While the Joint Parliamentary Committee (JPC) giving its approval for the Personal Data Protection Bill is a key milestone in the country’s journey towards the data economy, there are still several areas of ambiguity and concern that need to be addressed before it becomes a law. At present, there are no laws in the country on the use of personal data and preventing its misuse, although the Supreme Court upheld privacy as a fundamental right in 2017. The draft legislation was referred to the JPC nearly two years ago for a closer study and the Bill is now expected to be tabled in the ongoing winter session of Parliament. A key area of concern is a provision that gives sweeping powers to government agencies to collect and process personal data of citizens. It is problematic that the JPC has chosen to invoke the ‘national security’ plank to allow the Central government to exempt its agencies from complying with the provisions of the Data Protection Act if it is convinced that such exemption is “necessary or expedient”. These terms are very vague and could provide a potential carte blanche to the government to unilaterally exempt agencies from complying with the Act. Terms like ‘sovereignty and integrity of India’, ‘security of the State’ and ‘public order’ are wide enough to be all-encompassing and imprecise, effectively diluting any check on such exemption. Another contentious area pertains to the provision that treats the social media platforms as publishers and makes them responsible for the content posted on their sites. The reports suggest that the JPC has recommended legal and criminal proceedings against independent directors and non-executive directors on board of top social media, internet or electronics hardware for wilful offences for data management violations in cases of complicity and negligence.
The proposal to classify social media platforms as publishers is bound to face legal challenges as it places the onus for user-generated content on internet companies and will impact a host of global majors including Facebook, YouTube, Twitter and WhatsApp, all of whom stand to lose the safe harbour or immunity currently provided by the Information Technology Act, 2000. There is a need to build a consensus on such issues by accommodating the suggestions from all stakeholders, including industry bodies, before a robust data protection legislation is put in place. Clauses such as the inclusion of non-personal data in the privacy law as well as provisions for certifying hardware devices and the demand that sensitive personal data and critical personal data be stored locally have also fuelled concerns. Another important decision by the JPC has been to retain Section 12 of the 2019 Bill intact, which allows for the processing of individuals’ personal data without their consent if it is necessary for any function of Parliament or State Legislature.
Now you can get handpicked stories from Telangana Today on Telegram everyday. Click the link to subscribe.