Data Protection Bill 2021: A few pointers from JPC Report

The Joint Parliamentary Committee (JPC) Report, along with the Data Protection Bill, 2021, was tabled in both houses of the Parliament on 16th Dec. 2021 after two years of deliberations. Since the landmark 'Puttaswamy Judgement' in 2017, the Government of India has been under an obligation to pass legislation to protect Indians’ personal data.

Following are the main points of the JPC Report:

1. Creation of Data Protection Authority (DPA)

Power of DPA:

The Central Government has been given absolute power to direct the Data Protection Authority (DPA) in all matters. In the 2019 draft, the authority was bound by the central government’s directions specifically ‘on questions of policy’. The committee said that the authority should be bound by the directions of the central government under all cases and not just on questions of policy.

Exemptions for government bodies:

The Central Government will have the authority to exempt any agency of the government from the provisions of the act, subject to just, fair, reasonable, and proportionate procedure.

Agencies to be held liable:

Particular ‘government data fiduciaries’ will be held liable for offences under the provisions of the act, instead of state departments or ministries. The earlier draft placed the liability directly on the ‘department or authority or body of the State’ which committed the offence.

Personnel to be held liable:

In case a government body commits an offence under the act, the head of office must conduct an in-house enquiry, and the person deemed responsible for the offence will be punished accordingly.

Appointments to Data Protection Authority will be made by a selection committee

The DPA shall consist of a chairperson and not more than six members, one of whom shall be qualified as “an expert in the area of law”. They will be appointed by a selection committee comprising:

  • Cabinet secretary as the Chairperson of the Selection Committee
  • Secretary in the Ministry or Department dealing with Legal Affairs as a member
  • Secretary in MeitY will be another member
  • Attorney General of India will be a member too
  • An independent expert will be nominated by the Union government from fields of data protection or Information Technology as a member
  • Director of any Indian Institute of Technology (IIT) will be nominated by the government as a member
  • Director of any Indian Institute of Management (IIM) will be nominated by the government as a member.

New duty of DPA:

The current draft includes a new power of the data protection authority to appoint any agency authorised by the central government to monitor, test, and certify hardware and software of computing devices to “prevent any interdiction or seeding that may cause personal data breach”.

2. Age of consent for children will be 18:

Multiple stakeholders had requested that the bill lower the age of consent to either the US standard (13 years) or GDPR standard (13-16 years), but the JPC decided to leave the age of consent at 18 citing the Contract Act as the basis for this.

3. Concept of guardian data fiduciary removed:

The concept of guardian data fiduciaries is absent in the Data Protection Bill 2021 as opposed to the PDP Bill, 2019. The JPC explained that there is no advantage in creating a separate class of data fiduciary known as guardian data fiduciary and that “the concept of guardian data fiduciary may lead to circumvention and dilution of law.”

4. A new definition for social media intermediaries:

The JPC recommended that all social media platforms, which do not act as intermediaries, should be treated as publishers and be held accountable for the content they host. It also proposed classifying social media platforms as significant data fiduciaries, instead of intermediaries and fiduciaries processing children’s data or providing services to them.

5. One regulator for all media platforms

The JPC also recommended the creation of a statutory authority for the regulation of content on all media platforms. The committee recommends that a statutory Media Regulatory Authority, on the lines of the Press Council of India, may be set up for the regulation of the contents on all such media platforms irrespective of where their content is published, whether online, print, or otherwise.

This recommendation could lead to new liabilities and compliance requirements for social media platforms, streaming platforms, and news media organisations.

6. Cross-border data transfers based on countries meeting adequacy requirements:

Sensitive personal data can be transferred outside the country when the Central Government, after consultation with the DPA, has allowed the transfer to a country, or to such entity or class of entities in a country, or to an international organisation, on the basis of its finding that:

  • such sensitive personal data shall be subject to an adequate level of protection, having regard to the applicable laws and international agreements;
  • such transfer shall not prejudicially affect the enforcement of relevant laws by authorities with appropriate jurisdiction;
  • such sensitive personal data shall not be shared with any foreign government or agency unless such sharing is approved by the Central Government

7. A policy for gradual data localisation recommended:

The JPC has recommended that the Central Government must prepare and pronounce an extensive policy on data localisation encompassing aspects like:

  • development of adequate infrastructure for the safe storage of data of Indians which may generate employment
  • introduction of alternative payment systems to cover higher operational costs
  • inclusion of a system that can support local business entities and startups to comply with the data localisation provisions laid down under this legislation

8. Report data breaches within the stipulated time:

  • The JPC has recommended significant changes to the role of the DPA during a data breach by requiring data fiduciaries to report all data breaches to the DPA.
  • They will be required to submit the notice to the DPA within 72 hours after becoming aware of the data breach, the committee added.
  • The DPA should ask the data fiduciaries to maintain a log of all data breaches (both personal and non-personal data breaches), to be reviewed periodically by the Authority, irrespective of the likelihood of harm to the data principal.

9. Data Protection Officer as one of the key managerial personnel:

Definition: The Bill defined a Data Protection Officer as an officer who will be appointed by a significant data fiduciary under Section 30 of the Bill.

Functions of Data Protection Officers: Every significant data fiduciary shall appoint a data protection officer who will be responsible for carrying out some of these functions:

  • Providing information and advice to the data fiduciary on matters related to the Act
  • Assisting and cooperating with authority on matters of compliance of data fiduciary
  • Monitoring personal data processing activities of the data fiduciary
  • Providing advice to the fiduciary on carrying out data protection impact assessments

Key Managerial Position: The draft stated that one cannot be appointed as a data protection officer unless the person is a “senior level officer or key managerial person” having adequate knowledge in technical matters, particularly data protection or privacy. These are the officers who, the draft said, fall under the term “key managerial personnel”:

  • Chief Executive Officer or Managing Director or the manager
  • Company secretary
  • Whole time director
  • Chief Financial Officer

10. The new legislation will deal with both personal and non-personal data

The report changed the name of the draft law from the ‘Personal Data Protection Bill’ to the ‘Data Protection Bill, 2021’. This reflects the expansion of the regulatory ambit, as the draft law will also regulate “non-personal data”.

11. Non-personal data (NPD) should not have a separate framework:

The JPC recommended that the legal framework on NPD must be a part of the Data Protection Act instead of separate legislation. The report also called for both personal and non-personal data to be regulated by one Data Protection Authority (DPA) to avoid confusion and mismanagement. There was no mention of the non-personal data regulation in the draft Personal Data Protection Bill, 2019.

12. Penalties on fiduciaries will be dealt with in a single window

The committee has added clause 62 to the bill as penalties should be dealt with in a single window. This requires complaints filed to the Data Protection Authority (DPA), as laid down in Section 32 (relating to grievance redressal by a data fiduciary), to be forwarded to the Adjudicating officer to adjudge the complaint or application for compensation. Earlier, the bill simply laid down that a principal can approach the Data Protection Authority 30 days after a complaint that the data fiduciary does not address/satisfy.

Two years for implementing the Act:

The JPC has recommended that the bill must provide 24 months for implementation of any and all the provisions of the Act so that the data fiduciaries and data processors have enough time to make the necessary changes to their policies, infrastructure, processes, etc. The committee suggested that the phased implementation should be undertaken to ensure:

  • The Chairperson and Members of DPA are appointed within three months
  • The DPA commences its activities within six months from the date of notification of the Act
  • The registration of data fiduciaries should start no later than nine months
  • Adjudicators and appellate tribunal commence their work no later than twelve months
  • Provisions of the Act shall be deemed to be effective no later than 24 months from the date of notification of this Act.

(Excerpts from various news reports and an article published in Medianama)


Souvik Datta Ray

Senior Consultant - Delivery and Product at Tata Consultancy Services

2 years

Nice information

Ravi Bhardwaj

Great India

2 years

Super Sir
