An Assessment of the JPC Report on PDP Bill, 2019

This article assesses various changes to the Personal  Data Protection Bill, 2019 proposed by a Joint Parliamentary Committee in the Data Protection Bill, 2021. The article points to the possible shortcomings of the JPC proposal and makes suggestions to strengthen the Data Protection Bill, 2021.

In December 2021, the latest draft of India's proposed data protection law, the Data Protection Bill, 2021[1] (DP Bill, 2021), was made public alongside the report of the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019[2] (JPC report). The DP Bill, 2021 would now be discussed in both houses of Parliament, which could result in the first comprehensive legislation on data protection in India. This article assesses the significant changes made by the JPC report to the Personal Data Protection Bill, 2019 (PDP Bill, 2019)[3] as they appear in the DP Bill, 2021.

Introduction to the PDP Bill, 2019
The PDP Bill, 2019 was a comprehensive draft of data protection legislation introduced in the Lok Sabha in December 2019. The bill aimed to protect the right to privacy concerning individuals' personal data (Preamble and Long Title). It also aimed to create a relationship of trust between the data principal (the person to whom personal data belongs) and the data fiduciary (the entity deciding the means and purpose of processing personal data (Preamble and Long Title).

The PDP Bill, 2019 would apply to processing personal data of data principals by data fiduciaries. (Chapter I) Data fiduciaries would have obligations (Chapter II) and would be required to process personal data based on consent or other non-consensual grounds of processing (Chapter III). Data principals would have rights such as the right to erasure, access, and data portability (Chapter IV).

The PDP Bill, 2019 provided an exemption clause making it possible for the central government to exempt any agency from the application of the law. (Chapter VIII) It provided for the establishment of a Data Protection Authority for the enforcement of the law (Chapter IX). The PDP Bill, 2019 provided penalties and compensation (Chapter X).

The JPC has proposed changes to the PDP Bill, 2019 in the Data Protection Bill, 2021, which are discussed in the following section.

Assessment of Significant Clauses in the Data Protection Bill, 2021

Scope and Objectives

The DP Bill, 2021 has introduced changes to the scope and objectives of the PDP Bill, 2019. The stated aim in the Long Title and the Preamble suggests protecting "digital privacy" rather than "privacy,” as suggested by PDP Bill, 2019. The effort is to restrict the scope of the proposed law to cover digital data alone.

This creates the possibility of exempting non-digital data from the ambit of the law, leading to a lack of data protection for non-digital data. Such an exemption for non-digital data is concerning because a large amount of processing can happen through manual processing, forming part of non-digital filing systems.

Second, the proposal is to replace "personal data" in the title of the PDP Bill, 2019 with "data" (Long Title and Preamble DP Bill, 2021). Consequently, the proposed draft suggests Data Protection Bill, 2021 and not "Personal" Data Protection Bill, 2021 as the new title of the law. It highlights the effort to incorporate non-personal data under the ambit of the new framework. The clause on material scope now proposes that the law should apply to "the processing of non-personal data including anonymised data" (Clause 2, DP Bill, 2021). The JPC proposal is to have a framework on non-personal data as part of the same enactment when the provisions on non-personal data are final.[4]

The proposal to regulate personal and non-personal data under single legislation creates ambiguity because the proposed regulatory frameworks for personal and non-personal data have different envisaged foundational bases. While the right to privacy forms the foundational basis of personal data protection, community interest in maximising value from non-personal data is the basis for non-personal data governance.[5] The difference in envisaged bases creates the need for separate legislation instead of the single legislation proposed by the JPC.

Third, the objective of the proposed law now includes the "interest and security of the state" (Long Title and Preamble DP Bill, 2021). Such an objective was missing in the PDP Bill, 2019.

Balancing privacy rights with state security interests is a complex exercise (Shukla 2021). In the past, there have been potential issues requiring such balancing when Rule 4 of the Digital Media Ethics Rules under the Information Technology (IT) Act was challenged in Indian courts (Shukla 2020). While state security is an important objective, there is a need to ensure that state security interests do not give way to general and indiscriminate processing of data affecting privacy and leading to surveillance.

Consent

The PDP Bill, 2019 had a clause making the requirement of consent necessary for processing personal data. The DP Bill, 2021 has proposed a sub-clause which states that the provision of goods or services shall not be "denied based on the exercise of choice" (Clause 11[4][ii] DP Bill, 2021).

This clause relates to the idea of free consent and strengthens the data principals' position. Now, the data principal cannot be denied a service because they refuse to provide consent for the processing of personal data.

However, a few aspects of consent still need to be addressed by DP Bill 2021. There is a need for the law to recognise that consent is not bundled, and requests for consent are separated from other requests. Such a provision is required because the data principal would not have a free choice when consent is bundled.

Non-consensual Processing

Like the PDP Bill, 2019, the DP Bill, 2021 proposes "reasonable purposes" as a ground for the non-consensual processing of personal data (Clause 14, DP Bill, 2021). For practical purposes, reasonable purposes may include the operation of search engines, credit scoring, and processing publicly available personal data. Thus, the processing for such purposes can be carried out non-consensually.

There are potential issues with allowing the processing for non-consensual purposes without safeguards (Reddy 2020). A precaution that could be provided is that the reasonable purpose must be balanced with the data principal's rights.

The DP Bill, 2021 has changed the PDP Bill 2019's clause that allows the state's non-consensual processing of personal data (Clause 12 DP Bill, 2021). The word "including" has now been prefixed before the list of functions[6] for which processing can happen on non-consensual grounds (Clause 12(a) DP Bill, 2021).

This makes the list illustrative rather than exhaustive, creating a possibility for the non-consensual processing of personal data for various state functions. There is thus a need to circumscribe the state functions for which non-consensual processing of personal data is allowed. Besides, the safeguard of proportionality should determine the extent of processing allowed by the state under this clause.

The DP Bill, 2021 proposes a clause on non-consensual processing for employment (Clause 13 of the DP Bill, 2021). The processing can happen if necessary "or" if it "can reasonably be expected by the data principal" (Clause 13[1] DP Bill, 2021). The word "or" and the clause it "can reasonably be expected by the data principal" have been added by the JPC to the clause under PDP Bill, 2019.

It is possible that the use of the word "or" could dilute the clause. Contrary to the intent of the JPC, the clause seems to imply that personal data may be non-consensually processed even when the processing is unnecessary. Therefore, instead of the word "or," the clause could use the word "and.”  The data fiduciary could then process the personal data for employment only if necessary and reasonably expected. This is important considering the imbalance of power between employees and employers. The processing of personal data in the employer-employee relationship requires strong safeguards, especially because non-consensual processing is allowed.  

Children's Data

The PDP Bill, 2019 classified data fiduciaries as guardian data fiduciaries when they process large amounts of children's data or operate websites directed to children (Clause 16[4] PDP Bill, 2019). The classification of data fiduciaries as "guardian data fiduciary."[7] In the PDP Bill, 2019 has been omitted. The clause on processing children's personal data now applies to all data fiduciaries.

As per the proposed DP Bill, 2021, data fiduciaries must verify children's age and obtain consent from their parents or guardians before processing any personal data (Clause 16(2) DP Bill, 2021). Besides, data fiduciaries are barred from all profiling, tracking, behavioural monitoring, or targeted advertising directed at children (Clause 16(4) DP Bill, 2021).

While the clause protects children's privacy, the practical implementation of the clause is challenging. There are questions such as how websites would verify that a user is a child and how websites would operate to exclude advertising, targeting and tracking mechanisms for such identified users. Such concerns need to be addressed by clarifying the possible ways of verification.

Right to be Forgotten

The PDP Bill, 2019 had proposed the right to be forgotten as a right requiring the restriction of continuing disclosure of personal data (Clause 20 PDP Bill, 2019). The DP Bill, 2021 has added the term "processing" to the clause.

This suggests that the right is not restricted to the continuing disclosure of personal data but extends to the restriction of the continuing processing of data (Right to be forgotten, Clause 20 DP Bill, 2021). Now, the right to be forgotten requires that data must not only be restricted from disclosure in the public domain. The data processing must also be restricted. Thus, there is greater protection for the data principal.

Nevertheless, the clause also imposes an onerous burden of proof on the data principals, which is missing in the PDP Bill, 2019. The DP Bill, 2021 requires that data fiduciaries need to prove that their right to restrict the processing overrides "the right of the data fiduciary to retain, use and process such data" (Clause 20(2) Proviso DP Bill, 2021). As the right to be forgotten is essential to privacy and for a person to overcome the past, an onerous burden of proof limits an essential right of the data principal.

Automated Decision-making (Algorithms)

Unlike PDP Bill, 2019, the DP Bill, 2021 introduced a clause requiring data fiduciaries to provide information about the "fairness of algorithm or method used for processing of personal data" (Clause 23 DP Bill, 2021).

While this clause brings transparency when artificial intelligence is used to process personal data, there is a need for a clause that allows data principals to challenge decisions made about them using artificial intelligence. Such a clause is essential to meet several challenges in processing personal data by artificial intelligence, such as the possibility of making biased decisions and discrimination.

Exemptions for the State

The DP Bill, 2021 proposed including a non-obstante clause in the exemption clause under PDP Bill, 2019. The exemption clause under DP Bill 2021 states, "Notwithstanding anything contained in any law for the time being in force", the government may exempt any agency from the provisions of the law "subject to such 'procedure' as may be specified" (Clause 35 DP Bill, 2021). An explanation has been added, clarifying that this "procedure" must be a "just, fair, reasonable and proportionate measure" (Clause 35 Explanation (iii) DP Bill, 2021).

A lack of safeguards of necessity and proportionality raises the question of the constitutionality of the exemption clause, which needs to meet the Puttaswamy Triple test.[8] The explanation added by the DP Bill, 2021 that the procedure must be a "just, fair, reasonable and proportionate measure" (DP Bill, 2021) is only a procedural safeguard (Internet Freedom Foundation 2021). Therefore, DP Bill, 2021 merely suggests that the procedure should be proportionate. It should also provide the substantive requirements of necessity and proportionality as per the triple test.  

Data Breach Notification

The DP Bill, 2021 has proposed the removal of the condition from PDP Bill, 2019 that the data fiduciary is required to inform of a breach only when the breach is likely to cause harm to data principals (Clause 25 DP Bill, 2021). This creates more robust protection as the requirement now is to report all data breaches. The proposed requirement is also to report a breach within 72 hours (Clause 25 DP Bill, 2021). The breach needs to be reported to the DPA, which "shall" direct the data fiduciary to report the breach to the data principal after considering the severity of harm (Clause 25(5) DP Bill, 2021).

However, the DP Bill, 2021 does not have a clause requiring the data fiduciary to provide data breach notification to the data principal. There is a need for such a provision so that data fiduciaries may immediately inform data principals of data breaches which carry a risk to their privacy. This would allow them to take remedial measures expeditiously.  

Voluntary Verification of Profiles by Social Media Platforms

The DP Bill, 2021 proposes "social media platforms" to voluntarily verify user accounts and provide a visible mark of verification, which shall be visible to all users of the service (also, under Clause 28(3)-(4) PDP Bill, 2019). The DP Bill 2021 uses the term "social media platform" instead of the "social media intermediary" used by PDP Bill 2019.

There are potential privacy issues with this proposed clause. First, the verification of social media accounts greatly hinders online anonymity. A high level of informational privacy is engaged through anonymous internet activity.[9] Second, verification of profiles using identity documents has the potential to streamline the existing surveillance by social media companies. The fear of constant surveillance could also result in a chilling effect on free speech on social media.

Transfer of Data outside India—Data Localisation

A complex set of conditions for the transfer of data beyond the territory are, in effect, the mandate of data localisation (Basu et al 2019). One of the contentious data localisation principles is that sensitive personal data shall continue to be stored in India (Clause 33 PDP Bill, 2021). Besides, critical personal data shall only be processed in India (Clause 33 DP Bill, 2021).

The JPC report has supported data localisation in India. The JPC reasons that it would help fulfil national security objectives, law enforcement (as it could be difficult to access data stored in foreign countries), and employment generation by enhancing data centre infrastructure and ensuring data privacy.[10]

However, data localisation has also been questioned for these stated benefits. There is a view that data localisation may increase market access barriers for digital firms and negatively impact investment (CUTS International 2020). Companies could face significant compliance and other costs (Bailey and Parsheera 2018) and may need to restructure their business and system architecture (CUTS International 2020). Moreover, data localisation might not ensure data access to drive innovation (CUTS International 2020). It has also been suggested that it is a fallacy to assume that data localisation would lead to better privacy protections (Bailey and Parsheera 2018).

Both sides of the debate need to be assessed, and appropriate policy objectives guide India's proposed data localisation clause.

Enforcement Mechanism - Independence of the DPA

The DP Bill 2021 proposal does not explicitly distinguish between state and non-state entities, except in the exemption clause. Consequently, the DPA may even have jurisdiction over the state's data protection matter. As the DPA is entrusted with protecting the fundamental right to privacy even against the executive, it requires the DPA to be independent (Patnaik 2020).

The PDP Bill, 2019 had suggested that the selection committee would be composed only of members of the executive (Clause 42 of PDP Bill, 2019). The DP Bill, 2021 proposes including the Attorney General and an independent expert in the selection committee of the chairman and members of the DPA (Clause 42 DP Bill, 2021). This is a positive step towards ensuring an independent DPA.

But, the DP Bill, 2021 proposes that all the directions of the central government would bind the DPA      (Clause 87(2) DP Bill, 2021). The PDP Bill, 2019, had provided that the central government orders would bind the DPA on "questions of policy.” The DP Bill, 2021 has omitted the phrase "questions of policy," suggesting that the central government orders would now bind DPA on all matters (Bedi 2021). Moreover, the powers of the central government limit the discretion of the DPA. This is clear from the powers given to the central government under various proposed clauses of the DP Bill, 2021. Therefore, safeguards are needed, especially since the state is also the most prominent data fiduciary.

Penalties  

The DP Bill, 2021 has proposed including "as may be prescribed" while laying down penalties (Clause 57, DP Bill, 2021), limiting up to 2% and 4% of worldwide turnover.

Introduction of "as may be prescribed" suggests that penalties may be reduced through executive order. There is a need to ensure that penalties are prescribed at a global standard. It would deter data fiduciaries from non-compliance and promote global compliance standards in India.

Conclusions

There is now a need to ensure strengthened consent mechanisms and data protection rights. Non-consensual processing must have an adequate safeguard. Broad exemptions under the proposed law need safeguards such as necessity and proportionality. The independence and discretion of the data protection authority must be ensured. There is a need for strong enforcement and prescribing penalties at a global standard. As India moves towards enacting data protection legislation, there is a need to ensure a strong data protection framework and robust enforcement.

 

 

 

 

 

 

Back to Top