Why is there a need for a data protection Bill?
Earlier this week, a Joint Committee of Parliament (JCP) adopted the final report on the Data Protection Bill, marking a milestone for India, the largest open internet market in the world that has been trying to frame a privacy Bill for over a decade. India has nearly 800 million internet users and is the biggest market for many Big Tech firms, including Google, Meta (formerly Facebook) and WhatsApp. The country’s laws have, however, not been able to catch up with massive strides in technology and its umbrella Information Technology Act, 2000 does not even contain the words internet or smartphone. Data protection, ensuring individual privacy and clearly spelling out the state’s surveillance powers are sorely needed, and the Bill’s finalisation is a big step in that direction.
Has the name of the legislation changed?
It was earlier called the Personal Data Protection Bill, 2019, but as it will now contain provisions on non-personal data, the JCP has recommended a name change. It will be called the Data Protection Bill, 2021 and, once passed, the Data Protection Act, 2021.
What is non-personal data?
Any data that has not been defined as personal is considered non-personal data. It can be an anonymous, de-personalised data set held by the government, a not-for-profit or a large corporation – for instance, a data set by Google on how many people take a particular form of public transport on a given route at a specific time each day, or how many people in a locality order what kind of food during the weekends. These are data sets that are stripped of personal identifiers.
Why is there criticism over the inclusion of non-personal data?
The Committee has given the government the right to frame legislation around non-personal data and has allowed it to ask for any non-personal data from any data fiduciary. It has said that a single Data Protection Authority will regulate both personal as well as non-personal data. Experts feel personal and non-personal data should have been kept separate. The government may also get overarching powers by including non-personal data in the Bill.
How soon will the new legislation be implemented?
The committee has spelt out a clear timeline for various stages of implementation. It has recommended a 24-month window for implementation of the provisions of the Act. This is to ensure that the “data fiduciaries and data processors have enough time to make the necessary changes to their policies, infrastructure, processes etc.” It also says the chairperson and members of the DPA will be appointed within three months, that the DPA will commence its activities within six months from the date of notification of the Act, the registration of data fiduciaries should start not later than nine months, and adjudicators and the appellate tribunal begin work not later than 12 months.
What does it contain on regulation of social media?
The report has clearly stated that the IT Act has not been able to regulate social media platforms adequately. It has recognized the immediate need to regulate social media intermediaries. It says all social media platforms that do not act as intermediaries should be treated as publishers and be held accountable for the content they host. It has also said no social media platform should be allowed to operate in India unless the parent company sets up an office in the country, and that a body on the lines of the Press Council of India should be set up to regulate them.
Why has it recommended an alternative to the current SWIFT system of cross-border payments?
The JCP feels data protection in the financial sector is a matter of genuine concern. Since Indian citizens are engaged in significant cross-border payments, the committee has recommended a homegrown alternative to the SWIFT payment system. This will not only ensure privacy, but also boost the domestic economy, it says.
Why does the JCP want certain kinds of data to be brought back to India?
The committee has said that India should no longer leave its data to be governed by any other country since national security is of paramount importance. It has asked the government to ensure that a mirror copy of sensitive and critical personal data, which may be already stored by foreign entities outside the country, should mandatorily be brought back within a specified time frame. It has also asked for data localization provisions to be followed “in letter and spirit” and sought a gradual move towards data localisation.