After 78 sittings spread over 184 hours and 20 minutes, and half a dozen extensions, the Joint Committee of Parliament (JCP) on the Personal Data Protection Bill tabled its report in both Houses on Thursday.
Among the key recommendations is that social media companies that do not act as intermediaries are to be treated as content publishers. This means they become liable for the content they host.
The JCP, which was formed in December 2019 to deliberate on issues surrounding personal data protection, expanded its mandate to include discussions on non-personal data, thereby changing the mandate of the Bill from personal data protection to broader data protection. In all, the committee has made 99 recommendations, of which 12 are in connection with the provisions made in the Bill, and the rest are in the form of modifications.
NON-PERSONAL TOO: The key recommendation that changes the nature of the Bill itself is the inclusion of non-personal data within the larger umbrella. The reason, the committee said, was that it was impossible “to distinguish between personal data and non-personal data, when mass data is collected or transported”. This means that all issues under the new legislation will be dealt with by a single Data Protection Authority (DPA) instead of separate ones for personal and non-personal data.
TRANSITION PERIOD: As technology has become an inseparable part of everyone’s life, companies, firms and even government organisations deal with various kinds of data. To ensure that all such data aggregators get ample time to comply with the rules under the new Bill, the JCP suggested that up to 24 months be given from the date of notification of the Act. All data fiduciaries that deal exclusively in children’s data have to register themselves with the DPA. For this, a period of 9 months from the notification of the Act has been suggested.
SOCIAL MEDIA LIABILITY: A third major recommendation is that social media platforms that do not act as intermediaries should be treated as publishers, and therefore be held liable for the content they host. While there is confusion among stakeholders on what this recommendation entails, given that most social media companies are treated as intermediaries, a general consensus is that this would strip these companies of protections they are accorded under Section 79 of the Information Technology Act.
PENALTY: The committee has recommended a fine of up to Rs 15 crore or 4% of the total global turnover of the firm for data breaches, and a jail term of up to 3 years if de-identified data is re-identified.
TIMELY ALERT: In case of any data breach, the data aggregator or fiduciary must notify the DPA within 72 hours of becoming aware of it. The DPA shall then decide the quantum of severity of the data breach and accordingly ask the company to report it and “take appropriate remedial measures”.
With the growth of the Internet, consumers have been generating a lot of data, which has allowed companies to show them personalised advertisements based on their online behaviour. Companies began to store a lot of these datasets without taking the users’ consent, and did not take responsibility when the data leaked.
To hold such companies accountable, the government in 2019 tabled the Personal Data Protection Bill for the first time.
In its report, the committee stressed a need to set up new processes to unify such data present across spectrums and organisations such as public and private sector companies, research organisations and academic institutions.
Among the major concerns that the JCP recommendations sought to address are data protection, minimal user trust in companies handling data, impact of data breaches on health and well-being of individuals, proliferation of bots and fake accounts and data localisation.
The JCP said there was a sense of unease in the general public about what companies handling their data knew about them. “The rapid commercial use of personal data has resulted in undermining the end user trust and confidence. Concerns and tensions about misuse of sensitive and critical personal data is rising exponentially,” the committee said in its report.
To deal with such situations, it said, it was important to build a “legal, cultural, technological and economic infrastructure” for a secure and user-friendly data ecosystem.
Apart from the obvious economic and privacy concerns, the JCP report also discusses the impact on mental health and emotional well-being that a user experiences due to a data breach. It cites findings that among such individuals, as many as 86 per cent felt worried, angry and frustrated, while 85 per cent experienced disturbed sleeping habits.
A copy of the JCP report has now been made available to all MPs ahead of the debate; they will also be given the option to provide any suggestions for the final Bill, if they wish.
The Ministry of Electronics and Information Technology, the nodal ministry for handling the Bill, will discuss the recommendations made by the JCP. Comments or suggestions from industries, public policy groups and others, however, will no longer be accepted since consultations with external stakeholders are over.
If Lok Sabha passes the Bill, as it is or as amended, it will go through the same process in Rajya Sabha. If it is rejected by Rajya Sabha or there are disagreements between the two Houses, a joint sitting of both Houses is called by the President.
Once a Bill is passed by both Houses, it is sent to the President, who can either accept it in its entirety and make it into an Act, or send it back with suggestions and recommendations. But if Lok Sabha clears the Bill again without changes, the President must accept the Bill as it is and give assent to make it into a law.