- AI
- Arbitration
- Asia
- Automobile
- Bangladesh
- Banking
- Biodiversity
- Biological Inventions
- bLAWgathon
- Brand Valuation
- Business
- Celebrity Rights
- Company Act
- Company Law
- Competition Law
- Constitutional Law
- Consumer Law
- Consumer Protection Authority
- Copyright
- Copyright Infringement
- Copyright Litigation
- Corporate Law
- Counterfeiting
- Covid
- Design
- Digital Media
- Digital Right Management
- Dispute
- Educational Conferences/ Seminar
- Environment Law Practice
- ESIC Act
- EX-Parte
- Farmer Right
- Fashion Law
- FDI
- FERs
- Foreign filing license
- Foreign Law
- Gaming Industry
- GDPR
- Geographical Indication (GI)
- GIg Economy
- Hi Tech Patent Commercialisation
- Hi Tech Patent Litigation
- IBC
- India
- Indonesia
- Intellectual Property
- Intellectual Property Protection
- IP Commercialization
- IP Licensing
- IP Litigation
- IP Practice in India
- IPAB
- IPAB Decisions
- IT Act
- IVF technique
- Judiciary
- Khadi Industries
- labour Law
- Legal Case
- Legal Issues
- Lex Causae
- Licensing
- Live-in relationships
- Lok Sabha Bill
- Marriage Act
- Maternity Benefit Act
- Media & Entertainment Law
- Mediation Act
- Member of Parliament
- Mergers & Acquisition
- Myanmar
- NCLT
- NEPAL
- News & Updates
- Non-Disclosure Agreement
- Online Gaming
- Patent Act
- Patent Commercialisation
- Patent Fess
- Patent Filing
- patent infringement
- Patent Licensing
- Patent Litigation
- Patent Marketing
- Patent Opposition
- Patent Rule Amendment
- Patents
- Personality rights
- pharma
- Pharma- biotech- Patent Commercialisation
- Pharma/Biotech Patent Litigations
- Pollution
- Posh Act
- Protection of SMEs
- RERA
- Section 3(D)
- Signapore
- Social Media
- Sports Law
- Stamp Duty
- Stock Exchange
- Surrogacy in India
- TAX
- Technology
- Telecom Law
- Telecommunications
- Thailand
- Trademark
- Trademark Infringement
- Trademark Litigation
- Traditional Knowledge
- UAE
- Uncategorized
- USPTO
- Vietnam
- WIPO
Introduction
Data Protection laws provide a set of laws that deal with the matters related to privacy, policies, and procedures and it is imperative for the protection of one’s privacy and regulating its collection, storage, and dissemination. Currently, there is no express legislation in India that lays down proper guidelines for data protection. The Information Technology Act, 2000 along with the Indian Contract Act, 1872 provide some basic protection however, there is an imminent need for comprehensive legislation pertaining to data protection. Ever since the landmark judgment of Justice K.S. Puttaswamy v. Union of India (2017) which legitimized the Right to Privacy under the Constitution of India, the government has been under an obligation to pass a law governing data.
In the year 2019, a bill was introduced in the Rajya Sabha which was referred to as “The Personal Data Protection Bill, 2019” with the objective of unlocking the data economy and providing protection to personal data. However, the bill was not passed as there were many discrepancies with respect to its provisions and hence, the same was referred to the Joint Parliamentary Commentary (JPC) which was set up for the purpose of review of the bill. The JPC released its report on 16th December 2021 after reviewing the Bill and it made certain suggestions that emphasized laying down stricter compliance requirements for the companies and placing more obligations on the government agencies. The report also amended the title of the Bill and renamed it “The Data Protection Bill, 2021”.
Some Key Changes Incorporated in the Draft Data Protection Bill, 2021
Inclusion of Non-Personal Data
One of the most important changes suggested by the JPC was to amend the scope of the Bill and make it a lot vaster to include not just personal data but all kinds of non-personal data as per clause 3(28) which includes “data other than personal data”. The committee recommended this as they opined that even non-personal data can affect privacy as it is very difficult to distinguish between personal data and non-personal data. Moreover, if non-personal data is not covered under the data protection bill, then a separate bill will have to be passed in order to regulate the non-personal data.
Privacy and Consent
Another change incorporated in the draft Bill was regarding the express consent and providing people with the option to choose whether they want to provide their personal data or not. As per the recommendation made by the JPC committee, if the person chooses not to share his/her personal data, they will be allowed to enjoy their right to do so. But, as all rights are subject to certain reasonable restrictions, there have been attempts made to specify the circumstances under which non-consensual processing of personal data can be allowed. In the earlier draft of the 2019 Bill pertaining to data protection, it was provided that non-consensual usage can be allowed when “such processing is necessary”. However, the 2021 draft of the Bill fails to incorporate the procedural safeguards provided in the landmark judgment of Justice K.S. Puttaswamy v. Union of India (2017)which requires the presence of “proportionality” &“legitimate purpose”. The 2021 Draft Bill, provides that non-consensual usage can be allowed whenever it “can be reasonably expected” thereby failing to incorporate the procedural safeguards laid down in the aforementioned case.
Social Media Platforms
The Draft Bill, 2021 made certain changes with respect to the “social media intermediaries” as now the term has been amended to “social media platforms” and the same has been defined under clause 3(44) of the Draft Data Protection Bill,2021, as any platform which works towards enabling online interaction between multiple users. This amendment has been undertaken in order to hold these platforms liable for any content that hosts. However, including these social media companies within the ambit of “platforms” will still not provide a viable solution to the issue of data privacy. Classifying these social media platforms strictly as an “intermediary” or strictly as a “platform” will not be as effective because a middle ground has to be found wherein as per the varying circumstances, these companies can be legally exempted or be held liable for the content posted by their users.
Breach of Data
The JPC report also discusses the issue pertaining to the breach of data and its disclosure and reporting mechanisms. It lays down several regulations which include providing a predefined time period of 72 hours for reporting the breach. Under this, proper justification will also have to be provided by the companies explaining the reason behind the delay in reporting the breach if any. As per the 2019 Bill, the data fiduciaries only needed to inform the Data Protection Authority(DPA) in the event of any “harm” caused. This definition of “harm” has been amended in the latest draft to include psychological manipulation along with the loss of reputation or any kind of financial loss. This draft also proposes to make it mandatory to report all the data breaches irrespective of any harm caused or not.
Data Localisation
The JPC report emphasized the importance of data localization and opined that all the sensitive data related to national security, personal data, economic activities, etc. should be necessarily stored within the national borders. The committee even recommended the steps that need to be undertaken for the purposes of transferring all the sensitive data that has been stored offshore and bringing them back within the national borders. However, there have been certain incongruities with respect to the grounds on which these data can be transferred. In the 2019 draft of the Bill, it was provided that the transfer of sensitive data can be restricted if it is against the public or the state policy. But, there is no information available as to what all can be included within the definition of public and state policy and this could lead to the arbitrary use of powers that have been assigned to the DPA.
Appointment of Data Protection Officer
The JPC also amended the draft and made it mandatory for all the prominent data fiduciaries to appoint a Data Protection Officer. The committee recommended that only a person who is at a key managerial position or at a senior position in the company can be appointed to perform the duties of a Data Protection Officer. This is done to ensure that the person who is being appointed as the DPO is well versed in the workings of the company.
Testing and certification of Hardware and Software
The Committee also took into consideration the implications of the data breaches due to the hardware and the software being used for the purpose of data collection and storage. It opined that certain basic minimum criteria need to be set that need to be fulfilled before the approval is granted for the hardware or the software. The JPC recommended that the DPA should establish a framework for keeping a check and also ensure that regular testing is being done so that the data remains protected.
Conclusion
The Joint Parliamentary Committee has successfully incorporated many necessary changes in its report, which deal with several issue which were prevalent in the Personal Data Protection Bill, 2019. However, some of these changes have also led to certain criticisms which have been raised against the 2021 Draft Bill. This criticism deal with the powers that have been assigned under the Bill which could lead to the violation of certain fundamental rights of the individuals.
Author: Siddharth Raj Choudhary – a Student of School of Law (Bennett University), an intern at Khurana & Khurana, Advocates and IP Attorney, in case of any queries please contact/write back to us via email vidushi@khuranaandkhurana.com .