Guest post by Pallavi Mohan
What is the Data Protection Bill, 2021?
In December 2019, the Personal Data Protection Bill was first introduced in the Lok Sabha. Two years later, on 16th December 2021, the Joint Parliamentary Committee (JPC) looking into the 2019 Bill, tabled a report in both houses of the Parliament providing its recommendations. As per the report, the 2019 Bill has been renamed the Data Protection Bill, 2021.
Why was the ambit of the bill expanded to include non-personal data?
One of the major changes recommended in the JPC’s report is the inclusion of non-personal data within the ambit of the Bill. This is because distinguishing between personal and non-personal data, especially when mass data is collected or transported, is difficult. So, to better protect data privacy, there should be a single regulator overseeing all kinds of data collected from a person.
What are ‘Personal Data’ and ‘Non-Personal Data’?
Any data that contains personally identifiable information which could be used to identify a particular person is ‘personal data’. For example, name, address, photos, Aadhar number, PAN card number, etc.
On the other hand, data that does not contain personally identifiable information is called ‘non-personal data’. Examples include data collected by government agencies during a census, data identifiers about a set of people who have the same geographic location, religion, job, or other common social interests.
What has the JPC recommended for regulating social media?
Regarding social media platforms, the JPC report observes that while the Information Technology Act of 2000 (IT Act) categorises such platforms as “intermediaries”, it does not have mechanisms robust enough to make them accountable for the content published on them.
It recommends that all social media platforms, which do not act as intermediaries, should be designated as “publishers of content”. This would allow them to select the receiver of the content and control the access of any content posted on the platform. This will help increase their accountability for the content they publish, like print and electronic media.
What does the JPC report recommend for data localisation?
The JPC observes that India must not permit the data of its citizens to be governed by other countries. It strongly recommends that the Central Government take steps to ensure that a mirror copy of sensitive and critical personal data, already in the possession of foreign entities, is mandatorily brought back to India promptly. This is important for national security, which cannot be compromised on grounds of promotion of business.
When will the Act (based on the Bill) be implemented?
The JPC estimates that approximately 24 months’ time to implement the Act. This would be sufficient time for data processors and data fiduciaries to change their policies, infrastructure, and processes. However, it also cautions the Government to consider the legitimate interests of businesses, while implementing the Act.