Read Time: 07 minutes

The Joint Parliamentary Committee (JPC) Report on the Personal Data Protection (PDP) Bill, 2019 was tabled in both Houses of Parliament on Thursday. The Joint Parliamentary Committee headed by BJP MP PP Chaudhary, tabled the report in the Lok Sabha. The Committee tabled the report after 2 years of its constitution.

The report is 542 pages long and discusses 81 changes. Following are some of them:

Dropping ‘personal’ from ‘Personal Data Protection Law’

First and foremost, the report suggested dropping ‘personal’ from the title ‘Personal Data Protection Bill’ stating that the law would protect both personal and non-personal data, i.e. personal data that has been anonymised. Chaudhury noted that confining the law only to personal law is detrimental to the cause.

Social Media

The report said that the social media intermediaries may be working as publishers of the content in many situations, because they have the ability to select the receiver of the content and also exercise control over the access to any such content hosted by them. Hence, there is a need to regulate the same.

The panel recommended that all social media platforms, which do not act as intermediaries, be treated as “publishers” and be held accountable for the content they host.

A mechanism should be devised where social media platforms, which do not act as intermediaries, will be held responsible for the content from unverified accounts on their platforms.

It has also suggested classifying social media platforms as significant data fiduciary. The Committee suggested that no social media platform should be allowed to operate in India unless the parent company sets up a local office.

Statutory Regulatory Body

The Report has also recommended setting up of ‘statutory media regulatory authority’ on the lines of Press Council of India, for the regulation of the contents on all such media platforms irrespective of the platform where their content is published, whether online, print or otherwise.

Power of Government

According to the recommendations, the central government will have full power to direct the Data Protection Authority (DPA) on all issues. It can also exempt any government agency from the purview of the Act, subject to just, fair, reasonable and proportionate procedure.

Penalty

Depending on the severity of the violation and the size of the entity, penalty would be imposed. If an entity does not take prompt action in case of a data breach, does not register with DPA, does not undertake impact assessment, conduct a data audit or appoint a data protection officer or DPO, it can be fined a maximum of ₹5 crore or 2% of its global revenue, whichever is higher.

For severe cases of contravention, the penalty will be a maximum of ₹15 crore or 4% of global revenue, whichever is higher.

“Startups and smaller data fiduciaries engaged in innovation and R & D need to be considered separately," the panel noted.

Transfer of Data outside India

Data will not be shared with foreign entities without approval of central government.

The penalty for violating this condition would be Rs 15 crore, or 4 per cent of the violating entity’s total worldwide turnover of the preceding financial year, “whichever is higher.”

Data Breach

Any affected company or state entity would be required to inform the Data Protection Authority “within 72 hours of becoming aware of such breach.”

The committee also recommends that where applicable, companies or any entity processing personal data (referred to as ‘data fiduciary’) be required by regulations to show their “fairness of algorithm or method used for processing of personal data”.