The Data, an intangible Asset, can be consumed and exploited by various organisations for multiple purposes including for better and more efficient utilization of resources, real-time delivery of services and effective management of Disasters etc. Data is a new resource that is vital for the internet economy, supporting innovation and building new age business. The value chain of data is enumerated as below:
DATA → INFORMATION → KNOWLEDGE → EFFECTIVE USAGE
The Personal Data Protection Bill, 2019 was introduced in Lok Sabha by the Minister of Electronics and Information Technology, on 11 December, 2019, wherein the Bill was notified to provide protection of personal data of individuals and establishes a Data Protection Authority for the same. The Bill was intended to protect individual rights by regulating the collection, movement, and processing of data that is personal, or which can identify the individual.
In lieu of the same, as on 3rd August, 2022 the Government decided to withdraw the Personal Data Protection Bill as it considers a “comprehensive legal framework” is required to regulate the online space to boost innovation in the country through a new bill.
The Bill is indispensable for the businesses, both domestic and international, that operate in India and handle Indians’ personal data because they will be responsible for paying the associated costs of compliance. Along with the corporate sector, the state has been an active participant in the data game in India. It has been collecting and keeping enormous amounts of data with little accountability through a variety of policy initiatives and processes, the most well-known of which is “Aadhaar”. Therefore, a strong data protection regime is expected to be held to a high standard, ideally matching the General Data Protection Regulation in Europe, which is considered to be the world’s leading data protection standard (GDPR).
CHRONOLOGY OF THE DRAFT BILL
- As on 24th August, 2017 landmark judgment on data privacy was given by 9 Judges Bench of Hon’ble Supreme Court in the matter of Justice K.S. Puttaswamy vs Union of India.
- The Justice Srikrishna panel was set up in 2017 in the backdrop of the Supreme Court’s verdict holding privacy is a fundamental right, and its direction to the government to formulate a data protection framework for the country.
- In July 2018, the committee submitted a draft data protection Bill to the Ministry of Electronics and IT, which said that it would draft a fresh Bill borrowing from the proposal presented in the Srikrishna Committee Bill.
- In December 2019, the Bill was referred to the JCP, which was then headed by the BJP’s MP, Meenakshi Lekhi. As the committee started a clause-by-clause analysis of the Bill, it also sought and received extensions for presenting its report in September 2020 and March 2021.
- In July 2021, BJP MP Prem Prakash Chaudhary was appointed as chairperson of the JCP after Meenakshi Lekhi was appointed as Minister of State for External Affairs. The JCP received yet another extension to submit its report after Chaudhary’s appointment.
- In December 2021, the JCP tabled its report in Parliament, which Justice Srikrishna said was heavily in favour of the government. In a media interview, he said that the Bill could turn India into an “Orwellian state”.
- The JCP tabled its Report after 78 sittings spread over 184 hours and 20 minutes, and after having received 6 extensions.
- Considering the report of the JCP, a comprehensive legal framework is being worked upon as The Personal Data Protection Bill, 2019 was deliberated in great detail by the Joint Committee of Parliament (JCP) and 81 amendments were proposed and 12 recommendations were made towards a comprehensive legal framework on the digital ecosystem.
HIGHLIGHTS OF THE IMPORTANT RECOMMENDATIONS
- Legislation will deal with personal and non-personal data both:
The inclusion of non-personal data under the broader purview is one of the main recommendations that modifies the Bill’s structure. It is not possible, according to the committee, “to discriminate between personal data and non-personal data not just in the initial stage but at latter stage also, when mass data is collected or transferred”.
- A timeline for phased implementation of data protection:
Companies, enterprises, and even government organizations deal with many types of data because technology has become an integral part of everyone’s life. The JCP recommended that a transition period up to 24 months may be granted from the date of announcement of the Act in order to guarantee that all such data aggregators have enough time to comply with the new Data Protection rules.
- All data fiduciaries who deal solely with children’s data are required to register themselves with the Data Protection Authority (DPA).
- Social Media Platforms are designated as intermediaries under the Information and technology Act and the IT Act is not able to regulate social media platforms adequately. The committee suggest that social media platforms that do not act as intermediaries and should be considered as publishers and to be held accountable for the content they contain.
- The Committee has noted that data protection in the financial sector is a matter of genuine concern for everyone, especially in light of the widespread privacy breaches on the SWIFT (Society for Worldwide Interbank Financial Telecommunications) network. The Committee strongly suggest for development of an alternative indigenous financial system. In light of the Data Protection and to encourage more innovations simultaneously, the committee also proposed the amendment in the Patent Act, 1970.
- Concrete steps to be taken by the Central Government as there are provisions for Cross-border transfer of data as national security is of paramount importance for India.
COMPARATIVE VIEW WITH EU REGULATION AND INDIA’S BILL
The JCP’s suggestions for the Personal Data Protection Bill are quite comparable to international norms like the General Data Protection Regulation of the European Union in some ways but differ in others, such the prospect for imprisonment.
|GENERAL DATA PROTECTION REGULATION, EU||JCP RECOMMENDATION ON DATA PROTECTION BILL|
|In order for a user to opt in or out, they must have given their informed consent regarding how their data is processed.||While preserving privacy, data processing should be fair and open.|
|In order for users to take action to protect the information, supervisory authority must be notified of a breach within 72 hours of the disclosure.||The Data Protection Authority must be notified within 72 hours, DPA will determine whether users need to be informed and what actions need to be done.|
|GDPR provisions will be implemented over a 2 year transition period.||Total 24 months, including 9 months for data fiduciaries to register and 6 months for the DPA to commence.|
|Anonymous data, such as non-personal data, are exempt from the data protection principles.||Non-personal data must be covered by data privacy laws because it is hard to distinguish one from another.|
|There are no imprisonment terms; simply fines of up to 20 million euros, or in the case of an enterprise, up to 4% of their total global turnover for the prior fiscal year.||They might face up to 3 years in prison, a fine of Rs 2 lakh or both if de-identified data is re-identified.|
The government has taken this step after nearly 4 years of the Bill being in the operation. It had gone through multiple iterations, including a review by a Joint Committee of Parliament (JCP), and faced major push back from a range of stakeholders including big tech companies such as Facebook and Google. Many issues that were important but outside the purview of a contemporary Digital Privacy law were mentioned in the JCP Report on the Personal Data Protection Bill.
The Committee understand that privacy is a fundamental right of the citizen which empowers him/her to ensure the protection of his personal data being shared. By handpicking to pull out the Bill, it is unclear whether the Government would address the demand for a shuffling of the legislation with the 2018 draft Bill that came about after extensive consultations with civil society or whether this would be more in line with the JCP Report, which has also been criticised by civil society for retaining provisions that allow the Government access to private data of citizens without adequate defence.
Meanwhile, the dearth of a proper data protection law in the country is an inconsistency when compared with major countries. Now, a comprehensive approach to the laws will be undertaken by the government as it was necessary to comprehensively redraw the contours of the proposed law the government is aiming to bring the legislation for data protection in Parliament’s Winter Session and the new Bill would incorporate the broader ideas of data protection as recommended by the JCP, and would be in line with the Supreme Court’s landmark privacy judgment of 2017.