Joint Parliamentary Committee on the Personal Data Protection Bill, 2019

The Personal Data Protection Bill, 2019 provides for the protection of the personal data of individuals and establishes a Data Protection Authority (DPA). The Bill was introduced in Lok Sabha on December 11, 2019 and referred to a standing committee. The committee submitted its report on December 16, 2021.

Key Observations and Recommendations of the Committee

Scope of the Bill
  • Personal Data Protection Bill, 2019: It only defines personal data.
  • Recommendations of the Committee: It is impossible to clearly distinguish between personal and non-personal data. Hence, the Bill should provide for the protection of all kinds of data. The DPA should also be empowered to regulate non-personal data.

Definition of ‘harm’
  • Personal Data Protection Bill, 2019: It provides for compensation against harmful processing of personal data. Harm has been defined as (i) bodily or mental injury, (ii) financial loss, (iii) denial of service/benefit, (iv) identity theft, (v) discrimination, and (vi) unreasonable surveillance.
  • Recommendations of the Committee: The scope of the term ‘harm’ is wide, and technological innovations may lead to new interpretations of the term. So its definition should include ‘psychological manipulation which impairs the autonomy of the individual’, and the government may prescribe other harms.

Data Breaches
  • Personal Data Protection Bill, 2019: It requires a data fiduciary to notify the DPA about any breach of personal data where such a breach is likely to cause harm to the data principal.
  • Recommendations of the Committee: The phrase ‘likely to cause harm’ is presumptive and leads to ambiguity. So a data fiduciary should be mandated to report every personal data breach to the DPA without any discretion, within 72 hours of becoming aware of the breach. Also, the DPA should be empowered to regulate any breach of non-personal data.

Exemption to state agencies
  • Personal Data Protection Bill, 2019: It empowers the central government to exempt the processing of personal data by a government agency from the application of any or all provisions of the Bill if it is: (i) necessary or expedient, and (ii) in the interests of specified grounds including national security and public order. The exemption order must prescribe the procedures, safeguards, and oversight mechanisms to be followed by the agency.
  • Recommendations of the Committee: The Bill should specify that the procedure to be followed should be ‘fair, just, reasonable, and proportionate’, as there are chances of misuse.

Data portability
  • Personal Data Protection Bill, 2019: A data principal has a right to receive his personal data where the data has been processed through automated means. This right will not be enforceable where such compliance would: (i) reveal a trade secret of the data fiduciary, or (ii) not be technically feasible.
  • Recommendations of the Committee: Revealing a trade secret should not be a ground for denial. Any denial on the ground of technical non-feasibility should be determined as per prescribed regulations.

Right to be forgotten
  • Personal Data Protection Bill, 2019: A data principal has the right to restrict the continuing disclosure of personal data which is no longer necessary for the purpose for which it was collected, or where consent has been withdrawn.
  • Recommendations of the Committee: The right to be forgotten should allow restriction on both disclosure and processing of the data principal's personal data by the data fiduciary. However, this right should not override the right of the data fiduciary to retain, use, and process such data as per the Bill.

Selection committee for DPA
  • Personal Data Protection Bill, 2019: The Bill sets up a selection committee to recommend appointments to the DPA. It comprises: (i) the Cabinet Secretary (Chair), (ii) the Secretary of Legal Affairs, and (iii) the Secretary of Electronics and Information Technology.
  • Recommendations of the Committee: The members of the selection committee should also include: (i) the Attorney General of India, (ii) an independent expert from fields such as data protection, information technology, or cyber laws, and (iii) the Directors of an IIT and an IIM.

Timeline for implementation
  • Recommendations of the Committee: The Bill must specify a timeline for implementation of the Act. All provisions of the Act should come into effect within 24 months. The DPA should commence its activities within six months from the notification of the Act, and registration of data fiduciaries should start within nine months.