NEW DELHI: The Joint Parliamentary Committee (JPC) report on the Personal Data Protection Bill, 2019, was tabled in Parliament on Thursday, two years after it was first introduced in the Lok Sabha.
The report, tabled in the Lok Sabha by BJP member P P Chaudhary, calls for a single regulatory body for personal and non-personal data and a statutory media regulatory authority to regulate social media content.
The JPC report calls for tighter regulation for social media platforms by treating them as publishers who will be regulated for the content they host.
It has suggested that no social media platform be allowed to operate in India unless the parent company handling the technology sets up an office in the country.
Notably, the report seeks to widen the scope of the draft legislation by including non-personal data. Congress MP Jairam Ramesh tabled the bill in the Rajya Sabha.
Many panel members from Opposition parties have given dissent notes on Clause 35 of the proposed law, which talks about empowering the Centre and its law enforcing agencies to process data without seeking permission from the individual.
Critics say the suggested changes further undermine the objectives of the bill by placing economic and state security interests on the same footing as informational privacy.
“While recommending that service shan’t be denied to users for want of conset, the report allows for non-consensual processing of data without necessary safeguards. It weakens user rights by carving exceptions for complying with user requests by data fiduciaries,” says Internet Freedom Foundation.
According to Chaudhary, who is also the chairperson of the panel, when it comes to sovereignty and integrity of the nation, the government can authorise any agency to process personal data.
The report, however, did not recommend any major dilution of the contentious exemption clause, which gives powers to the government to keep any of its agencies outside the purview of the data protection legislation.
Privacy advocates have been opposing the said provision, and some Opposition members of Parliament (MPs) too had flagged concerns through their dissent notes.
The 30-member Joint Committee on Personal Data Protection Bill, 2019, headed by BJP MP P P Chaudhary, tabled its report in both the houses on Thursday.
The key takeaways from the report include widening the scope of the draft legislation to also cover non-personal data, tighter regulation for social media platforms along with establishment of a statutory media regulatory authority on the lines of Press Council of India.
The committee in its report observed that since India has become a big consumer market, there is a large collection, processing and storage of data happening daily.
"The committee opined that it is imperative to store data in India and to restrict access to it by categorising them as sensitive and critical personal data, thus giving impetus to data localisation," the report said.
The committee's report made it clear that "India may no more leave its data to be governed by any other country".
The panel has also favoured a framework to regulate hardware manufacturers who also collect data along with the software.
It advocated a mechanism for certification of all digital and Internet of Things (IoT) devices.
"The committee, considering the immediate need to regulate social media intermediaries have expressed a strong view that these designated intermediaries may be working as publishers of the content in many situations, owing to the fact that they have the ability to select the receiver of the content and also exercise control over the access to any such content hosted by them," the report said.
The panel recommended that all social media platforms, which do not act as intermediaries, be treated as "publishers" and be held accountable for the content they host.
"Further, the committee has recommended that a statutory media regulatory authority, on the lines of Press Council of India, may be set up for the regulation of the contents on all such media platforms irrespective of the platform where their content is published, whether online, print or otherwise," it said.
A mechanism should be devised where social media platforms, which do not act as intermediaries, will be held responsible for the content from unverified accounts on their platforms.
"Once application for verification is submitted with necessary documents, the social media intermediaries must mandatorily verify the account," said the report.
The changes it has proposed to the Bill include classifying social media platforms as significant data fiduciary.
The committee suggested that no social media platform should be allowed to operate in India unless the parent company sets up a local office.
It has sought to bring non-personal data in its ambit too, saying restricting the new legislation only to personal data protection or to name it as Personal Data Protection Bill is "detrimental to privacy".
Accordingly, it has suggested that the title of the bill be amended to Data Protection Bill, 2021.
"The committee, therefore, recommend that since the DPA (Data Protection Authority) will handle both personal and non-personal data, any further policy / legal framework on non-personal data may be made a part of the same enactment instead of any separate legislation," it said.
Suggestions made by the panel are not binding.
The committee has favoured a 24-month timeline for implementation of the provisions of the legislation so that the data fiduciaries and data processors have enough time to make the necessary changes to their policies, infrastructure and processes.
The committee, its report, said though there are provisions (in the Bill) for cross-border transfer of data, "some concrete steps must be taken by the central government to ensure that a mirror copy of the sensitive and critical personal data which is already in possession of the foreign entities be mandatorily brought to India in a time-bound manner".
A 72-hour timeline for reporting of breach of personal data has been suggested by it.
The panel has also favoured flexible penalty provisions for 'data fiduciaries' (those determining the purpose and means of processing of personal data).
Accordingly, it recommended rewording the specific clause to include the term "as may be prescribed, not exceeding" before the penalties which have been prescribed for violation of norms by data fiduciary.
The panel noted that at present there is no single unified agency that regulates the various forms of media, specifically news media, in the country.
"In the committee's view, the existing media regulators such as the Press Council of India are not appropriately equipped to regulate journalism sector that seeks to use modern methods of communication such as social media platforms or the internet at large," it said.
In this regard, the committee felt that there is need for the establishment of a statutory body for media regulation in order to fulfil the said objectives.
(With PTI Inputs)