Following two years of scrutiny, the Joint Parliamentary Committee is finally set to adopt its report on the Personal Data Protection Bill 2019, drawing dissent notes from multiple opposition party members of parliament.
The report has suggested that all social media platforms (or intermediaries) should be classified as publishers, and thus held accountable for the content posted by users on their platforms. It also suggested the mandatory verification of the users on the platform, for those who provide the necessary documents for verification. The JCP has further called for the establishment of an independent body intended to regulate social media platforms.
According to the report, a period of 24 months will be provided for the implementation of the act, following its passing in the parliament, "so that the data fiduciaries and data processors have enough time to make the necessary changes to their policies, infrastructure, processes etc."
Chaired by Bharatiya Janata Party MP P P Chaudhary, the JCP met on Monday to adopt recommendations on the Bil, which is to be tabled in the upcoming Winter Session of the Parliament. The bill is expected to have major consequences on India's growing digital landscape.
State Excluded From Act
Several opposition members of parliament, including Congress MPs Jairam Ramesh, Manish Tewari and Gaurav Gogoi, Trinamool Congress MP Derek O'Brien, and Biju Janata Dal's Amar Patnaik have either filed in dissent notes, or are expected to follow suit ahead of the parliamentary sessions.
The dissent notes highlighted how Section 35 and 12 of the bill gave "unbridled" exceptions to the state, and provided it with sweeping powers to break privacy.
Ramesh further tweeted out the dissent note, stating that he was compelled to file it, while highlighting the "democratic manner in which the Committee has functioned".
While contesting the powers and exemptions given to the state under Section 35, Ramesh noted, "Governments and government agencies are treated as a separate privileged class whose operations and activities are always in the public interest and individual privacy considerations are secondary."
"Section 35 gives almost unbridled powers to the Central Government to exempt any government agency from the entire Act itself," he said, while stating that he had suggested the approval of a parliamentary committee for each case of such exemption to the government. "Even then, the Government must always comply with the Bill's requirement of fair and reasonable processing and implementing the necessary security safeguards."
Reining In On Social Media
The suggestions made by the report on the functioning of social media companies in the country will have major ramifications for non-Indian social media platforms like Facebook, Twitter and WhatsApp.
While stressing on the need to regulate social media, the report said, "The committee, Considering the immediate need to regulate social media intermediaries, have a strong view that these designated intermediaries may be working as publishers of the content in many situations, owing to the fact that they have the ability to select the receiver of the content and also exercise control over the access to any such content hosted by them."
The JCP also recommended that no social media "no social media platform should be allowed to operate in India unless the parent company handling the technology sets up an office in India".
Yet another key recommendation was storing Indian user data locally. "In the Committee's view, India may no more leave its data to be governed by any other country," the report read. It added, "The Central Government to ensure that a mirror copy of the sensitive and critical personal data which is already in possession of the foreign entities be mandatorily brought to India in a time bound manner."
Public policy expert Prasanto K Roy told the Economic Times that classifying intermediaries as publishers will be detrimental to the functioning of social media platforms in the country.
"Without safe harbour, the social media platforms are open to hundreds of frivolous, sometimes dangerous, lawsuits. So, they can't operate without safe harbour protection as intermediaries, or accept "accountability for content" as they would need to shut down," Roy told ET.
Personal And Non Personal Data
The report also intends to widen the ambit of legislations by including not just personal data, but non-personal data as well. Non-personal data is any form of data that does not contain personally identifiable information.
It includes data on demographics, such as age and gender, but excludes information like name, contact number or user IDs. Under the proposed changes, non-personal data will also include anonymised personal data along with industrial databases.
While the bill was first introduced as a 'privacy bill', the inclusion of non-personal data will change the very nature of the bill. For this very reason, the JCP has suggested that the title of the bill be changed from 'Personal Data Protection Bill', to simply 'Data Protection Bill'.
However, experts believe that that inclusion of 'non-personal' data will receive pushback from the tech industry, which recommends separate legislation for such data.