JPC Report on the PDP Bill
- 23 Nov 2021
Why in News
Recently, a Joint Parliamentary Committee (JPC) has finalised and adopted the draft report on The Personal Data Protection (PDP) Bill, 2019 by a majority.
- The Bill will soon be tabled in the upcoming Winter Session of Parliament. The JPC received five extensions over two years to submit its report on the Bill.
Key Points
- PDP Bill:
- It was first brought to the Parliament in 2019 and was referred to the JPC for examination at the time.
- The Bill was drafted after a Supreme Court ruling in August 2017 (the Puttaswamy judgment) that declared the 'Right to Privacy' a fundamental right.
- It is commonly referred to as the “Privacy Bill” and intends to protect individual rights by regulating the collection, movement, and processing of data that is personal, or which can identify the individual.
- The Bill is landmark legislation meant to regulate how various companies and organizations use individuals’ data inside India.
- The 2019 draft of the Bill proposed the formation of a Data Protection Authority (DPA), which would regulate the use of users’ personal data by social media companies and other organizations within the country.
- Report:
- Clause 35/Exemption Clause:
- The committee has retained the Clause with a minor change.
- It allows the Government to keep any of its agencies outside the purview of the law.
- In the name of “public order”, “sovereignty”, “friendly relations with foreign states” and “security of the state”, the Clause allows any agency under the Union Government to be exempted from all or any provisions of the law.
- The Clause is for “certain legitimate purposes”, and there is precedent for it in the reasonable restrictions imposed upon the liberty of an individual, as guaranteed under Article 19 of the Constitution and the Puttaswamy judgment.
- Recommendations:
- Policy on Data Localisation:
- An alternative indigenous financial system for cross-border payments should be developed on the lines of Ripple (U.S.) and INSTEX (EU), and the Central Government, in consultation with all the sectoral regulators, must prepare and pronounce an extensive policy on data localisation.
- Certification for Digital Devices:
- Government should make efforts to establish a mechanism for the formal certification process for all digital and IoT (Internet of Things) devices that will ensure the integrity of all such devices with respect to data security.
- Accountability of Social Media:
- It has recommended that all social media platforms, which do not act as intermediaries, should be treated as publishers and be held accountable for the content they host, and should be held responsible for the content from unverified accounts on their platforms.
- The government should also define the threshold of users for significant social media platforms and the process of voluntary user verification.
- Sharing Data:
- Under clause 94, previously clause 93, which deals with granting powers to the government to make rules, the panel recommends that the government decide the manner in which a data fiduciary can share, transfer or transmit the personal data to any person as part of any business transaction.
- A data fiduciary is an entity or individual who decides the means and purpose of processing personal data.
- The government should take the final call on whether sensitive personal data can be shared with a foreign government or agency.
- The recommendations also give the government the scope to set up a future statutory body to look into the use of personal data by journalistic organisations.
- The recommendations suggest the government will decide the penalty for those failing to comply with the provisions, which was earlier defined with respect to the global turnover of the company as part of the bill.
- Concerns:
- The committee expressed concerns with possible misuse. Though the State has rightly been empowered to exempt itself from the application of this Act, this power may be used only under exceptional circumstances and subject to conditions as laid out in the Act.
- The Bill creates two parallel universes — one for the private sector where it would apply with full rigour and one for the Government where it is riddled with exemption, carve outs and escape clauses.
- A Bill that seeks to provide blanket exemptions either in perpetuity or even for a limited period to the ‘state’ and its instrumentalities, is beyond the legal power of the Fundamental Right to privacy as laid down in Puttaswamy judgement.
- The Bill does not provide adequate safeguards to protect the right to privacy and gives an overbroad exemption to the Government. Clause 35 is open to misuse since it gives unqualified powers to the Government.
- The Bill pays little attention to “harms arising from surveillance and effort to establish a modern surveillance framework”.
- The Bill has no provision to keep a check on collection of data by hardware manufacturers.