First, some background 

• In 2017, the Supreme Court recognised the right to privacy as a fundamental constitutional right—and directed the government to create a framework to protect citizens’ data. 
• In 2019, the government introduced the Personal Data Protection Bill that set the basic ground rules for how personal data should be collected and stored. 
• It also proposed the creation of a new regulatory agency, the Data Protection Authority (DPA) —which will monitor the implementation of the law. 
• A Joint Parliamentary Committee was set up to study the provisions of the bill and give its recommendations—and it submitted its report yesterday.

The bill: requires companies to do the following:

• Tell you about their data collection practices and seek your consent—and store evidence of such consent.
• Create a system that allows you to withdraw your consent.
• Give you the right to access, correct, and erase your data.
• Make changes to protect your data better—and in a manner where privacy is a key consideration in how the business is organized.
• Ensure all “sensitive personal data” is stored in India and that “critical personal data” is not transferred out of India. 

Point to note: The bill imposes hefty penalties for violations: Rs 150 million (15 crore) or 4% of the annual turnover of the company that controls the storage of your data. Also: A fine of Rs 50 million (5 crore) or 2% of the annual turnover if the company fails to conduct a data audit.

Ok, so what did the report say?

The report did not challenge the crux of the bill but recommended adding new provisions. Let’s start with the rules for social media companies. The government recently implemented new rules to more closely control social media platforms (explained here). The JPC report recommends a slew of new restrictions. 

One: Social media companies—which do not act as ‘intermediaries’—should be held responsible for content shared on their platform, and for content from unverified accounts.The key word is ‘intermediaries’—because IT laws grant a ‘safe harbour’ exemption to the likes of Twitter and Facebook so they are not held responsible for what users say or do on their platforms. But this signals that the government is moving toward yanking that protection—or at least making it easier to do so.

Point to note: The government already gave itself the power to require social media platforms to take down content it does not like—and cancel their ‘intermediary’ status if they fail to comply. So this new provision just tightens that screw.

Two: No social media platform should be allowed to operate unless the parent company handling the technology sets up an India office. Again, this will essentially force all platforms to comply with the strict IT rules for news, streaming and social media companies with offices here—including the creation of a three-tier grievance system.

Three: A new media regulatory authority should be set up to regulate content on all platforms—be it online, print or otherwise. The new IT rules envisioned the creation of an industry-wide organisation headed “by a retired judge of the Supreme Court, a High Court or independent eminent person and have not more than six members.” The JPC report goes one step further.

What about protection from government snooping?

Ah, that’s where the phrase ‘data protection’ becomes meaningless—and it is the reason why a number of Opposition party members have submitted dissenting notes. Here are their main objections to the JPC recommendations.

One: All those protections to your right to privacy only apply to private companies. The government and its agencies are treated like “a separate privileged class.” Clause 35 gives the union government the power to exempt itself from any or all provisions of the law—in the name of “sovereignty and integrity of India, security of the state, friendly relations with foreign countries and public order.” Opposition members argue that the government should be required to get judicial or parliamentary approval for any such exemption granted to an agency—and submit in writing the reasons for seeking such an exemption.

Two: Congress leader Jairam Ramesh also pointed to section 12(a)(1) of the bill—which essentially takes away an individual’s right to consent when the state provides “any service or benefit” to the individual. Point to note: In India—where many are dependent on government benefits—most citizens would lose control over how the government uses their data.

Three: Companies will be required to tell you if they share your information with a third party—but not if that third party is the government, and such data is necessary to offer benefits, maintain law and order, or to comply with a court order.

Four: Also a problem: The Data Protection Authority (DPA)—which is the regulatory authority to monitor the implementation of the law. While it is supposed to be independent, Trinamool leaders point out that the government will pick its members and chairman—which will inevitably rob it of independence.  

Quote to note: Ramesh wrote in his dissenting note:

“The bill assumes that the constitutional right to privacy arises only where operations and activities of private companies are concerned. Governments and government agencies are treated as a separate privileged class whose operations and activities are always in the public interest and individual privacy considerations are secondary. The idea that the August 2017 Puttaswamy judgment of the Supreme Court is relevant only for a very, very, very tiny section of the Indian population is deeply flawed and troubling and is one that I totally reject.”

The bottomline: Given the BJP’s clear majority, it is unlikely that the Opposition will be able to block the bill in Parliament. The real challenges will be filed in the Supreme Court—which will decide whether the government has the power to arbitrarily take away a citizen’s fundamental right to privacy.

Reading list

Carnegie India and Internet Freedom Foundation offer the clearest explainers on the Personal Data Protection Bill—and their critique of its provisions. The Internet Freedom Foundation also explains why we need such laws. The Hindu lays out the key provisions of the JPC report. The Telegraph has the most on the dissent from opposition leaders. You can read the full text of the bill here.