(Vikram Jeet Singh and Kalindhi Bhatia)
Indian data privacy laws are in the process of being overhauled following the Indian Supreme Court’s 2017 ruling holding that informational privacy is a fundamental right. The first iteration of the proposed law was released in 2018; subsequently, a second iteration called the Personal Data Protection Bill, 2019 (“PDP Bill”) was introduced in 2019 with some changes. Following its release in December, 2019, the Bill was referred to a Joint Parliamentary Committee of the Indian Parliament (“JPC”) for their review and recommendations.
After nearly two (2) years of discussions, the JPC placed its Report before the Parliament on December 16, 2021.
The Report can be viewed here.
This Report contains a detailed account of the regulatory intentions behind the new data privacy bill and deserves to be read in its entirety. We have set out below a few key ‘recommendations’ proposed by the JPC:
Inclusion of Non-Personal Data in Scope: To avoid multiple legislations and constitution of separate data protection authorities, the Report proposes including regulation of non-personal data within the provisions of the PDP Bill. A single Data Protection Authority (“DPA”) will govern both fields, of non-personal data and personal data.
Data localisation proposed: Where existing personal data is held by entities out of India, requiring storing a copy of sensitive and critical data within India is mooted. It is reiterated that government surveillance over such data will be subject to strict application of the principle of necessity.
Data Protection Officers (“DPO”): In addition to the existing requirement of being a resident of India, the DPO should be a ‘key managerial personnel’ of the data collector and possess requisite domain expertise.
Clear consent needed: Language of the draft provision pertaining to consent should be modified to clarify that the data subject’s consent is to be obtained based on context and conduct of collection, without any kind of implicit inferences.
Data collection through hardware products: Formulation of a certification mechanism for emerging technologies (which are used to train systems based on artificial intelligence), digital, and IoT devices that collect personal data. Lab/testing mechanisms to be set up across India that provide this facility and devices/technologies not meeting criteria set out by the DPA to be denied certification.
Social media platforms: All social media platforms that do not act as intermediaries, but exercise control on the visibility and target audience of content hosted on their platforms, to be treated as “publishers” and be held accountable for such content. Additionally, no social media platform to be permitted to operate in India unless the parent company of such platform has set up a physical office in India.
Phased implementation: The Report recommends providing subject entities a period of two (2) years from the date of enforcement of the law to undertake necessary changes to comply with the provisions of the PDP Bill.
Data of Children: Data collectors exclusively dealing with children’s data to register themselves with the DPA.
Do note that this version of the Report and recommendations may influence the final law passed by the Parliament. As a next step, expect a fresh data privacy bill to be tabled for discussion in the near future.