Joint Parliamentary Committee Report Summary
Personal Data Protection Bill, 2019
- The report of the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019 (Chair: Mr P. P. Chaudhary) was tabled in Parliament on December 16, 2021. The Bill was introduced in Lok Sabha on December 11, 2019. It provides for the protection of personal data of individuals and establishes a Data Protection Authority (DPA). Key observations and recommendations of the Committee include:
- Scope of the Bill: The Bill is aimed at the protection of personal data. It defines personal data as data about or relating to a natural person who is directly or indirectly identifiable. Non-personal data means data other than personal data. The Committee observed that it is impossible to clearly distinguish between personal and non-personal data. Since data is collected and moved in bulk, such segregation is not possible at every stage. Hence, the Bill should provide for the protection of all kinds of data. DPA should be empowered to also regulate non-personal data. Accordingly, the short title of the Bill should be changed to the ‘Data Protection Act, 2021’.
- Definition of ‘harm’: The Bill provides for compensation against harmful processing of personal data. Harm has been defined in the form of an exhaustive list. It includes: (i) bodily or mental injury, (ii) financial loss, (iii) denial of service/benefit, (iv) identity theft, (v) discrimination, and (vi) unreasonable surveillance. The Committee observed that the scope of the term ‘harm’ is wide, and technological innovations may lead to new interpretations of the term. It recommended that the definition should include ‘psychological manipulation which impairs the autonomy of the individual’, and the government may prescribe other harms.
- Data breaches: The Bill requires a data fiduciary (a person who determines the purpose and means of processing personal data) to notify the DPA about any breach of personal data (unauthorised access or disclosure, or loss of access) where such a breach is likely to cause harm to the data principal. The Committee observed that the phrase ‘likely to cause harm’ is presumptive and leads to ambiguity. It recommended that a data fiduciary should be mandated to report every personal data breach to DPA without any discretion, within 72 hours of it becoming aware of the breach. Also, DPA should be empowered to regulate any breach of non-personal data.
- Exemption to state agencies: The Bill empowers the central government to exempt the processing of personal data by a government agency from the application of any or all provisions of the Bill. Such exemption may be provided if it is: (i) necessary or expedient, and (ii) in the interests of specified grounds including national security and public order. The exemption order must prescribe procedures, safeguards, and oversight mechanisms to be followed by the agency. The Committee observed that such clauses have precedent in the form of reasonable restrictions imposed on the liberty of individuals. However, this provision may be misused. Hence, the Bill should specify that the procedure to be followed should be ‘fair, just, reasonable, and proportionate’.
- Data portability: Under the Bill, a data principal has a right to receive his personal data where data has been processed through automated means. This right will not be enforceable where such compliance would: (i) reveal a trade secret of the data fiduciary, or (ii) not be technically feasible. The Committee observed that data fiduciaries may conceal their actions by denying data portability on these two grounds. It recommended that revealing a trade secret should not be a ground for denial. Any denial on the ground of technical non-feasibility should be determined as per prescribed regulations.
- Right to be forgotten: The Bill provides that a data principal has the right to restrict continuing disclosure of personal data which is no longer necessary for the purpose it was collected or if the consent is withdrawn. The Committee observed that even after exercise of this right by a data principal, a data fiduciary may continue to process personal data of that data principal. Hence, this right should also allow restriction on any processing. It further recommended that this right should not override the right of the data fiduciary to retain, use, and process such data as per the Bill.
- Selection committee for DPA: The Bill sets up a selection committee to recommend appointments to DPA. It comprises: (i) Cabinet Secretary (Chair), (ii) Secretary of Legal Affairs, and (iii) Secretary of Electronics and Information Technology. The Committee recommended that members of the selection committee should also include: (i) Attorney General of India, (ii) an independent expert from fields such as data protection, information technology, or cyber laws, and (iii) Directors of an IIT and an IIM.
- Timeline for implementation: The Committee recommended that the Bill must specify a timeline for implementation of the Act. All provisions of the Act should come into effect within 24 months. DPA should commence its activities within six months from the notification of the Act and registration of data fiduciaries should start within nine months.
DISCLAIMER: This document is being furnished to you for your information. You may choose to reproduce or redistribute this report for non-commercial purposes in part or in full to any other person with due acknowledgement of PRS Legislative Research (“PRS”). The opinions expressed herein are entirely those of the author(s). PRS makes every effort to use reliable and comprehensive information, but PRS does not represent that the contents of the report are accurate or complete. PRS is an independent, not-for-profit group. This document has been prepared without regard to the objectives or opinions of those who may receive it.