Updated: December 18, 2021 9:15:23 am
A report of the Joint Committee of Parliament on the Personal Data Protection Bill tabled in Lok Sabha and Rajya Sabha Thursday has recommended that social media companies which do not act as intermediaries be treated as content publishers and held accountable for the content they host.
“A mechanism may be devised in which social media platforms, which do not act as intermediaries, will be held responsible for the content from unverified accounts on their platforms. Once application for verification is submitted with necessary documents, the social media intermediaries must mandatorily verify the account,” the committee said.
The committee’s recommendation, however, has left stakeholders seeking more clarity. Some are of the view that the provision takes away the protection afforded to social media intermediaries if they moderate content in any way. Others believe it needs to be clarified, either by the government or through judicial interpretation, that social media platforms have been kept out of the purview of intermediaries.
The Bill was introduced two years back in the Lok Sabha by former Union Minister Ravi Shankar Prasad on December 11, 2019, and immediately referred to the standing committee on December 16. The committee’s report was presented in the Lok Sabha by its chairperson PP Chaudhary and laid in the Rajya Sabha by Congress MP Jairam Ramesh.
Fixing a timeline for the Bill’s implementation in a phased manner, and to allow stakeholders sufficient transition time, the committee has said the Data Protection Authority (DPA) should commence operations within six months, registration of data fiduciaries should start within nine months, and the appellate tribunal should begin work not later than 12 months from the notification of the Act. Overall, it said, any and all provisions of the Bill should be implemented within 24 months.
Pointing out it is impossible to distinguish between personal and non-personal data when mass data is collected or transported, the committee has said there should be only one DPA dealing with privacy and personal data as well as non-personal data. “To avoid contradiction, confusion, and mismanagement, a single administration and regulatory body is necessitated,” it said.
In case of a data leak, the DPA should be notified within 72 hours of the company becoming aware of the breach. The DPA shall then “take into account the personal data breach and the severity of harm that may be caused” to the persons whose data has been leaked, and accordingly ask the company to report it and “take appropriate remedial measures”.
The Chairperson and the members of the DPA shall be appointed by the Union government based on the recommendation of a selection committee chaired by the Cabinet Secretary. Other members of the committee would be the Attorney General of India and the IT and law secretaries. An independent expert, and a director each from the IIT and the IIM, will be nominated by the Centre.
If the data fiduciary fails to take prompt and appropriate action following a breach, does not register with the DPA, does not conduct a data audit as required under the proposed Act or does not appoint a data protection officer as per the rules, it could attract a penalty of up to Rs 5 crore or 2 per cent of the total worldwide turnover of the preceding financial year, whichever is higher.
Further, if a company violates the provisions of processing personal data or data of children, or transfers data outside India against the prescribed rules, it shall be fined up to Rs 15 crore or 4 per cent of its total worldwide turnover of the preceding financial year, whichever is higher.
For government departments, however, the liability in case of a data breach will not be directly placed with the head of the department. In case of any offence under the Act, the head of the government department will first conduct an in-house probe to determine the person or officer responsible for the said violation, and only then will the liability be decided.
A jail term of up to 3 years or a fine of up to Rs 2 lakh or both shall be imposed if a person intentionally and without the consent of the data fiduciary or data processor re-identifies personal data which has been de-identified.