Personal Data Protection Bill : What Does Joint Parliamentary Committee Report Say?

Joint Parliamentary Committee Report on Data Protection Bill After 2 years of deliberation, the Joint Parliamentary Committee on Personal Data Protection Bill has tabled its Report in both Houses of the Parliament on Thursday. The JPC report which reviewed the country's first data protection law contains a new version of the Data Protection Law titled as 'The Data Protection Bill, 2021.' The proposal for a data protection law came after the Supreme Court declared in Puttuswamy Judgement (2017) that privacy is a fundamental right and directed the government to come up with the data protection regime. In 2019 a Personal Data Protection Bill, 2019 was introduced in Lok Sabha that focused on the protection of data of individuals. In December 2019, the Bill was referred to a Joint Parliamentary Committee for further scrutiny on the demand of opposition members. Key takeaways from the Report Change in Name and Scope of the BillThe JPC Report has changed the name of the draft law from the 'Personal Data Protection Bill' to the 'Data Protection Bill, 2021'. This is as per the expansion in the regulatory ambit as the draft law will also regulate "non-personal data". As explained by the Internet Freedom Foundation, the principal purpose behind this framing is to provide a seemingly blank cheque to the Government under Clause 92 which states, "Nothing in this Act shall prevent the Central Government from framing (***) any policy for the digital economy, including measures for its growth, security, integrity, prevention of misuse,(***) and handling of non personal data including anonymised personal data."Data Protection Authority to deal with both personal and non-personal dataThe committee has said that the PDP Bill should cover both sets of data till an additional framework is established to distinguish between personal and non-personal data.Exemptions for government bodiesThe JPC report retains the controversial clause providing that central government will have the authority to exempt any agency of the government from the provisions of the act. It however adds a qualification that- "subject to just, fair, reasonable and proportionate procedure. "The earlier version of the draft gave the central government the power to grant exemptions without qualifying that the procedure for granting exemptions must be just, fair, reasonable and proportionate.The Report notes that the JPC is "concerned about the possible misuse of the provisions if the privacy rights of the individual have to be subsumed for the protection of the larger interests of the State" and by way of the added qualification, the committee aims to "strike a balance between Article 19 of the Constitution, Puttaswamy judgment and individual rights with respect to privacy."It may be noted that members of the Committee had recommended certain amendments to the Clause - Public order be removed as a ground for exemption; Judicial oversight/parliamentary oversight be required for granting exemptions; Written order with reasons for exempting a certain agency from the ambit of the Bill; Introduction of safeguards to reflect that the exemptions are by law, necessary and proportionate.The Committee however feels that though the State has rightly been empowered to exempt itself from the application of the Act, this power may, however, be used only under exceptional circumstances and subject to conditions laid down in the Act.Data BreachesThe committee has recommended that clause 25(3) include a 72-hour reporting period for data breaches.Powers of the GovernmentJPC Report has retained the controversial clause exempting the Governmental agencies from the purview of the law with a minor change. The central government should have absolute power over the Data Protection Authority (DPA) and be able to exempt any government body from the provisions of the bill citing 'just, fair, reasonable and proportionate procedure'.Children's DataSection 3(8) of the Bill defines a "child" as a person who has not completed eighteen years of age. Data fiduciaries processing children's data have a different set of obligations to follow including getting consent from a parent or guardian before processing the child's data. While the JPC report has been tabled before the Parliament, the members have not been unanimous in their recommendation. Several members have noted their dissent on key provisions of the Bill. Provisions on exemption to government agencies, how data fiduciaries must handle the personal data of children, and the composition of Data Protection Authority have been contentious issues. Bill has been conceived with Pre-Puttuswamy mindset: MP Manish Tewari's Dissent In his dissent note annexed to the JPC Report, MP Manish Tewari notes that the Bill has been conceived with a "pre-Puttuswamy mindset" that fails to capture the essence of the landmark piece of judgement. He further states that...

Personal Data Protection Bill : What Does Joint Parliamentary Committee Report Say?

Sneha Rao

Tags