Personal Data Protection Bill
GS 2: Governance
GS 3: Security
- Recently, the Joint Committee of Parliament (JCP), after almost two years of scrutiny, gave its final set of recommendations regarding the Personal Data Protection Bill.
- Widening the ambit of the Bill to include non-personal data and data collection by electronic hardware, and treating all social media intermediaries as social media platforms, are among the key suggestions.
- The proposed Data Protection Authority (DPA), it believes, should be a larger umbrella to handle non-personal data as well.
- Any future policy/legal framework on non-personal data should be made part of this legislation rather than a separate law. Apart from other industrial databases, non-personal data will also include anonymised personal data under the proposed changes.
- Apart from digital/software companies, the JCP is believed to have favoured bringing data collection by electronic hardware (telecom gear, IoT devices, etc.) under the ambit of this law itself.
- The legislation, as introduced, does not have any provision to keep a check on hardware manufacturers that collect data through digital devices.
- Given this backdrop, the JCP is believed to favour incorporating new clauses in the legislation that will allow the DPA to frame regulations on data handling by hardware manufacturers and related entities.
- This, in a way, will allow the DPA (a government authority tasked with protecting individuals’ data and executing this Act through codes of practice, inquiries, audits and more) to create a framework for monitoring, testing and certification that ensures the integrity of hardware equipment and guards against any seeding that may lead to a breach of personal data.
- It brings all social media intermediaries (governed by IT Rules) tightly under its ambit by redesignating them as social media platforms.
- Likewise, it is believed to have favoured that all social media platforms (which do not act as intermediaries) be treated as publishers and be held accountable for the content they host.
- A statutory media regulatory authority may be set up to regulate content on such platforms.
- The committee, however, is learnt to have favoured granting smaller firms exemptions from the principle of privacy by design envisaged in the legislation.
- For this purpose, the DPA may be given some avenue to make regulations granting exemptions to data fiduciaries (the entity that collects and/or processes a data principal’s data) below a certain threshold, so as not to hamper the growth of firms that can be classified as MSMEs.
- It is believed that the JCP has considered recommending an approximate period of 24 months be provided to data fiduciaries and data processors (The entity that a fiduciary might give the data for processing, a third-party entity) towards transition of their policies, infrastructure and processes for the implementation of the provisions of this law after its notification.
- During this period, a phased implementation is proposed with set deadlines for instituting DPA, registration of data fiduciaries, adjudicators (Officers in the DPA with the power to call people forward for an inquiry into fiduciaries, assess compliance, and determine penalties on the fiduciary or compensation to the principal) and appellate tribunals etc.
- The JCP is also believed to have favoured a specific timeline for data fiduciaries to report a data breach, with 72 hours considered a realistic and finite timeframe.
- The committee, however, was believed to be against requiring the data fiduciary to inform the data principal of each and every data breach.
- Instead, it was considering the recommendation that the DPA must first assess the personal data breach and the severity of harm before directing a data fiduciary to inform individuals of the breach.
- The committee is believed to have favoured a more exhaustive definition of a consent manager and recommended that the definition of harm should include psychological manipulation which impairs autonomy of a person.
Data can be classified into three categories:
- Personal data – Name, address, the identity details of a person
- Sensitive personal data (SPD) – Finances, Health, Caste, Religion, Belief, sexual orientation, etc.
- Critical personal data – National or Military security information