JPC retains exemption clause, adopts personal data Bill

Contact Counsellor

CategoryPolity

Last Updated24/11/2021

Recently, a Joint Parliamentary Committee (JPC) has adopted the draft report on Personal Data Protection (PDP) Bill, 2019.
The Bill will be soon tabled in the upcoming Winter Session of Parliament.
The committee has been deliberating on the report since 2019.

With the increase in user-generated data and the exponential industrial value of data, it’s becoming vital that the government bodies take necessary steps to protect the data rights of their citizens.
Data protection regulations ensure the security of individuals’ personal data and regulate the collection, usage, transfer, and disclosure of the said data.
They also provide access to data of the individuals and places accountability measures for organizations processing personal data and supplements it by providing remedies for unauthorised and harmful processing.

Amid the proliferation of computers and the Internet, consumers have been generating a lot of data, which has allowed companies to show them personalised advertisements based on their browsing patterns and other online behaviour.
Companies began to store a lot of these datasets without taking the consent of the users, and did not take responsibility when the data leaked.
To hold such companies accountable, the government in 2019 tabled the Personal Data Protection Bill for the first time.

Inclusion of non-personal data: The bill has proposed to include non-personal & personal data and also that Data Protection Authority (DPA) should handle this. Any further policy/legal framework on non-personal data in the future should be made part of this legislation and not separate legislation.
Data collection by electronic hardware: Hardware manufacturers that collect data through digital devices have also been suggested to be included.
Stricter regulations for social media platforms: It has recommended that all social media platforms, which do not act as intermediaries, should be treated as publishers and be held accountable for the content they host. It also recommended setting up a statutory media regulatory for the regulation of content on such platforms.
However, the committee grants some exceptions to data fiduciaries below a certain threshold, not to hamper the growth of firms that are classified under MSMEs.
Policy on Data Localisation: Development of an alternative indigenous financial system for cross-border payments and that the Central Government, in consultation with all the sectoral regulators, must prepare and pronounce an extensive policy on data localisation.

The committee has retained the Clause with minor change.
It allows the Government to keep any of its agencies outside the purview of the law.
The Clause in the name of “public order”, ‘sovereignty’, “friendly relations with foreign states” and “security of the state” allows any agency under the Union Government exemption from all or any provisions of the law.
The clause is for “certain legitimate purposes” and also there is precedent in the form of the reasonable restrictions imposed upon the liberty of an individual, as guaranteed under Article 19 of the Constitution and the Puttaswamy judgment.

Possible misuse: Clause 35 is open to misuse since it gives unqualified powers to the Government.
Creation of two parallel universes : For private sector it would apply with full rigour and for the Government it is overflowed with exemptions, carve-outs and escape clauses.
Against the fundamental Right to Privacy: Bill does not provide required safeguards to protect the right to privacy and gives an overboard exemption to the Government.
No provision of checks and balances: on collection of data by hardware manufacturers.

Right to privacy has been reiterated as a Fundamental Right in KS Puttaswamy Case(2018) and Data protection comes under its ambit. The idea of privacy is not reflected in the Bill in full thrust and hence, due changes need to be done. Also, the Government should make efforts to establish a mechanism for the formal certification process for all digital and IoT devices that will ensure the integrity of all such devices with respect to data security.