The story so far: The Joint Parliamentary Committee on the Personal Data Protection Bill submitted its report on November 22 . The Personal Data Protection Bill, 2019 , stems from the 2017 judgment of the Supreme Court in the Puttaswamy vs.Union of India case that recognised privacy as a fundamental right protected by the Constitution. The committee, which had been deliberating on the Bill since it was introduced in Parliament in 2019, has made several recommendations for modifying the draft . However, it steered clear of the main sticky points such as government access to private data, leading to dissent notes from panel members from the Opposition.
Editorial | Falling short: On data protection provisos
What has the JPC left untouched?
The committee has retained Section 35 of the Bill. It gives the Government the right to authorise any of its agencies to circumvent the provisions of the law if it finds it necessary to do so under “public order”, “sovereignty”, “friendly relations with foreign states” and “security of the state”. It is being interpreted as essentially a carte blanche for the Union Government to act as it wishes when it comes to accessing data on citizens. The draft Bill leaves it to the Government to frame the rules for oversight and safeguards for this provision. The critics of this provision, particularly the dissenting JPC members, are seeking judicial oversight and a more detailed prescription for the agencies that can access the data and the conditions under which they can do so. The final JPC report does not favour any change in this provision. The JPC also leaves untouched the state’s ability to process personal data without consent, as allowed under Section 12. The JPC has also left mostly untouched the draft Bill’s provisions for data localisation. The Bill requires a copy of any user data generated in India to be kept in the country, which critics say is unnecessary and may facilitate surveillance.
What does it say on social media?
The JPC has suggested that any social media that is not an intermediary be treated as a publisher. Under India’s Information Technology Act, an intermediary is a website or service that only receives, stores, and transmits information online, without any sort of selection or curation of the content. Such intermediaries enjoy “safe harbour” protection from being held liable for the content that they are hosting or transmitting. A publisher, however, is legally liable for the content that it is hosting. In its report, the JPC says it is of the “strong view that these designated intermediaries may be working as publishers of the content in many situations”, making choices on what content is being shown to whom. The JPC has also suggested a regulatory body for social media on the lines of the Press Council of India. This will have major implications for companies like Facebook. What it will mean for freedom of speech online also remains to be seen.
The draft Bill already places social media in a separate class of intermediaries when it comes to data protection, adding provisions for voluntary verification of accounts. The modes for verification of accounts are to be prescribed by the Government, which leads to the question of who will be excluded and who will be allowed to be verified, and about the repercussions of not being verified. Critics of this provision also see it as being misplaced in a data protection legislation. They say that social media is best handled within the ambit of the Information Technology Act itself.
Has the ambit of the Bill been changed?
According to the JPC recommendation, the Bill should cover both personal and non-personal data. Non-personal data would include the traffic information that Google Maps collects and other such information. The JPC has even recommended changing the name of the Bill as the Data Protection Bill, 2021, dropping the word ‘personal’. This takes the Bill beyond its original ambitions, as laid down by the B.N. Srikrishna Commission that worked on drafting it in the wake of the Puttaswamy verdict.