BackPanel favours widening data legislation’s scope
The committee recommended setting up a statutory authority for regulating social media platforms on the lines of the Press Council of India
PremiumA joint parliamentary committee (JPC) on data protection suggested widening the scope of the law to cover non-personal data, mandatory mirroring of sensitive data locally, regulation of content on social media platforms and treating platforms that are not intermediaries as publishers.
The panel’s report, which was tabled in Parliament on Thursday, recommended a staggered implementation and a two-year transition period for compliance with the new law.
The committee recommended setting up a statutory authority for regulating social media platforms on the lines of the Press Council of India. It also suggested levying penalties in cases of violation of rules while keeping startups and smaller entities out of the purview.
Panel chairperson P.P. Chaudhary said while the committee has suggested “enough safeguards" to protect individual privacy, it cannot override national security.
“When there is a conflict between national security and individual privacy, then there is a stated policy of our country as per Constitution that nation comes first and individual privacy comes second," he said, adding in such an instance, the government can order its agencies to process data of any individual without permission.
According to the recommendations, the central government will have full power to direct data protection authority (DPA) on all issues. It can also exempt any government agency from the purview of the Act, subject to just, fair, reasonable and proportionate procedure.
The move to keep government agencies outside the purview has been opposed by lawmakers from opposition parties who filed their dissent notes.
In its 542-page report, the panel suggested regulating content on social media platforms and making platforms that are not intermediaries accountable for the content they publish, including from unverified accounts. In addition, only social media platforms that set up offices locally will be allowed to operate in India.
The bill once brought into effect as law would supersede all other laws related to data protection in India. “The point that I’m excited about is that the draft has made it into a data protection law and not a personal data protection law," said N.S. Nappinai, a Supreme Court lawyer and cyberlaw expert.
The committee suggested that all data related issues would be dealt with by DPA as the single administrative and regulatory body to avert contradiction, confusion, and mismanagement.
Keeping data security in mind for all devices, including IoT devices, the panel suggested regulation of hardware manufacturers by DPA, proper certification of players with proper testing lab facilities. In addition, the data protection bill puts obligations on data fiduciaries that process the personal data of children. The JPC has deleted provisions of ‘guardian data fiduciaries’ in the draft bill, terming it superfluous while keeping the age of consent for data use by fiduciaries at 18 years.
Nappinai added that it is good that JPC has mandated an absolute embargo on companies profiling children instead of limiting it only to “guardian data fiduciaries", as the draft personal data protection bill did in 2019.
The committee suggested a staggered approach to levying penalties, depending on the severity of the violation and the size of the entity. If an entity does not take prompt action in case of a data breach, does not register with DPA, does not undertake impact assessment, conduct a data audit or appoint a data protection officer or DPO, it can be fined a maximum of ₹5 crore or 2% of its global revenue, whichever is higher.
For severe cases of contravention, the penalty will be a maximum of ₹15 crore or 4% of global revenue, whichever is higher. “Startups and smaller data fiduciaries engaged in innovation and R&D need to be considered separately," the panel noted.
The committee suggested that all social media platforms that do not act as intermediaries be treated as publishers and be held accountable for the data they host. Further, a mechanism should be devised where social media platforms, which do not act as intermediaries, be held responsible for the content from unverified accounts on their platforms. “Once an application for verification is submitted with necessary documents, the social media intermediaries must mandatorily verify the account," said the report.
Unlock a world of Benefits! From insightful newsletters to real-time stock tracking, breaking news and a personalized newsfeed – it's all here, just a click away! Login Now!
