On Thursday, 16 December, a joint parliamentary committee (JPC) finally tabled its report on the Personal Data Protection Bill 2019 in both Houses of Parliament, which means that India might finally get its long-overdue data protection law in the ongoing winter session.
However, the recommendations suggested by the JPC report do not appear to have resolved the concerns raised about the 2019 Bill, including the exemptions granted to the government.
While some recommendations are positive and recognise new privacy challenges, including on regulating data collected by hardware and the requirement to disclose data breaches within a fixed time, the JPC report also suggests changes that take the proposed law even further away from the well-crafted draft Bill proposed by the Justice BS Srikrishna Committee.
Seven of the 30 committee members, all MPs from Opposition parties, had submitted dissent notes to the chairperson of the JPC, PP Chaudhary.
The dissenting members were Jairam Ramesh, Manish Tewari, Vivek Tankha, and Gaurav Gogoi (from Congress), Derek O'Brien and Mahua Moitra (from the Trinamool Congress), and Amar Patnaik (from the Biju Janata Dal).
In their dissent notes, the MPs called the Bill "Orwellian" and took objection to the JPC's failure to consider amendments to the Bill to ensure compliance with the Supreme Court's right to privacy judgment.
Here's what we know about the report's recommendations, and why these are concerning.
Why Is the JPC Report on the Personal Data Protection Bill Being Criticised?
1. Key Recommendations Made by JPC Report
The full text of the JPC report is not yet available, but the following recommendations and decisions are known to us at present from source-based news reports and the comments by the dissenting members:
No significant changes to Section 35 of the 2019 Bill (state use exemption), which allows the Union government to exempt its agencies from complying with the requirements under the law, including that any processing of data has to be for a limited purpose, done with consent and after providing notice. The exemption can be applied if the government thinks that it is "necessary or expedient" in the interest of the sovereignty and integrity of India, security of the state, friendly relations with other states, or public order.
It is being suggested that the Bill be amended to state that the procedure for applying the exemption needs to be "just, fair and proportionate," according to Hindustan Times.
No changes to Section 12 of the 2019 Bill, which allows the processing of personal data without a person's consent if this is necessary, among other things, for provision of services or benefits from the government, or issue of licences/certifications/permits from the government for any action or activity.
Social media platforms should be treated as publishers (that is, not as intermediaries) unless they mandatorily verify users. This would make them responsible for content posted by users.
Any data fiduciary which passes on information to a third party will need to mandatorily disclose this information to the person whose data has been passed on. However, this will not apply to information passed on for the purposes of state use.
Senior management personnel of companies have to be appointed to the position of data protection officers.
Non-personal data should also be included within the ambit of the law.
Data breaches will need to be reported within 72 hours by companies.
Data collection by electronic hardware (telecom equipment like 5G and home devices like Alexa) should also be specifically addressed by the data protection law.
Data localisation requirements need to be complied with for all sensitive and critical personal data – even for data already collected by foreign entities operating in India (like Visa, Mastercard, etc). Copies of such data will now need to be retained in India as well.
The Data Protection Authority, which is to be set up under the law to regulate how data is to be managed and processed, should be bound by directions of the Union government in all cases – not just questions of policy.
Expand2. Why Failure To Amend Provisions on Govt Exemptions Is Dangerous
In his dissent note, Jairam Ramesh had said that Section 35 of the 2019 Bill gives "unbridled powers to the Central Government to exempt any government agency from the entire Act itself."
He argued that this treats the government as a "separate privileged class whose operations and activities are always in the public interest" and considers privacy of the individual secondary in this context.
The state use exemption in the Personal Data Protection Bill 2019 has been a matter of concern ever since it was introduced. If government agencies can avoid data protection requirements on such broad grounds, there is great scope for misuse of personal data for surveillance.
This is not to say that there should not be some form of exemption for urgent cases of national security. The problem is that Section 35 goes far beyond that.
In 2018, the Justice BS Srikrishna Committee had included a state use exemption in its draft data protection Bill, however, in that draft, the state use exemption could only apply in the interests of the security of the State.
While this may seem nitpicky, this is extremely important from a legal point of view.
Security of the State is a specific, well-defined ground for restrictions on fundamental rights recognised in Article 19 of the Constitution. Allowing a state use exemption only on this ground would have meant that it could not be used except in serious cases where the country was under threat.
The Modi government's 2019 Bill, however, recognises several other grounds for the state use exemption, including 'public order'. The Supreme Court has attempted to define public order and differentiate it from mere law and order problems, but it still remains an ambiguous term which is often misused by governments of all stripes.
The JPC should have been looking to restrict the scope of the state use exemption to prevent misuse, but by failing to remove the additional grounds for it, fails to offer any real protection.
The JPC has also failed to expressly reintroduce wording on how any attempt to apply the state use exemption would only be exercised under the terms of new legislation, and would comply with the tests of proportionality as laid down by the Supreme Court in the Puttaswamy (right to privacy) judgment.
This is particularly concerning as Section 35 doesn't just allow for the exemption when "necessary" but also when this is "expedient," which does not meet the proportionality standard. The Srikrishna Committee draft included these aspects as safeguards.
Jairam Ramesh's proposed amendments included both these aspects, but were not accepted by the JPC.
A failure to restrict the state use exemption also dilutes one of the useful recommendations for mandatory disclosure of information being passed on to a third party.
Expand3. Why No Safeguards for Non-Consensual Data Processing Power?
The failure to accept any amendments to Section 12 is also worrying. This provision to allow non-consensual data processing for government benefits has been a matter of concern since the Srikrishna Committee's draft Bill itself, since it imposes no express proportionality requirements.
It is unclear why there should be no consent for taking data when it comes to people accessing government benefits.
This is essentially an erosion of privacy and data protection principles on the assumption that the poor and disadvantaged are not concerned with privacy and data protection.
Given the kinds of data breaches that have already occurred in connection with Aadhaar data, the need to ensure that data collection in connection with public services and benefits is done in a more restricted manner, should have been even clearer.
Expand4. Why Is Social Media Content Regulation Creeping Into a Data Protection Law?
The 2019 Bill itself introduced the concept of user verification for 'social media intermediaries' where they were of a significant size. Such social media intermediaries would need to offer voluntary user verification, according to the draft.
At that time itself, concerns were raised, for instance by the Software Freedom Law Centre, about why this was being included within the ambit of a data protection law.
The new recommendations by the JPC report appear to go a bit further, saying that significant social media intermediaries that do not mandatorily require user verification, should lose their status as 'intermediaries', which would make them liable for content posted by users.
This could see platforms like Twitter held legally responsible for posts by 'unverified' accounts, which means they will be forced to disallow anonymous accounts (which despite certain drawbacks allow for privacy and protection for those who would be at risk if their identity were known).
It is clear that regulation of content on social media and digital media is a key concern for this government – the controversial new IT Rules in 2021 also seek to do this – but there is still no rationale to include this in a data protection law.
Obviously, certain personal data would need to be processed to allow for a verification process and hence needs protection, but this would have been covered under existing aspects of the law anyway.
The fact that the JPC wants to make this verification process mandatory and impose consequences for failing to do so raises serious concerns about its approach to reviewing the draft law.
Expand5. Is the Data Protection Authority Going To Be Rendered Toothless?
When the 2019 Bill came out, there were already question marks over whether attempts were being made to dilute its ability to take on the government.
This is because the 2019 Bill made a major change from the Srikrishna Committee draft when it came to the appointment of the Data Protection Authority (DPA).
In the Srikrishna Committee draft, the DPA was to be appointed by the Union government on the basis of recommendations made by a selection committee comprising of:
The Chief Justice of India or a Supreme Court judge nominated by the CJI. This 'Judicial Member' would have been the chairperson of the selection committee.
The Cabinet Secretary.
A person of repute nominated by the other two members.
However, in the government's 2019 Bill, the requirement for a judicial member on the selection committee disappeared, as did the inclusion of a 'person of repute', meaning the DPA members would solely be appointed from among the Union government's bureaucrats.
Not only does the JPC report fail to make any suggestions to rectify the composition of the selection committee, it also wants the DPA to be required to fall in line with all directions of the government.
As Mahua Moitra and Derek O'Brien pointed out, this would "affect the independent functioning of the DPA."
An authority which is appointed solely by the government and which follows its instructions is hardly likely to ever be able to take a strong line against the government for any possible violations of the law.
While it may retain the ability to enforce the law when it comes to private entities, there are therefore legitimate concerns that the DPA being rendered toothless qua the government.
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)
Expand
Key Recommendations Made by JPC Report
The full text of the JPC report is not yet available, but the following recommendations and decisions are known to us at present from source-based news reports and the comments by the dissenting members:
No significant changes to Section 35 of the 2019 Bill (state use exemption), which allows the Union government to exempt its agencies from complying with the requirements under the law, including that any processing of data has to be for a limited purpose, done with consent and after providing notice. The exemption can be applied if the government thinks that it is "necessary or expedient" in the interest of the sovereignty and integrity of India, security of the state, friendly relations with other states, or public order.
It is being suggested that the Bill be amended to state that the procedure for applying the exemption needs to be "just, fair and proportionate," according to Hindustan Times.
No changes to Section 12 of the 2019 Bill, which allows the processing of personal data without a person's consent if this is necessary, among other things, for provision of services or benefits from the government, or issue of licences/certifications/permits from the government for any action or activity.
Social media platforms should be treated as publishers (that is, not as intermediaries) unless they mandatorily verify users. This would make them responsible for content posted by users.
Any data fiduciary which passes on information to a third party will need to mandatorily disclose this information to the person whose data has been passed on. However, this will not apply to information passed on for the purposes of state use.
Senior management personnel of companies have to be appointed to the position of data protection officers.
Non-personal data should also be included within the ambit of the law.
Data breaches will need to be reported within 72 hours by companies.
Data collection by electronic hardware (telecom equipment like 5G and home devices like Alexa) should also be specifically addressed by the data protection law.
Data localisation requirements need to be complied with for all sensitive and critical personal data – even for data already collected by foreign entities operating in India (like Visa, Mastercard, etc). Copies of such data will now need to be retained in India as well.
The Data Protection Authority, which is to be set up under the law to regulate how data is to be managed and processed, should be bound by directions of the Union government in all cases – not just questions of policy.
Why Failure To Amend Provisions on Govt Exemptions Is Dangerous
In his dissent note, Jairam Ramesh had said that Section 35 of the 2019 Bill gives "unbridled powers to the Central Government to exempt any government agency from the entire Act itself."
He argued that this treats the government as a "separate privileged class whose operations and activities are always in the public interest" and considers privacy of the individual secondary in this context.
The state use exemption in the Personal Data Protection Bill 2019 has been a matter of concern ever since it was introduced. If government agencies can avoid data protection requirements on such broad grounds, there is great scope for misuse of personal data for surveillance.
This is not to say that there should not be some form of exemption for urgent cases of national security. The problem is that Section 35 goes far beyond that.
In 2018, the Justice BS Srikrishna Committee had included a state use exemption in its draft data protection Bill, however, in that draft, the state use exemption could only apply in the interests of the security of the State.
While this may seem nitpicky, this is extremely important from a legal point of view.
Security of the State is a specific, well-defined ground for restrictions on fundamental rights recognised in Article 19 of the Constitution. Allowing a state use exemption only on this ground would have meant that it could not be used except in serious cases where the country was under threat.
The Modi government's 2019 Bill, however, recognises several other grounds for the state use exemption, including 'public order'. The Supreme Court has attempted to define public order and differentiate it from mere law and order problems, but it still remains an ambiguous term which is often misused by governments of all stripes.
The JPC should have been looking to restrict the scope of the state use exemption to prevent misuse, but by failing to remove the additional grounds for it, fails to offer any real protection.
The JPC has also failed to expressly reintroduce wording on how any attempt to apply the state use exemption would only be exercised under the terms of new legislation, and would comply with the tests of proportionality as laid down by the Supreme Court in the Puttaswamy (right to privacy) judgment.
This is particularly concerning as Section 35 doesn't just allow for the exemption when "necessary" but also when this is "expedient," which does not meet the proportionality standard. The Srikrishna Committee draft included these aspects as safeguards.
Jairam Ramesh's proposed amendments included both these aspects, but were not accepted by the JPC.
A failure to restrict the state use exemption also dilutes one of the useful recommendations for mandatory disclosure of information being passed on to a third party.
Why No Safeguards for Non-Consensual Data Processing Power?
The failure to accept any amendments to Section 12 is also worrying. This provision to allow non-consensual data processing for government benefits has been a matter of concern since the Srikrishna Committee's draft Bill itself, since it imposes no express proportionality requirements.
It is unclear why there should be no consent for taking data when it comes to people accessing government benefits.
This is essentially an erosion of privacy and data protection principles on the assumption that the poor and disadvantaged are not concerned with privacy and data protection.
Given the kinds of data breaches that have already occurred in connection with Aadhaar data, the need to ensure that data collection in connection with public services and benefits is done in a more restricted manner, should have been even clearer.
Why Is Social Media Content Regulation Creeping Into a Data Protection Law?
The 2019 Bill itself introduced the concept of user verification for 'social media intermediaries' where they were of a significant size. Such social media intermediaries would need to offer voluntary user verification, according to the draft.
At that time itself, concerns were raised, for instance by the Software Freedom Law Centre, about why this was being included within the ambit of a data protection law.
The new recommendations by the JPC report appear to go a bit further, saying that significant social media intermediaries that do not mandatorily require user verification, should lose their status as 'intermediaries', which would make them liable for content posted by users.
This could see platforms like Twitter held legally responsible for posts by 'unverified' accounts, which means they will be forced to disallow anonymous accounts (which despite certain drawbacks allow for privacy and protection for those who would be at risk if their identity were known).
It is clear that regulation of content on social media and digital media is a key concern for this government – the controversial new IT Rules in 2021 also seek to do this – but there is still no rationale to include this in a data protection law.
Obviously, certain personal data would need to be processed to allow for a verification process and hence needs protection, but this would have been covered under existing aspects of the law anyway.
The fact that the JPC wants to make this verification process mandatory and impose consequences for failing to do so raises serious concerns about its approach to reviewing the draft law.
Is the Data Protection Authority Going To Be Rendered Toothless?
When the 2019 Bill came out, there were already question marks over whether attempts were being made to dilute its ability to take on the government.
This is because the 2019 Bill made a major change from the Srikrishna Committee draft when it came to the appointment of the Data Protection Authority (DPA).
In the Srikrishna Committee draft, the DPA was to be appointed by the Union government on the basis of recommendations made by a selection committee comprising of:
The Chief Justice of India or a Supreme Court judge nominated by the CJI. This 'Judicial Member' would have been the chairperson of the selection committee.
The Cabinet Secretary.
A person of repute nominated by the other two members.
However, in the government's 2019 Bill, the requirement for a judicial member on the selection committee disappeared, as did the inclusion of a 'person of repute', meaning the DPA members would solely be appointed from among the Union government's bureaucrats.
Not only does the JPC report fail to make any suggestions to rectify the composition of the selection committee, it also wants the DPA to be required to fall in line with all directions of the government.
As Mahua Moitra and Derek O'Brien pointed out, this would "affect the independent functioning of the DPA."
An authority which is appointed solely by the government and which follows its instructions is hardly likely to ever be able to take a strong line against the government for any possible violations of the law.
While it may retain the ability to enforce the law when it comes to private entities, there are therefore legitimate concerns that the DPA being rendered toothless qua the government.
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)