection Bill, 2021
The Draft Data Protection Bill, 2021 has continued to vest the authority to select the DPA with the executive but has expanded the committee to include an expert nominated by the Union Government, the Attorney General of India, a Director of any of the Indian Institutes of Technology, and a Director from any of the Indian Institutes of Management. Both the directors would also be nominated by the Central Government [Clause 42(2)].
Offences and Penalties
Srikrishna Report
The Srikrishna Report had recommended that offences under the data protection law should be linked to any intentional or reckless behaviour, or to damage caused with knowledge to the data principals (Page 166). The 2018 Bill penalised obtaining, transferring, disclosing & selling of personal and sensitive personal data in violation of the provisions of the data protection law with imprisonment for a term not exceeding 5 years or fine or both (Clause 91). The 2018 Bill also penalised reckless re-identification of personal data which has been de-identified by data fiduciary with imprisonment not exceeding 3 years or fine or both. (Clause 92)
PDPB
The PDPB penalised the re-identification of personal data which has been de-identified by a data fiduciary without the consent of such data fiduciary, with imprisonment or fine or both (Clause 82). The PDPB does not penalise other violations of the data protection law.
Draft Data Protection Bill, 2021
The Draft Data Protection Bill, 2021 has adopted the provisions of the PDPB on offences. However, it has made an arbitrary classification to classify government authorities that are processing data as separate “government data fiduciaries” which would be liable for any offense committed. The Bill further states that where an offence is committed by a government data fiduciary, an in-house enquiry shall be conducted by the Head of Office of the concerned data fiduciary and subsequently the liability may be decided. This creates a situation where the government data fiduciary evaluates its own crime [Clause 86].
Regulation of Non-Personal Data
Srikrishna Report
The Srikrishna Report and the 2018 Bill did not apply to non-personal data. The Srikrishna Committee left the question of non-personal data to the ‘wisdom of a future committee in the hope that they will be duly considered’. (Page 13)
PDPB
PDPB allows the Union to direct any data fiduciary or data processor to provide any anonymised personal data or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies [Clause 91(2)].
Draft Data Protection Bill, 2021
The JPC Report has in its recommendations indicated that, since the aim of the Bill is to protect privacy, restricting the scope of the Bill to personal data would be detrimental (Para 1.15.8.3). Thus, the Draft Data Protection Bill, 2021 permits the central government to frame any policy for the digital economy including the handling of non-personal data [(Clause 92(1)]. In what is a positive step, the Draft Data Protection Bill, 2021 also directs the Central Government to annually disclose to the Parliament the directions it may make to data fiduciaries under Clause 91(2) [(Clause 92(2)].
(Internet Freedom Foundation is an Indian non-governmental organisation that conducts advocacy on digital rights and liberties. IFF files petitions and undertakes advocacy campaigns to defend online freedom, privacy, net neutrality, and innovation. This piece has been reproduced after taking permission from the author/ organisation. The Quint neither endorses nor is responsible for the views expressed.)
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)