On Monday, after nearly two years of deliberation and review, Parliament’s Joint Committee on the 2019 Personal Data Protection Bill finalized its recommendations, which will likely be presented in the next winter session of Parliament. . The bill seeks to inaugurate a data governance architecture in India that fills an existing gap in the institutional framework. It seeks to put in place safeguards to protect personal data, guarantee confidentiality and ensure transparency and accountability in data management. However, several MPs from political parties such as Congress, Trinamool Congress and the BJD submitted dissenting notes, opposing specific provisions. These concerns, along with the committee’s recommendations, need to be fully explored.
Of particular concern are Articles 35 and 12 of the bill. Under section 35, the Center may exempt from the application of all provisions of the law any government agency when it is deemed to be in the national and public interest. Equally concerning is section 12 (a) (i) which creates space to exempt the government from consent provisions, allowing it to collect personal data without individual approval. Opposition members rightly opposed the granting of general exemptions, especially without the creation of a monitoring mechanism. As some have suggested, seeking parliamentary approval may be a more cautious approach. At the very least, given the far-reaching ramifications of such sweeping exemptions, these provisions need to be considered in more detail. Adequate safeguards must be in place to protect the right to privacy and prevent the misuse of personal information.
In its recommendations, the committee came out in favor of broadening the scope of the draft law on the protection of personal data, by including non-personal data in its scope. As privacy concerns revolve around personal data, if the data is non-personal and anonymized, should a similar regulatory architecture be adopted for non-personal data as well? Moreover, while the committee is also in favor of the introduction of data collection by electronic equipment within the framework of this law, why should a specific distinction be made between hardware and software? Then there are suggestions to bring all social media intermediaries into the scope by redesigning them as social media platforms. Although the committee suggested that all social media platforms (which do not act as intermediaries) be treated as publishers, what about the IT rule provisions? According to reports, there also appears to be a concerted push towards data localization, although it is not clear whether this will be implemented gradually, depending on the sensitivity of the data. Parliament needs to examine these issues in more detail, strengthen the framework and act quickly to usher in a data protection architecture in India.