India’s Joint Parliamentary Committee on Thursday released its report on the Personal Data Protection Bill 2019 (PDP) in both Houses of Parliament. The report is a clause-by-clause review of proposed law with more than 80 recommendations and 150 editorial changes to enable MPs to debate and vote on the country’s first data protection law.
The report recommends changing the scope of the bill to include non-personal data, after noting that it is impossible to clearly distinguish between personal and non-personal data. Several parts of the bill already deal with various types of data requiring different levels of security. The non-personal data subset will also include anonymized personal data.
Another key recommendation is an amendment to the consent requirements under clause 11 (4), stating that data users cannot refuse goods or services based on the data provider’s refusal to consent to data processing. personal information not required for this purpose.
The Committee retained the controversial exemption powers granted to the central government under section 35. This exception allows the government to exempt any of its agencies from data protection regulations. The Committee attempted to temper the provision with a clause requiring the central government or its agency to follow a “fair, equitable, reasonable and proportionate procedure”, drawing on the exceptions to the right to privacy set out in Puttaswamy v Indian Union (2017). Committee members dissatisfied with this approach, including senior parliamentarians Jairam Ramesh, Derek O’Brien and Manish Tewari, filed dissenting notes with the presidents of both houses.
Industry bodies are also concerned that a higher level of compliance mandating localization of data, certification of digital and IoT devices, accountability of social media platforms, etc. does not dampen the country’s start-up and innovation culture.