Summary of the JPC recommendations on the Personal Data Protection Bill, 2019

The Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill, 2019 has come out with its report. The committee, formed on 11 December 2019 to consider the Personal Data Protection Bill, 2019, is an ad hoc Joint Select Committee, also called a Joint Parliamentary Committee. It was formed by virtue of the motion passed by the Lok Sabha on 11 December 2019 during the winter session of the Parliament. You can read our FAQ on the JPC committee here.

This is a brief summary of the report. We will be publishing a detailed analysis soon.

 

  • Timeline for implementation of the Bill
    The committee has observed that the Bill does not provide a specific timeline for its implementation, and it therefore provides for a period of 24 months after enactment. It has further provided for phased implementation of the Bill. The phases are:

 

      • 3 Months: Chairperson and Members of DPA are appointed
      • 6 Months: The DPA commences its activities
      • Within 9 Months: The registration of data fiduciaries should start
      • Within 12 Months: Adjudicators and appellate tribunal commence their work
      • Within 24 Months: All provisions of the Act to be implemented

 

  • Regulation of Non Personal Data under the same Legislation
    The committee has recommended that Non Personal Data be regulated under the Personal Data Bill. Any further policy or legal framework that may be adopted will be a part of the Data Protection Bill instead of being a separate legislation. The reason given by the committee is that limiting the scope of a data protection legislation to personal data only will be detrimental to privacy. In addition, for administrative convenience in governing data protection, it is necessary to ensure that all data is dealt with by one Data Protection Authority. Pursuant to this, the Committee recommended the following:

 

  1. The title of the Bill be changed to THE DATA PROTECTION BILL, 2021. Accordingly, changes have been recommended in the Long Title and Preamble of the Bill as well.

  2. Clause 2 of the Bill which provides for application of the Act, has now been broadened to include non personal data including anonymised data.

  3. Definitions of non personal data and non personal data breach have been added in clause 3. Non personal data has been defined as the data other than personal data.
     

  • On Right to be Forgotten or Erasure
    The committee observed that there is a need to protect the privacy of an individual, which is provided for under the Right to be Forgotten; however, there might be scenarios where such erasure is not possible due to legal obligations. Therefore, it recommended that the DPA must evolve in line with international best practices and frame regulations which ensure that the rights of the data principal can be exercised in a simple manner while data fiduciaries can discharge their obligations in a way that is practically possible. It must also take into consideration the interests of the government (recommendation 7).

  • On Data Breaches
    The committee has added a definition clause [clause 13(4)] of Data Breach as a breach of personal and non personal data. Clause 25 of the Bill provides for steps to be taken in case of a Data Breach. It states that, when a Data Breach occurs, the Data Fiduciary has to send a notice of the breach to the DPA, following which the DPA may direct the fiduciary to report the breach. With respect to the notice to the DPA, the Committee has recommended that it be made within 72 hours of the Data Fiduciary becoming aware of the breach. With respect to reporting, the committee has recommended the addition of a proviso which enables the DPA to direct the data fiduciary to take “urgent remedial measures” to remedy or mitigate the harm, in addition to “appropriate remedial measures”. The committee has also recommended a sub clause 6, giving powers to the DPA to take such necessary steps, in case of a non personal data breach, as prescribed.

  • On Protection of Data of Children
    The committee recommended (recommendation 5) that a fresh consent must be obtained from a child when he attains the age of majority, which shall be 18 years as per the Majority Act. This must be done before three months of the child attaining majority. However, the provision of services shall not cease unless and until the person opts out or gives fresh consent. In addition, a fiduciary exclusively dealing with data of children has to be registered with the DPA, and accordingly it has been added as a Significant Data Fiduciary under clause 26(1)(g) (recommendation 47). The committee has also deleted the concept of Guardian Data Fiduciary under clause 16, considering it to be unnecessary (recommendation 37).

  • On Data Localisation
    The committee has observed the importance of Data Localisation from the perspective of national security, privacy of citizens and economic value of data. The Committee states that data localisation is an essential component of data protection. It has recommended that, apart from Clauses 33 and 34 of the Bill which provide for Data Localisation, the Central Government must ensure that a mirror copy of “sensitive and critical personal data” which is already in the possession of entities outside India be obtained and brought to India in a time bound manner (recommendation 12).

  • On Social Media Intermediaries
    The committee observed that most social media intermediaries work as internet based intermediaries as well as platforms which are used for communication by individuals. The committee therefore recommended adopting “social media platform” as a more appropriate term in lieu of “social media intermediary”. Thus, it recommended the addition of clause 3(44) defining a social media platform as “platform which primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services;” (recommendation 27).

  • On Exemption to Government Agencies
    Clause 35 of the Bill allows the central government to exempt agencies from application of the provisions of the Bill. The committee observed that the procedure to be adopted by these agencies after the exemption must be fair, reasonable and proportionate; therefore, it has recommended the addition of an explanation of the phrase “such procedure” (recommendation 56).

  • On Right of the Deceased
    The committee observed that there is no mention of the rights of a deceased data principal in the Bill. It has therefore suggested the addition of clause 17 in the Bill, which provides a data principal the right to appoint a nominee, to be forgotten, to append the terms of agreement, in relation to personal data, in the event of one’s death (recommendation 39).

  • On Data Transfer, Processing and Portability
    Clause 19 provides for Portability of Data by a data principal to another fiduciary. Trade Secret and technical feasibility are exceptions to the data principal’s right to portability. However, the committee has recommended removal of the trade secret exception as it is difficult to define. It has also recommended that technical feasibility must be determined by the DPA (recommendation 40). It has also recommended that the Right to be Forgotten under clause 20 shall include processing of data and not just disclosure (recommendation 41). The committee has further recommended that transfer of sensitive personal data and critical personal data outside India has to be done with the prior approval of the central government and must satisfy the condition of Public Policy. It has further added an explanation to define Public Policy (recommendation 52 & 53).

  • On Data Protection Authority and Appellate Tribunal
    The committee observed that the composition of the Selection Committee for the members of the DPA is limited to bureaucrats. Therefore, it recommended an increase in the number of members of the Selection Committee and the inclusion of the Attorney General of India, an Independent Expert, a Director from any of the IITs and a Director from any of the IIMs (recommendation 63). With respect to the Appellate Tribunal, the committee recommended that a lawyer and a reputed jurist may also qualify to be members of the tribunal (recommendation 68).

  • On Liability of State for violation of Provisions of the Act
    The committee has recommended that the Head of a Government department must not be made liable for non compliance with the provisions of the Bill, as given under clause 85, as this may hinder the working of a department and affect its decision making. It has provided that an internal enquiry is to be conducted to determine the liability (recommendation 85).

  • On Right of the Deceased
    The committee observed that there is no mention of the rights of a deceased data principal in the Bill. It has therefore suggested the addition of clause 17(4) in the Bill, which provides a data principal the right to appoint a nominee, to be forgotten, to append the terms of agreement, in relation to personal data, in the event of one’s death (recommendation 39).

  • On Data Transfer and Portability
    Clause 19 provides for the Portability of Data by a data principal to another fiduciary. Trade Secret and technical feasibility are exceptions to the data principal’s right to portability; however, the committee has recommended removal of trade secret as it is difficult to define. It has also recommended that technical feasibility must be determined by the DPA (recommendation 40).
    The committee has recommended that transfer of sensitive personal data and critical personal data outside India has to be done with the prior approval of the central government and must satisfy the condition of Public Policy. It has further added an explanation to define Public Policy (recommendation 52 & 53).

  • On Data Protection Authority and Appellate Tribunal
    The committee observed that the composition of the Selection Committee for the members of the DPA is limited to bureaucrats. Therefore, it recommended an increase in the number of members of the Selection Committee and the inclusion of the Attorney General of India, an Independent Expert, a Director from any of the IITs and a Director from any of the IIMs (recommendation 63). With respect to the Appellate Tribunal, the committee recommended that a lawyer who has been practicing before a High Court or the Supreme Court or a reputed jurist may also qualify to be a member of the tribunal (recommendation 68).

  • On Retention of Data by Data Fiduciary
    The committee observed that the restriction under clause 9, which allows retention of data only till the processing is done, is too restrictive, and it has broadened the scope of retention till satisfaction of the purpose for which the data is processed (recommendation 32).

  • On Processing of Data by Employer
    The committee has suggested that the qualification for non-consensual processing of data by an Employer as a data fiduciary should not be based only on necessity but also on what an employee can reasonably expect (recommendation 36).

  • On Data Protection Officer
    The committee observed that there are hardly any guidelines provided for the appointment of Data Protection Officers by significant data fiduciaries under clause 30 of the Bill. Therefore, it has recommended that a senior level officer in the State or a Key Managerial Personnel be appointed as a Data Protection Officer. It further defines Key Managerial Personnel as a CEO or Managing Director, Company Secretary, Chief Financial Officer or such other person as may be prescribed (recommendation 50).

  • On Complaints, Compensation, and Penalties
    The committee has recommended the addition of clause 62, which introduces a single window to file complaints and to receive compensation (recommendation 73). It has been recommended that penalties, instead of being determined on the basis of the entity's turnover, will be prescribed by the central government (recommendation 71).

You can find a copy of the Joint Parliamentary Committee report on the Personal Data Protection Bill, 2019 below.