After detailed deliberations, the Joint Committee of Parliament on the Personal Data Protection Bill has made several important recommendations, and a debate is currently raging in the country over some of those proposals.
The Committee’s recommendations need to be understood in the broader context of personal data protection and of supporting the growth of a robust innovation and data-driven digital economy.
The Committee has proposed a new clause to bring non-personal data within the ambit of the Bill, since renamed the Data Protection Bill, 2021.
This has been done to take a holistic approach towards processing of data, both personal and non-personal, as with the advent of advanced technologies like artificial intelligence and sophisticated data analytics, it may not be too difficult in future to relate anonymised personal data (a form of non-personal data) to individuals.
However, the revised Bill only contains a provision for formulating rules regarding non-personal data at a later stage. Currently, it does not have any substantive provisions in this regard.
A key provision in the Bill to allow certain exemptions to the government data fiduciaries has generated a lot of discussion.
The exemptions under Section 35 of the Bill need to be on a case-by-case basis and only on the grounds of sovereignty and integrity of India, security, etc., which are within the ambit of reasonable restrictions under Article 19(2) of the Constitution.
Further, the reasons for exemptions have to be just, fair, reasonable and proportionate, as per the norms laid down by the Supreme Court in its 2017 privacy judgement in the Puttaswamy case.
The exemptions under Section 12 are narrower and more specific for facilitating better delivery of government services, disaster management, dealing with epidemics and medical emergencies, etc.
Government entities are not exempted from their obligations as data fiduciaries or from complying with the rights of data principals in general. There are adequate safeguards in the Bill to prevent any misuse of such exemptions, including oversight by the Data Protection Authority (DPA).
Another recommendation that has generated much debate relates to making social media platforms liable for content hosted on their platforms from unverified accounts and making verification of accounts mandatory.
However, this is only for those platforms that do not act as intermediaries eligible for safe harbour as per Section 79 of the Information Technology Act, 2000. This is only a recommendation that needs to be examined by the government later and is not part of the revised Bill.
Concerns have also been raised over the compliance burden on startups and its impact on innovation.
To address this concern, the Bill places much greater emphasis on compliance by the significant data fiduciaries with additional obligations, such as periodic audits, appointment of data protection officers, etc. Startups and small businesses do not need to comply with these additional obligations as they would not be classified as significant data fiduciaries.
The Bill also provides for the creation of a sandbox to encourage innovation. Processing of personal data of foreign nationals is also exempted under the Bill.
Another key concern is regarding the provisions for data localisation.
Section 33 of the Bill makes it clear that sensitive personal data shall continue to be stored in India, while Section 34 allows its transfer outside India under certain conditions.
The EU GDPR places similar conditions on data transfer to only those countries which fulfil the ‘data adequacy’ norms.
These provisions will make it easier for Indian entities to attract more outsourcing business from abroad as India would fulfil these norms. Storage of sensitive personal data within India would support the growth of hyperscale data centres and an innovative data-driven economy.
Concerns have also been raised over another recommendation relating to norms for testing the integrity of hardware and software on devices.
This has been done to prevent any unauthorised data breaches through insertion of any untrusted hardware. This provision has been added within the scope of functions of the DPA under Section 49 and can be implemented only after the DPA formulates an appropriate code of practice in consultation with the relevant stakeholders.
The concept of privacy has evolved from the Aristotelian concept of idios, meaning “one’s own” or “private”, in ancient times to its modern-day focus on informational privacy.
The Data Protection Bill, 2021 provides a holistic framework for addressing informational privacy that will also help greatly in the growth of a robust digital economy in India.
(The above article appeared in The Economic Times on January 9, 2022 and is available at: https://economictimes.indiatimes.com/tech/catalysts/ettech-opinion-a-holistic-approach-to-personal-data-protection/articleshow/88775228.cms?from=mdr. The views are personal.)