Personal Data Protection Bill : What Does Joint Parliamentary Committee Report Say?

After 2 years of deliberation, the Joint Parliamentary Committee on Personal Data Protection Bill has tabled its Report in both Houses of the Parliament on Thursday. The JPC report which reviewed the country's first data protection law contains a new version of the Data Protection Law titled as 'The Data Protection Bill, 2021.'

The proposal for a data protection law came after the Supreme Court declared in Puttuswamy Judgement (2017) that privacy is a fundamental right and directed the government to come up with the data protection regime. In 2019 a Personal Data Protection Bill, 2019 was introduced in Lok Sabha that focused on the protection of data of individuals. In December 2019, the Bill was referred to a Joint Parliamentary Committee for further scrutiny on the demand of opposition members.

Key takeaways from the Report

1. Change in Name and Scope of the Bill
   The JPC Report has changed the name of the draft law from the 'Personal Data Protection Bill' to the 'Data Protection Bill, 2021'. This is as per the expansion in the regulatory ambit as the draft law will also regulate "non-personal data". As explained by the Internet Freedom Foundation, the principal purpose behind this framing is to provide a seemingly blank cheque to the Government under Clause 92 which states, "Nothing in this Act shall prevent the Central Government from framing (***) any policy for the digital economy, including measures for its growth, security, integrity, prevention of misuse,(***) and handling of non personal data including anonymised personal data."
2. Data Protection Authority to deal with both personal and non-personal data
   The committee has said that the PDP Bill should cover both sets of data till an additional framework is established to distinguish between personal and non-personal data.
3. Exemptions for government bodies
   The JPC report retains the controversial clause providing that central government will have the authority to exempt any agency of the government from the provisions of the act. It however adds a qualification that- "subject to just, fair, reasonable and proportionate procedure. "
   The earlier version of the draft gave the central government the power to grant exemptions without qualifying that the procedure for granting exemptions must be just, fair, reasonable and proportionate.
   The Report notes that the JPC is "concerned about the possible misuse of the provisions if the privacy rights of the individual have to be subsumed for the protection of the larger interests of the State" and by way of the added qualification, the committee aims to "strike a balance between Article 19 of the Constitution, Puttaswamy judgment and individual rights with respect to privacy."
   It may be noted that members of the Committee had recommended certain amendments to the Clause  -  Public order be removed as a ground for exemption; Judicial oversight/parliamentary oversight be required for granting exemptions; Written order with reasons for exempting a certain agency from the ambit of the Bill; Introduction of safeguards to reflect that the exemptions are by law, necessary and proportionate.
   The Committee however feels that though the State has rightly been empowered to exempt itself from the application of the Act, this power may, however, be used only under exceptional circumstances and subject to conditions laid down in the Act.
4. Data Breaches
   The committee has recommended that clause 25(3) include a 72-hour reporting period for data breaches.
5. Powers of the Government
   JPC Report has retained the controversial clause exempting the Governmental agencies from the purview of the law with a minor change. The central government should have absolute power over the Data Protection Authority (DPA) and be able to exempt any government body from the provisions of the bill citing 'just, fair, reasonable and proportionate procedure'.
6. Children's Data
   Section 3(8) of the Bill defines a "child" as a person who has not completed eighteen years of age. Data fiduciaries processing children's data have a different set of obligations to follow including getting consent from a parent or guardian before processing the child's data.

While the JPC report has been tabled before the Parliament, the members have not been unanimous in their recommendation. Several members have noted their dissent on key provisions of the Bill. Provisions on exemption to government agencies, how data fiduciaries must handle the personal data of children, and the composition of Data Protection Authority have been contentious issues.

Bill has been conceived with Pre-Puttuswamy mindset: MP Manish Tewari's Dissent

In his dissent note annexed to the JPC Report, MP Manish Tewari notes that the Bill has been conceived with a "pre-Puttuswamy mindset" that fails to capture the essence of the landmark piece of judgement. He further states that the Bill "creates two parallel universes- one for the private sector where it would apply with full rigor and one for the government where it is riddled with exemptions and escape clauses" despite Fundamental Rights being principally enforceable against the state.

The MP dissented on clauses 12 and 35 of the Bill which allow for the government to process personal data without consent from users in certain cases and give the government the power to exempt any of its agencies from any or all provisions of the Bill.

"A Bill that seeks to provide blanket exemptions even for a limiter period to the state and its instrumentalities is ultra vires the Right to Privacy," Tewari notes in his dissent.

Mr.Tewari further adds that Clause 35 should read as:

"No such exemption shall be granted till the time it is judicially determined by the Appellate Tribunal provided in clause 68. Any person shall have right to access the Appellate Tribunal by filing an appropriate application delineating the reasons why such an exemption should or should not be granted. The said exemption must be vide a reasoned order and duly notified so as to ensure that the remedy available under Clause 76 can be exercised by the concerned."

Data Protection Bill is Orwellian in Nature: MPs Mahua Moitra and Derek O'Brien

Mr.Derek O Brien and Ms. Mahua Moitra in their combined dissent note that despite amendments being moved to Clause 35 of the Bill which gives the Central Government the power to exempt any agency of the government from application of the Act, "not only has the Committee failed to introduce proper safeguards in Clause 35 to prevent its misuse but has also made recommendations to empower Central Government with more unqualified powers." They recommend that the sweeping powers granted to the Central Government to exempt any government agency from the application of the Act be removed. They also recommend that non-personal data should be excluded from the provisions of the Bill.

Powers granted to state inconsistent with Puttuswamy Judgement: MP Vivek Tankha

Vivek Tankha too dissented clauses 12 and 35 of the Data Protection Bill, 2021. In his dissent note, the MP states that "the PDP Bill bases itself on an incorrect assumption that the right to privacy arise only for protection against breach qua private and the state is exempt from the constitutional responsibilities."

"The government agencies have a special status, treated as a distinct class, which makes the recommendation inconsistent with the spirit of the judgement laid down in K. Puttuswamy case," he adds.

In this light he adds that amendments to these provisions are necessary to prevent abuse of the power of exception so liberally granted to the state.

He recommends the need to put a check on sharing of personal data unless "it is inconsistent with national security, sovereignty, foreign relations or for prevention/detection of any crime/cognizable offence." Though, he adds, "these exceptions may be allowed only in exceptional cases and by a reasoned order for posterity and constitutional courts to judge the level of personal intrusion."

Need to Constitute Data Protection Authority at State Level: Amar Patnaik

MP Dr. Amar Patnaik in his dissent note recommends an overarching, data protection authority independent of the Union Government. He raises the issue of a data protection authority under the control of the central government being inimical to the principle of federalism. He further added that, "the separation will ensure structural, fiscal, and functional autonomy and protect the commission from adverse changes to tenure, composition, salary, and appointment methods."

Age of consent for children needs to be lowered in a digital age: MP Ritesh Pandey

In his dissent note, MP Ritesh Pandey objected to the high age of consent and the power of the government to exempt any of its agencies from the Bill. Pandey recommends that age of consent be brought down to fourteen years, since the current definition of 18 years and below "does not stand with the principle of the best interest of a child in the digital age."

"Although protecting children's privacy and welfare is a vital concern of the Bill, the definition of a child should be anyone under the age of 14, so as to allow young users to benefit from innovative technologies without the onus of obtaining consent from their parent/guardian. This amendment also takes into account the social barriers that young women face in accessing the internet, particularly in rural India," he adds.

With regard to government power to exempt agencies, Pandey noted:

"Section 35 of the current bill effectively enhances existing surveillance powers of the government without the limitations built in Section 5 and guaranteeing best practices of security under Section 24. Therefore, granting access to personal data to the Central Government, without appropriate safeguards and judicial oversight is against established constitutional principles and should not form part of the Bill."

MP Gaurav Gogoi notes in his dissent on the wide exemptions provided to government and its agencies under Clauses 13 and 35; lack of parliamentary oversight and engagement and regulation of non-personal data under the framework.

In addition to the dissent notes of the members of the Joint Parliamentary Committee, the Internet and Mobile Association of India in its statement on the JPC Report has expressed its concerns and said that the Data Protection Bill "has changed fundamentally from the 2019 version." The industry body raised concerns over age restriction of 18 years on certain services that will exclude an important demographic from the digital ecosystem, and will contradict most data regimes that create enabling provisions for 13-18 years. IAMAI noted that inclusion of non-personal data within the personal data protect bill is contrary to the recommendations of the expert committee appointed by MEI ITY to develop a framework for non-personal data governance.

The Bill and the Committee's report will be taken up debate and deliberation by the Parliament soon. If assented to, the Report and the Bill will pave way for India's first data protection laws.

Read detailed analysis of the JPC's Report and recommendations here:

1. Key takeaways from the JPC Report on the Datta Protection Bill, Internet Freedom Foundation, https://internetfreedom.in/key-takeaways-the-jpc-report-and-the-data-protection-bill-2021-saveourprivacy-2/.
2. A complete guide to the Data Protection Bill, 2021, Medianama, https://www.medianama.com/2021/12/223-data-protection-bill-2021-guide/.