Extracts from the analysis by Internet Freedom Foundation. Given that non-personal data can often be de-anonymised, or can impact individuals even when it remains in an aggregated, non-identifiable manner through digital systems, we have recommended its regulation by the Data Protection Authority, says IFF in its representation.
By Internet Freedom Foundation Team
The report of the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019 was finally tabled in Parliament on December 16, 2021.
Read on to learn about the key takeaways from the report on issues such as user consent, user rights, the nature of the proposed Data Protection Authority, and exemptions granted to governments.
Background
After almost two years, the report of the Joint Parliamentary Committee (‘JPC’) on the Personal Data Protection Bill, 2019 was finally released on December 16, 2021. The Report also contains a new version of the law titled, “The Data Protection Bill, 2021”. This period has seen multiple consultations, a change in JPC members, and even a change in the Chairperson.
Here is the first part of the top 10 issues along with analysis of the ramifications of the Bill.
- Objectives become worse
One of the first noticeable changes is in the preamble of the Draft Data Protection Bill, 2021. The JPC, after arguing against the privileges of the digital economy over data protection, has decided to continue with large parts of the 2019 Bill that place economic interests (at the very least) on the same footing as the need to protect informational privacy. The Draft Data Protection Bill, 2021 undermines the primacy of an individual’s privacy by adding the words “to ensure the interest and security of the State” in the first paragraph of the Preamble. This clearly marks a primary objective of the law to serve security interests that are misplaced within a data protection law.
The report’s emphasis on promoting the digital economy through data protection legislation is also apparent with the insertion of, “that fosters sustainable growth of digital products and services” to the Preamble. This is unfortunate, as it continues to prioritize economic benefits for enterprises over the protection of Indians who would be data subjects or users of digital services.
Such a hierarchy is in opposition to the judgment of the Supreme Court in Justice K.S.Puttaswamy vs Union Of India (2017) (“the Right to Privacy Judgement”).
However, there is a welcome insertion of, “individual” within the text of the Preamble as the subject of protection. This provides some needed clarity in recognition that the law will serve ordinary Indians rather than artificial entities such as companies or the state.
- Scope and name change to “Data Protection Bill”
The JPC Report has changed the name of the draft law from the “Personal Data Protection Bill” to “The Data Protection Bill, 2021”. This is as per the expansion in the regulatory ambit as the draft law will also regulate “non-personal data”. This follows from the definition provided by Clause 3(28), as, “data other than personal data” which is essentially data that is not identifiable with an individual.
However, the principal purpose behind this framing is to provide a seemingly blank cheque to the Government under Clause 92 which states, “Nothing in this Act shall prevent the Central Government from framing (***) any policy for the digital economy, including measures for its growth, security, integrity, prevention of misuse,(***) and handling of non-personal data including anonymised personal data.” Essentially, without providing any legal ingredients, or any legislative reasoning, the Central Government, in any of its ministries can formulate frameworks or policies in these subjects that may conflict or go behind the Draft Data Protection Bill, 2021.
Given that non-personal data can often be de-anonymised, or can impact individuals even when it remains in an aggregated, non-identifiable manner through digital systems, we have recommended its regulation by the Data Protection Authority. Here, it becomes imperative for its regulation to be shifted from the Central Government more appropriately to the Data Protection Authority that should enjoy independence. This would also adhere to the spirit of the comments in the JPC Report that argue for it, but fail to implement it through legislative language (“1.15.8.4. The Committee, therefore, recommends that since the DPA will handle both personal and non-personal data, any further policy / legal framework on non-personal data may be made a part of the same enactment instead of any separate legislation”).
- Consent: a torn safety net?
Any data protection law has consent as its foundational framework, which is contained in Clause 11. This flows into the requirement for people to be put to notice and have the choice to exercise consent. This has been made clearer by both the JPC and the Draft Data Protection Bill, 2021, which have specified that if a person exercises a choice to not provide personal data they will not be denied a service or the enjoyment of any legal right or claim.
Such language could have been made clearer as in Clause 14 of the Indian Privacy Code.
At the same time, several concerning changes have been made that expand the scope of the non-consensual processing of personal data. Any variation or exemption from the principle of consent must be made after the satisfaction of some qualifying conditions.
The conditions where the privacy of individuals may be limited in some circumstances have been defined by the Supreme Court; they include necessity, a legitimate purpose, a proportionality evaluation, and procedural safeguards as per the Right to Privacy Judgement. However, the Personal Data Protection Bill, 2019 in Clause 12 provides for the processing of personal data without consent when “such processing is necessary”.
Here, the Draft Data Protection Bill, 2021 not only fails to insert the additional safeguards of, “legitimate purpose” and, “proportionality” but also makes the exemption broader. It further adds, “quasi-judicial authorities” as entities that can process personal data without consent. Clause 13 also has an insertion to make non-consensual processing easier when it “can reasonably be expected by the data principal”. This undermines the principle of express consent in contexts of employment since employees will not need to be specifically notified when their personal data is processed. This is especially disappointing since the JPC, in its comments on clause 13, explicitly cites Article 88 of the General Data Protection Regulation, which deals with the processing of employment-related data, contains much stronger safeguards against excessive data collection by employers, and calls for, “suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests, and fundamental rights, with particular regard to the transparency of processing”.
Other vague exemptions have also been retained, as the Draft Data Protection Bill, 2021 has chosen to keep clause 14 of the 2019 Bill, which exempts user consent for data collection for purposes that range from credit scoring to the operation of search engines.
The only safeguard added by the JPC was the need to ensure that such non-consensual collection of data was in the legitimate interest of the data principal, though even here this is predicated on whether it is “practicable (sic)” to do so. At this time, we may also point out that the JPC Report and the Draft Data Protection Bill, 2021 contain grammar and spelling errors that require correction.
- Weakened user rights
The Draft Data Protection Bill, 2021, following earlier versions of the PDPB, provides users with certain rights such as the right to confirmation and access (Clause 17), the right to correction and erasure (Clause 18), the right to data portability (Clause 19), and the right to be forgotten (Clause 20). The first noticeable change is the expansion of Clause 17 with the insertion of sub-clause 4 to include rights that can be exercised in the event of the demise of the data principal, primarily for the intended objective of the nomination of legal heirs and representatives. This is a welcome addition but it does not square with several other provisions that continue to undermine user rights from prior versions of the Data Protection Bill.
For example, the Draft Data Protection Bill, 2021 has retained Clause 18(2) of the 2019 Bill, which allowed data fiduciaries to reject requests for correction, completion, update, or erasure of personal data if they disagreed with such requests (on the basis that certain data is still necessary for the purpose for which it was processed).
Additionally, Clause 19 limits the purpose of data portability which is incredibly important for mitigating harms by big tech. This is through the insertion of vague language in Clause 19(2) of the Draft Data Protection Bill, 2021 as a result of which, requests for data portability may be refused by Data Fiduciaries due to technical infeasibility. Further, such refusal will be specified in the future by regulations.
The treatment of the right to be forgotten provision is also of interest as there is a noticeable change in Clause 20(2) which provides an exemption from its application for, “the right of the data fiduciary to retain, use and process such data”. This makes little sense as data principals (people) have legal rights and the data fiduciaries (an artificial entity) that process their data have duties and responsibilities under the law. Beyond this logical error, the consequence of such change is that it increases the discretion of government departments and companies to hold on to personal data.
The JPC report, while acknowledging harms that will result under Clause 21 from the charging of fees to exercise user rights, chooses to retain this provision. In some marginal relief, the Draft Data Protection Bill, 2021 inserts a proviso that specifies that any charges that are levied by Data Fiduciaries will be subject to regulations formulated by the Data Protection Authority.
One welcome change is within Clause 62 which provides for the ability of ordinary citizens who are data subjects to avail remedies by filing a complaint with the Data Protection Authority. This Clause also provides for compensation.
- Social Media and Intermediary Liability
Scrutiny of social media platforms has been a primary topic of consideration in technology policy with the revelations of the Facebook Files. This has impacted the JPC Report with several fresh insertions in the Draft Data Protection Bill, 2021.
At the outset, we would like to point out that, while data protection laws are important instruments to regulate the flow of data to big technology platforms, they by themselves are distinct from broader social media regulation that deserves an independent statute (e.g. UK’s Online Harms Whitepaper). Here the JPC Report states that, “social media platforms have been designated as intermediaries in the IT Act and the Act had not been able to regulate social media platforms adequately” (Para 1.15.12.7) and also (correctly) that, “the present bill is about the protection of personal data and social media regulation is altogether a different aspect which needs a detailed deliberation” (Para 2.126 at Page 99).
However, despite these observations, it goes on to recommend significant changes to social media regulation.
The JPC Report has noticed and commented on several problems with social media that range from “the prevalence of fake accounts” to social media having “instigated people across the globe to plan, organise and execute revolutions, protests, riots and spread violence”. Based on these concerns, the JPC Report recommends the following changes:
- Publishers: “The foremost point of concern for the Committee was that the IT Act had designated social media platforms as ‘intermediaries’. In this regard, the Committee was of the view that the social media platforms may not be designated as such because, in effect, they act as publishers of content, whereby, they have the ability to select the receiver of the content, as well as control the access to any content posted on their platform.” (Para 1.15.12.4.)
- Verification: “A mechanism may be devised in which social media platforms, which do not act as intermediaries, will be held responsible for the content from unverified accounts on their platforms. Once (sic) application for verification is submitted with necessary documents, the social media intermediaries must mandatorily verify the account.” (Para 1.15.12.7.)
- Local Offices: “Moreover, the Committee also recommend (sic) that no social media platform should be allowed to operate in India unless the parent company handling the technology sets up an office in India.” (Para 1.15.12.7.)
- Social Media Regulatory Body: “Further, the Committee recommend (sic) that a statutory media regulatory authority, on the lines of Press Council of India, may be set up for the regulation of the contents on all such media platforms irrespective of the platform where their content is published, whether online, print or otherwise.” (Para 1.15.12.7.)
Flowing from these recommendations there are significant changes in the Draft Data Protection Bill, 2021 with the preamble changing the phrase, “social media intermediaries” to “social media platforms”. This corresponds with the insertion of a fairly vague definition of, “social media platforms” under Clause 3(44) that now reads as, “‘social media platform’ means a platform which primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services”.
The principal regulations on “social media platforms” have been made with significant changes to Clause 26 which determines a “significant data fiduciary”. Here, for a social media platform to be a significant data fiduciary Clause 26(1)(f) provides for threshold limits of user numbers that are notified by the Data Protection Authority or, “significant impact on the sovereignty and integrity of India, electoral democracy, security of the State or public order…”. This classification permits further regulatory compliance such as a data impact assessment under Clause 27; mandatory registration with the Data Protection Authority under Clause 28(3); the appointment of a data protection officer, or increases the powers of oversight of the Data Protection Authority under Clause 30.
While these may be welcome additions, they are offset by the process of verification of social media users. This undermines the principle of data minimisation as it would increase personal data held by social media platforms and increase surveillance of users by tying their online profiles to their real-world identities. Such social media intermediaries, as per Clauses 28(3) and 28(4) of the Bill, would have to enable users to “voluntarily verify their accounts in such manner as may be prescribed”, after which verified accounts may be identified with some visible mark. We fear such a provision even though it is premised on choice, as such choice when offered by social media platforms may become mandatory or the norm through practice and future regulations.
Verification of accounts will also adversely affect minorities, whistleblowers, and victims of sexual assault, who often resort to anonymous identities on social media websites to share their experiences. Such a provision is not found in any data protection law globally and is a deviation from established privacy norms as it can increase the risk from data breaches and entrench more power in the hands of large players who can afford to build and maintain such verification systems.
While the Draft Data Protection Bill, 2021 does not make any provisions to treat platforms as publishers, the JPC Report itself makes recommendations for a regulatory framework premised on such an understanding. We believe this is flawed and social media companies do not fall within a clear binary of, “passive intermediaries” completely exempt from legal compliance, nor, “publishers” that are liable for user-generated content, for the purposes of some specific harms that require independent and detailed study. Here, we contest the assertions of the JPC Report as it undermines well-established principles of intermediary liability that promote free speech and expression as noted by the Supreme Court in Shreya Singhal v. Union of India.