As per news reports, (see here, here), the Joint Parliamentary Committee (JPC) on the Personal Data Protection (PDP Bill) has adopted a final report on the PDP Bill. Several members of the JPC have also filed dissent notes on the report (see here, here).
The report and the dissent notes (there are at least seven) are not yet publicly available. However, news updates on these developments offer us some insight into JPC’s recommendations that have ostensibly been included in the report.
The report may recommend that the Central Govt. prepare a data localization policy (see here). There is no clarity on how this is accounted for the international data transfers rules currently found in the 2019 version of the Bill.
The report may also recommend that the Govt. take “concrete steps” to ensure that a mirror copy of Indians’ data that is already in the possession of foreign companies be “mandatorily brought back to the country in a time-bound manner” (see here). Is such an exercise even legally tenable or technically feasible?
The report may also recommend the creation of indigenous architecture. An example appears to be an Indian alternative to the SWIFT payment system (see here). All of this suggests a strong cross-sectoral stance on data localization is on the cards.
Social media companies
The report may recommend that social media companies be regulated as publishers and not intermediaries (see here, here). In general, we are apprehensive of efforts to rework the exemption from liability available to intermediaries for third-party information. That apart, this is also clearly a matter beyond the scope of a personal data protection law and should be taken up, if at all, under a separate consultation process.
Processing by the State (clause 12)
The Bill may set out all government departments “which are governed by law such as the Income Tax Department and the Unique Identification Authority of India, will be exempt from purposes of consent” (see here, here). Any such blanket exemption would disturb the horizontal applicability of the law. It may also compromise an assessment of India’s privacy regime in future data adequacy exercises.
Exemption for state agencies
The JPC may recommend that the exemption for government agencies under clause 35 only be exercised in “exceptional cases”. Exempted agencies will have to follow a “just, fair, reasonable and proportionate procedure”. While this suggests a step forward from the 2019 version of the Bill, the dissent notes from several members suggest that the safeguards suggested by the JPC may still be inadequate.
The Bill may now include provisions on non-personal data. However, the extent of changes in this regard is unclear. The 2019 version of the Bill did already include scope for the Govt. to require data fiduciaries to submit non-personal data to it for the purposes of policymaking or efficient service delivery. Is this being expanded upon?
The JPC may suggest a staggered approach to implementing the Bill to afford start-ups and businesses adequate transition time. We welcome this suggestion. This is in line with the approach taken to operationalise the GDPR.
What happens now?
It is important to note that the recommendations of the JPC are not binding on the Govt. MEITY is free to adopt the recommendations as it sees fit.
At this stage, the next steps are not immediately clear. The JPC could present the report and the dissent notes in the Lok Sabha. This could lead to the version of the Bill that has been prepared by the JPC being discussed further.
It is also possible that the JPC shares the report to the Government after which it remains confidential till presented to the House.
Another possibility is that MEITY reviews the JPC’s version of the Bill, and after modifying it, table a revised version of their own in the Houses for consideration and passing.