Last Thursday, after just over two full years of deliberations, the Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill submitted its report along with a revised draft. With this, India has taken a further, albeit extremely slow, step in the direction of a full-fledged privacy law.
Many of the changes suggested by the JPC are welcome. The 2019 draft required that children’s personal data be processed in a way that was “in the best interests of the child”. Since decisions about what constitutes the best interests of the child are best left to parents and natural guardians, the new language proposed by the JPC, which stipulates that children’s personal data must be treated in a way that protects children’s rights, is welcome. Likewise, the introduction of a new Article 62, under which the main data controllers can lodge a complaint with the Protection Authority if they are not satisfied with the way their grievance has been handled by the data trustee, carefully ties together one of the last remaining points of the bill’s grievance mechanism.
Other recommendations are somewhat innocuous, if a little flawed. For example, the new definitions of “data trustee” and “data processor” now specifically include a reference to non-governmental organizations, even though the existing language, which includes “businesses and any legal entity”, would have extended to them anyway.
Other changes, while seemingly insignificant, could have a substantial impact on how the law is implemented. While much of the public’s attention has focused on section 35, the effect of changes throughout the bill on section 36 exemptions is perhaps more insidious. The latest draft exempts in its entirety the applicability of Chapters II to VII for, inter alia, law enforcement purposes. Although similar language has been part of the draft since 2018, these exemptions have always been qualified: in the 2018 draft by an obligation to treat personal data in a fair and reasonable manner that respects the privacy of the data principal, and in the 2019 draft by an obligation to process personal data only for specific, clear and lawful purposes. The current draft removes all these qualifications on the processing of personal data.
Likewise, the scope of Article 12, which permitted the processing of personal data without consent for the exercise of state functions on only two grounds – (i) the provision of services or benefits and (ii) the issuance of certifications, licenses or permits – has been innocently broadened by the insertion of the word “including”, which now suggests that these two categories are only illustrations of the many other reasons why the state could collect data without consent.
But what is perhaps of most concern are the concepts that were introduced into this draft for the very first time. Take, for example, the recommendation that a framework be established for the monitoring, testing, and certification of hardware devices. As far as I know, this type of provision is unprecedented in the world, and while it makes sense to worry about the risk to privacy posed by the proliferation of hardware devices, aren’t these concerns already addressed more than adequately in the principles of confidentiality that serve as the basis of the law?
The obligation to appoint data protection officers has always been imposed on important data trustees, but the new draft specifies that these delegates must belong to the general management of the company. Although the objective behind this stipulation appears to be to ensure that companies do not appoint a low level official to fulfill their obligations, when applied in the context of global internet companies providing services to clients in India, it seems to suggest that only the chief a general manager, CFO or full time director of the foreign company providing the service can be appointed as data protection officer for India.
But perhaps the most extraordinary change, by far, is its extension of the scope of the law to also include non-personal data. The JPC went so far as to change the very title of the bill to reflect this thinking, turning the Personal Data Protection Bill into simply the Data Protection Bill and replacing references to “personal data” in various sections with the term “data”. In my opinion, these amendments are both unwarranted and misguided. Non-personal data has no impact on confidentiality, unless some of this data becomes personally identifiable. Personal data, by its very definition, refers to directly or indirectly identifiable data concerning or relating to a natural person, which suggests that as soon as non-personal data becomes identifiable, it will automatically be covered by the provisions of the law. This should sufficiently take into account any risk to privacy posed by non-personal data.
I have long argued that data trustees should be encouraged to anonymize personal data, so that in the unfortunate event of a data breach, the resulting damage to privacy is minimized. One way to achieve this would be to exclude non-personal data from the scope of this law. Now that anonymized data is included within the scope of the proposed law, this powerful incentive will no longer exist.
The regulation of non-personal data should aim to unlock the value inherent in data. Including it in a data protection regime will have the opposite effect.
Rahul Matthan is a partner at Trilegal and also has a podcast called Ex Machina. His Twitter handle is @matthan