Comparing the Draft Data Protection Bill, 2021 with its predecessors

How have user rights fared through the multiple iterations of India's data protection law? In this post, we compare the latest version of the Bill to earlier versions to find out. A committee headed by retired Supreme Court Judge Justice BN Srikrishna has submitted its report on "Data Protection Framework" to the Government. The Committee ...

tl;dr

The much awaited Joint Parliamentary Committee Report (‘JPC Report’) on the Personal Data Protection Bill, 2019 (‘PDPB’) is finally here. We have updated you on the key takeaways from the JPC Report. In this post we present a bird’s eye view of how user rights have diminished from the Srikrishna Committee to the PDPB to the Joint Parliamentary Committee on Data Protection.

Context

In 2017, a month before the Supreme Court pronounced its judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India [AIR 2017 SC 4161], the Union Government constituted a Committee of Experts to deliberate on a data protection framework. The Committee was headed by Justice BN Srikrishna. In 2018, it published its report along with a draft of the legislation on data protection (‘2018 Bill’). In 2019, the Union Government introduced the PDPB and referred it to a Joint Select Committee (‘JPC’) consisting of 20 members. After almost two years, the JPC has tabled its report which contains the Draft Data Protection Bill, 2021. We have already updated you on the key takeaways from the JPC Report. In this post, we explain how the Srikrishna Committee Report (‘Srikrishna Report’), the PDPB and the Draft Data Protection Bill, 2021 have proposed different data protection regimes. We do this because these three documents are significant milestones on India’s long and protracted road to a data protection legislation.

As our analysis below demonstrates, the proposed law has become increasingly less respectful of individual rights, and more concerned with the impact of the regulation on the Union Government. For example, the Srikrishna Report provided for a data protection authority (‘DPA’) that was entirely independent of executive control. In contrast, the Draft Data Protection Bill, 2021 made the Union Government the sole authority to determine the scope of the DPA despite the fact that the DPA will regulate government agencies. Read our analysis on 8 key metrics to see how the proposed rights have evolved and how far it has strayed from the ruling of the Supreme Court in Puttaswamy.

Srikrishna Report: The Srikrishna Report stated that data processing practices in the digital economy are founded on consent (Page 32). Accordingly, the 2018 Bill provided for personal data to be processed on the basis of the free, informed, specific and clear consent of the data principal. Moreover, it stated that consent must be capable of being withdrawn (Clause 12).

PDPB: The PDPB adopts the provisions on consent contained in the 2018 Bill but states that consent must be explicitly obtained after giving the data principal the choice of separately consenting to the use of different categories of sensitive personal data [Clause 11(3)]. However, the PDPB also states that the provision on consent need not be applicable for the performance of any function of the State authorised by law for the provision of any service or benefit to the data principal from the State or for issuance of any certification, license or permit for any action of the data principal [Clause 12].

Draft Data Protection Bill, 2021: The Draft Data Protection Bill, 2021 broadly adopts the consent framework provided in the PDPB.

User rights

A. Right to confirmation and access

Srikrishna Report: The Srikrishna Report stated that the right to confirmation and access enables a data principal to enforce the substantive obligations of data fiduciaries (Page 39). Accordingly, the 2018 Bill provided data principals with the right to confirm whether a data fiduciary is processing or has processed personal data of the data principal as well as seek a brief summary of the personal data (Clause 24).

PDPB: The PDPB adopts the provisions of the 2018 Bill but also confers upon the data principal the right to access in one place the identities of the data fiduciaries with whom their personal data has been shared by a data fiduciary along with the categories of personal data shared with them [Clause 17(3)].

Draft Data Protection Bill, 2021: The Draft Data Protection Bill, 2021 has provided the option to the data principal to nominate a legal heir or a legal representative as their nominee who can exercise their right to confirmation and access and exercise the right to be forgotten in the event of the death of such data principal [Clause 17(4)].

B. Right to correction and erasure

Srikrishna Report: The 2018 Bill provided that the data principal has the right to obtain from the data fiduciary the correction of incorrect or misleading personal data, the completion of incomplete personal data and the updating of personal data that is out of date. The data fiduciary can disagree with the need to perform such changes but then the data principal could require the data fiduciary to indicate that the personal data in question is challenged by them. (Clause 25)

PDPB: The PDPB adopted the provisions of the 2018 Bill [Clause 18].

Draft Data Protection Bill, 2021: The JPC Report has not recommended any significant changes to the right to correction and erasure.

C. Right to data portability

Srikrishna Report: The Srikrishna Report was of the view that the right to data portability is critical in making the digital economy seamless, and empowers the data principals by giving them greater control over their personal data (Page 75). Thus, the 2018 Bill enables data principals to have their personal data transferred if the processing has been carried out through automated means [Clause 26(1)]. The 2018 Bill does not permit data portability if portability is not technically feasible or if it would reveal trade secrets of any data fiduciary or if processing is necessary for functions of the State [Clause 26(2)].

PDPB: The PDPB adopted the provisions of the 2018 Bill [Clause 19].

Draft Data Protection Bill, 2021: Under the Draft Data Protection Bill, 2021, the JPC has discussed the importance of protecting the right to data portability from frivolous claims of trade secrets that may be employed to deny data portability. Therefore, the Draft Data Protection Bill, 2021 has recommended that technical feasibility will be the only ground on the basis of which data portability may be refused. However, the decision of determining whether claims of technical feasibility are valid has been left to the data fiduciary “in such manner as may be specified by regulations” [Clause 19(2)(b)].

D. Right to be forgotten

Srikrishna Report: The Srikrishna Report recommended that the Indian data protection regime include a right to be forgotten for data principals. The 2018 Bill, hence, provided that the data principal must have the right to restrict or prevent continuing disclosure of personal data by a data fiduciary related to the data principal on the grounds of purpose fulfilment or the disclosure no longer being necessary (Clause 27). But, the right could only be enforced if an application to be forgotten was approved by an adjudicating officer appointed by the Union Government (Clause 68).

PDPB: The PDPB adopted the provision in the 2018 Bill but imposed an obligation on the data principal to demonstrate to the Adjudicating Officer that his right to prevent disclosure of personal data overrides the right to speech/receive information of any other citizen [Clause 20(2) proviso]. The PDPB also enables the data principal to appeal the decision of the Adjudicating Officer [Clause 20(5)].

Draft Data Protection Bill, 2021: The Draft Data Protection Bill, 2021 has recommended extending the right to be forgotten to processing as well, where it was previously limited to disclosure [Clause 20(1)].

Exemptions to the Government

The Srikrishna Report: The Committee proposed that the government not be exempted from the rigours of the data protection law unless it is authorised by a law which is made by the Parliament, and is necessary and proportionate. Moreover, such an exemption should only be granted if it is necessary for the security of the state (Clause 42 of 2018 Bill) and prevention, detection, investigation and prosecution of contraventions of law (Clause 43 of 2018 Bill).

PDPB: The PDPB empowered the Union Government to exempt any government agency from the purview of data regulation subject to such procedure, safeguards and oversight mechanism as may be prescribed by the Union Government (Clause 35). Thus, the PDPB places the powers under the law with the Executive entirely. The PDPB also expanded the grounds on which the Union can notify such exemptions to include “sovereignty, integrity, friendly relations with foreign states and public order”.

Draft Data Protection Bill, 2021: The Draft Data Protection Bill, 2021 has cemented the exemption for Government Departments as in the PDPB by inserting a non-obstante provision in Clause 35 which reads - “Notwithstanding anything contained in any law for the time being in force…”. It further recommends that the expression “such procedure” in Clause 35 must be interpreted as a procedure that is just, fair, reasonable and proportionate [Clause 35(iii)]. However, this is merely a change in the procedural safeguard and not a change in the conditions under which the exemption from the provisions will be granted and, thus, fails to quell the concern that the data regulation exempts the government.

Data Breach

Srikrishna Report: The Committee (Page 62) and the 2018 Bill recommended that data fiduciaries should notify the Data Protection Authority of any personal data breach relating to personal data processed by them ‘where such breach is likely to cause harm to data principal’ [Clause 32(1)]. The notification to the DPA must contain the nature of personal data breached, number of data principals affected, consequences of such breach, and action being taken by the fiduciary to notify such breach [Clause 32(2)]. The 2018 Bill also states that the DPA may inform the data principal of a breach depending on the severity of the harm caused by such a breach or if some action is required on the part of the data principal to mitigate the harm [Clause 32(5)].

PDPB: PDPB replicated the provisions of the 2018 Bill [Clause 25].

Draft Data Protection Bill, 2021: In a welcome development, the Draft Data Protection Bill, 2021 has dropped the requirement that data fiduciaries inform the DPA of a data breach only when the ‘breach is likely to cause harm to data principal’ [Clause 25(5)]. The JPC has recommended that data fiduciaries must inform the DPA whenever there is a breach of personal data. The Draft Data Protection Bill, 2021 has also imposed an obligation on data fiduciaries to inform the DPA within 72 hours [Clause 25(3)].

Significant data fiduciaries

Srikrishna Report: The Report emphasized the importance of the need to place additional obligations on companies that are capable of causing markedly greater harm to data principals as a result of their data processing activities. Accordingly, the 2018 Bill empowered the DPA to categorise certain data fiduciaries as significant data fiduciaries based on factors such as the volume of personal data processed, the sensitivity of personal data processed and the use of new technologies for processing [Clause 38(1)]. The 2018 Bill also conferred discretion upon the DPA to impose additional obligations on significant data fiduciaries.

PDPB: The PDPB allowed the DPA to notify social media intermediaries as significant data fiduciaries, which wasn’t the case in the 2018 Bill [Clause 26(4)]. Moreover, unlike the 2018 Bill which conferred the DPA with the discretion to impose additional obligations on significant data fiduciaries, the PDPB mandated significant data fiduciaries to conduct data protection impact assessments [Clause 27], enable auditing of their policies by an independent auditor [Clause 29] and appoint a data protection officer [Clause 30].

Draft Data Protection Bill, 2021: The Draft Data Protection Bill, 2021 has permitted the DPA to categorise those data fiduciaries that deal with the processing of data related to children as significant data fiduciaries [Clause 26(1)(g)]. It has also indicated that the data protection officer appointed by significant data fiduciaries must be a ‘senior level officer in the State’ or a ‘key managerial personnel in relation to a company’ [Clause 30(1)]. Key managerial personnel is defined to mean the Chief Executive Officer or the Managing Director, the Company Secretary, the whole-time Director, the Chief Financial Officer or such other personnel as may be prescribed by the DPA [Explanation to Clause 30(1)].

Social media intermediaries

Srikrishna Committee Report: The Srikrishna Committee Report does not make any references to social media intermediaries apart from stating that these entities process personal data of children (Page 43).

PDPB: The PDPB defines social media intermediary as an intermediary who primarily or solely enables online interaction between two or more users. Furthermore, the PDPB states that social media intermediaries may be notified as significant data fiduciaries depending on their number of users and their impact on electoral democracy, security of state, public order or the sovereignty and integrity of India [Clause 26(4)]. Every social media intermediary which is notified as a significant data fiduciary must enable users to voluntarily verify their accounts [Clause 28(3)].

Draft Data Protection Bill, 2021: The JPC Report recommends that all social media platforms which do not act as intermediaries be treated as publishers and be held accountable for the content they host (Para 1.15.12.7). To this end, it recommends that a mechanism be devised whereby social media platforms can be held responsible for content from unverified accounts. However, the Draft Data Protection Bill, 2021 does not provide a mechanism to treat social media intermediaries as publishers but merely recommends that the term ‘social media intermediary’ in the law be replaced with the term ‘social media platform’ [Clause 26(f), Clause 28(3) and Clause 28(4)].

Composition of the DPA

Srikrishna Report: The Srikrishna Report recommended that the DPA be governed by a board consisting of six whole-time members and a chairperson appointed by the Central Government on the recommendation of a selection committee. It also recommended that the selection committee to appoint the DPA should consist of the Chief Justice of India (‘CJI’) or their nominee (who is a judge of the Supreme Court of India), the Cabinet Secretary, Government of India, and one expert nominated by the CJI in consultation with the Cabinet Secretary [Clause 50]. The Srikrishna Committee had recommended a committee headed by the CJI to appoint the DPA because it expected the government agencies to be regulated by the data protection law (Page 151). Thus, there was a need to ensure the independence of the DPA from the Union Government.

PDPB: Compared to the Srikrishna Report, the PDPB vested the executive with the sole authority to appoint the DPA, despite the fact that the DPA would also regulate government agencies. As per the PDPB, the selection committee of the DPA would be chaired by the Cabinet Secretary and other members would include Secretaries to the Union Government [Clause 42].

Draft Data Protection Bill, 2021: The Draft Data Protection Bill, 2021 has continued to vest the authority to select the DPA with the executive but has expanded the committee to include an expert nominated by the Union Government, the Attorney General of India, a Director of any of the Indian Institutes of Technology, and a Director of any of the Indian Institutes of Management. Both the Directors would also be nominated by the Central Government [Clause 42(2)].

Offences and penalties

Srikrishna Report: The Srikrishna Report recommended that offences under the data protection law should be linked to any intentional or reckless behaviour, or to damage caused with knowledge to the data principal (Page 166). The 2018 Bill penalised obtaining, transferring, disclosing and selling of personal and sensitive personal data in violation of the provisions of the data protection law with imprisonment for a term not exceeding 5 years or fine or both (Clause 91). The 2018 Bill also penalised dangerous re-identification of personal data that has been de-identified by a data fiduciary with imprisonment not exceeding 3 years or fine or both (Clause 92).

PDPB: The PDPB penalised the re-identification of personal data which has been de-identified by a data fiduciary without the consent of such data fiduciary, with imprisonment or fine or both (Clause 82). The PDPB does not penalise other violations of the data protection law.

Draft Data Protection Bill, 2021: The Draft Data Protection Bill, 2021 has adopted the provisions of the PDPB on offences. However, it has made an arbitrary classification to treat government authorities that are processing data as separate “government data fiduciaries” which may be liable for any offence committed. The Bill further states that where an offence has been committed by a government data fiduciary, an in-house enquiry shall be conducted by the Head of Office of the concerned data fiduciary and subsequently the liability may be decided. This creates a situation where the government data fiduciary evaluates its own offence [Clause 86].

Regulation of Non-Personal Data

Srikrishna Report: The Srikrishna Report and the 2018 Bill did not apply to non-personal data. The Srikrishna Committee left the question of non-personal data to the ‘wisdom of a prospective committee in the hope that they will be properly considered’. (Page 13)

PDPB: The PDPB allows the Union Government to direct any data fiduciary or data processor to provide any anonymised personal data or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies [Clause 91(2)].

Draft Data Protection Bill, 2021: The JPC Report has, in its recommendations, indicated that, since the aim of the Bill is to protect privacy, restricting the scope of the Bill to personal data would be detrimental (Para 1.15.8.3). Thus, the Draft Data Protection Bill, 2021 permits the Central Government to frame any policy for the digital economy including the handling of non-personal data [Clause 92(1)]. In what is a positive step, the Draft Data Protection Bill, 2021 also directs the Central Government to annually disclose to the Parliament the directions it may issue to data fiduciaries under Clause 91(2) [Clause 92(2)].


Important Documents

  1. The Personal Data Protection Bill, 2019 as introduced by the Minister of Electronics and Information Technology, Mr Ravi Shankar Prasad. (link)
  2. The report of the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019 tabled on December 16, 2021 (link)
  3. IFF's Public Brief and Analysis of the Personal Data Protection Bill, 2019. (link)
  4. Key Takeaways: The JPC Report and the Data Protection Bill, 2021 #SaveOurPrivacy (link)
  5. Our #StartfromScratch series on the PDP Bill, 2019 (link)
  6. Our #DataProtectionTop10 series, wherein we analyse the top 10 issues in the Bill in detail (link)
  7. The #PrivacyOfThePeople series, which looks at how the Bill will impact our daily lives based on its impact on different sections of society (link)
