Personal Data Protection Bill: Key Changes and Implications

Background: PDP Bill

Supreme Court of India declared the right to privacy as a fundamental right in 2017 in the landmark case of KS Puttaswamy v. Union of India. Further, to protect the rights of individuals and the interests of the state simultaneously, the Court recommended the Union draft a data protection framework in India. Consequently, the Union appointed an expert committee headed by former Supreme Court judge Justice B.N. Srikrishna to draft a personal data protection bill ('PDP bill’).The committee submitted its report in 2018.

This was later reviewed by a Joint Parliamentary Committee ('JPC’) and thus later known as Personal Data Protection Bill, 2019. On 16 December 2021, the report by the JPC was submitted. The report has 93 recommendations in total and the bill is now likely to be passed by the parliament in its next session starting February 2022.

Key Changes Suggested By JPC

The first major change done by JPC is to engulf all types of data i.e. both personal and non-personal data by renaming the bill as Data Protection Bill 2021. Clause 2 of the bill says itapplies to all acts involving personal and non-personal data (including anonymized data). The second change is the timeline by which the bill must be implemented in a phased manner set as 2 years by JPC. This will allow the smaller companies to learn about the nitty-gritty of the data protection mechanisms and become used to the provisions. The third important aspect is that report the report also considersUnder the new PDP bill, JPC has defined a child as someone below 18 years of age; which is 13 years in the USA. Now, all the data fiduciaries are expected to again ask for the child's consent at least 3 months before he turns major.

People Also Read This: What Does The Law Say About Data Protection?

Further, Clause 26(1)(g) of the bill empowers the Data Protection Authority (‘DPA’) to categorize certain data fiduciaries that deals exclusively in processing data relating to children as ‘significant data fiduciary’.  The fourth change made by JPC is to include the provisionto protect the rights of the data principals, ie, the individual whose personal data is collected and processed. This is done by upholding their right to be forgotten, right to erasure, right to access and right to data portability, thus all data fiduciaries must adhere to these obligations. PDP bill deals with the requirement to obtain the consent of a data principal before processing their personal and non-personal data and Clauses 12 and 13 speaks of the exemptions. In Clause 12, JPC has now suggested the exemption for consent in collecting data in compliance with the orders of courts, tribunals etc. In Clause 13, JPC has suggested the exemption for consent collection for purposes relating to employment. The fifth major change has been made concerning Algorithm disclosure as envisaged in Clause 23(1). As per this provision of the PDP bill, the data fiduciaries must ensure the fairness and transparency of the algorithms or the methods used in processing the data.The sixth change is regarding the penalties stated in the new PDP bill. These penalties are imposed on the acts of re-identification, financial penalties for non-compliance and other privacy violations of the users. The penalties are either a limit or a percent of the annual turnover of the company which is progressive and will ensure compliance. The seventh change made by JPC is in Clause 25 to include both personal and non-personal data in data breaches and specific ways to report a breach. The timeline to report a breach has been stated as within 72 hours of becoming aware of the breach. The eighth change made by JPC is in Clause 26,specifying that the social media intermediaries will be treated as publishers of the content hosted on their platforms. However, this is inconsistent with the decision of the Shreya Singhal case where it emphasized the principles of intermediary liability. This also runs contrary to the IT Act which mentions the safe harbour option, wherein protection is given to the intermediaries to be immune from the liability regarding the user-generated content given the absence of actual knowledge of its illegality. However, JPC had this reasoning that since the social media intermediaries have control over the access to the content hosted on their site, they should be treated like publishers.

Implications

The move to include both personal and non-personal data within the ambit of the PDP bill is welcome. The data fiduciaries (companies who collect data) are now expected to regulate both kinds of data. One major criticism has been the provision of anonymized data being included since such data with no personally identifiable information is often being used by advertising companies on social media platforms like Facebook to better their services. The time of 2 years will allow the Data Protection Authority to lay down the codes and regulations, start cooperating with the different stakeholders and industries, and avoid any regulatory clashes by signing the Memorandum of Understanding with other sectoral regulators. One major ambiguity is that the JPC report did not specify how data portability will be implemented i.e. if the data fiduciaries are required to obtain the DPA’s permission every time a request for data portability is being made. The changes made in Clauses 12 and 13 are a bit broad and an overview is required since these broad and ambiguous terms might allow the executive to exempt itself from the collection of consent. The Algorithm disclosure provision enables the users to understand the reasons behind the decision, thus preventing data fiduciaries' discriminatory or otherwise legally non-compliant decisions. The penalties imposed on these big unicorn companies will safeguard the rights of the users whose personal data is being exploited for the benefit of the business of these data fiduciaries. But on the flip side, these penalties and criminal liability will prove harmful to the Small and Medium Enterprises (SMEs) since this will limit their innovation given the harsh penalties.

People Also Read This: Elements and Types of Non-Disclosure Agreements

The PDP bill is much needed given the ever-increasing digital internet users in India and the urgent need to regulate the users' data. This bill needs a lot of clarifications and modifications and when properly implemented has the potential to completely transform the data protection scenario in India.