An interesting phase in the history of data protection law in India has started with the presentation of the new version of PDPB2021 by the JPC to the Speaker. It will become public once the bill is formally presented. Until then we need to work on the comments appearing in the press.
Some of the reports appearing in the press are here
The report suggests that one of the members namely Mr Manish Tiwari has dissented the bill in its entirety and said that it is “Ultra vires the fundamental right to privacy as laid down by the 9 judge bench of the Supreme Court of India in Puttaswamy (2017) judgement”.
The TMC members Derek O’Brien and Mahua Moitra have said that the Bill does not provide adequate safeguards to protect the right to privacy and gives an overboard exemption to the Government under Clause 35″.
Another Congress member Mr Gaurav Gogoi said that the bill pays little attention to “harms arising from surveillance”
According to one of the reports,
- The proposed change to delete the turn over based penalty structure appears to have been dropped.
- The data breach notification would be required both for Personal and Non Personal data within 72 hours
- Companies need to ensure fairness of algorithm or method used for processing personal data
- The DPO needs to be from senior management
- Companies will need to mandatorily disclose to data principals if their information is passed to third party.
- If the Government agency has to pass on the information for the purposes of state use, there is no need for mandatory disclosure
- Government departments to carry out in-house inquiry to fix blame in case of breach instead of head of department being responsible
- Government should quality penalties for companies violating provisions of law.
- The law will be implemented in a phased manner over a period of 2 years.
It appears that the recommendation that Social media companies should mandatorily verify users to keep their status as intermediaries (Ed: i.e. to claim exemption from liability from Section 79 of ITA 2000), will be retained.
The JPC appears to have also indicated that copies of sensitive and critical personal data that has already been with foreign entities and stored abroad has to be brought into India in a time bound manner.
The copy of the report and the dissent statements are already with select media houses. They are likely to be in public space after 29th November 2021 when the Bill will be formally tabled in the Parliament.
We look forward to the copy of the bill to understand the changes.
The big relief is that an important step towards the passing of the Act has been taken. From the dissent notes it is clear that once the bill is passed, there will be a challenge mounted in the Supreme Court and the battle will go on.