Riskpro - Important takeaways from the JPC report on the India PDP bill 2019


The report of the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019 (Chair: Mr. P. P. Chaudhary) was tabled in Parliament on December 16, 2021. The Bill was introduced in Lok Sabha on December 11, 2019. It provides for the protection of the personal data of individuals and establishes a Data Protection Authority (DPA).
The report contains two parts. Part-I consists of General descriptions and 12 recommendations on Data Protection and Privacy in connection with provisions made in the Bill. Part-II relates to the clause-by-clause examination of the Bill and contains 81 recommendations making modifications and more than 150 Drafting corrections and improvements in various Clauses of the Bill.
Key observations and recommendations of the Committee include:
Scope of the Bill:
  • The scope of the law is recommended to broaden to include personal as well as non-personal data both. A single DPA is recommended to be empowered to regulate personal and nonpersonal data.
  • The Committee observed that to define and restrict the legislation only to personal data protection is detrimental to privacy. The Committee stated that it is impossible to clearly distinguish between personal data and non-personal data, as data is collected or transported in a massive volume. Hence the Committee opined that the Bill should provide protection to all types of data personal as well as non-personal data.
  • The committee also recommended a single administration and regulatory body (Data Protection Authority) to avert contradiction, confusion, and mismanagement. The DPA should be empowered to regulate personal and nonpersonal data.
  • The Committee further suggested that once the provisions to regulate non-personal data are finalized, there may be a separate regulation on non-personal data in the Data Protection Act.
Title of the Bill:
  • The short title of the Bill is recommended to be changed to the ‘Data Protection Bill, 2021’ and the Act to be called as “Data Protection Act, 2021”.
Implementation of Data Protection Act
  • The Committee recommended a period of 24 months to be provided for implementation of the provisions of the Act from the date of notification to the organizations.
  • The Committee suggested that the phased implementation of the provisions of the Act be undertaken. As per Committee recommendations –
  1. Chairperson and Members of DPA to be appointed within 3 months from the date of notification of the Act
  2. The DPA to commence its activities within six months from the date of notification of the Act
  3. The registration of data fiduciaries to start not later than 9 months from the date of notification of the Act
  4. Adjudicators and appellate tribunal to commence their work not later than twelve months from the date of notification of the Act
Guiding Principles to handle Data Breach
The Committee recommendations include:
  1. The data breach now includes a breach of personal and non-personal data.
  2. The data fiduciaries should maintain a log of all data breaches (both personal and non-personal data breaches).
  3. The DPA may review the log of all data breaches periodically.
  4. The DPA to ensure that the privacy of the data principals is protected when posting the details of the personal data breach.
  5. The data fiduciary should be held responsible for the harm suffered by a data principal on account of delay in reporting of any personal data breach
  6. The data fiduciary should report the data breach within 72 hours of becoming aware of the breach.
  7. The DPA after taking into account the personal data breach and the severity of harm that may be caused to the data principal should direct the data fiduciary to report the data principal about the data breach and to take appropriate remedial measures.
Processing of personal data when the child attains the age of majority (i.e. 18 Years)
  • The Committee has desired that the following provisions may be incorporated in the rules:-
  1. Data fiduciaries dealing exclusively with children’s data are required to register themselves, with the DPA.
  2. The data fiduciary should inform the child for providing consent again on the date of attaining the age of majority, three months before the child attains the age of majority (i.e. 18 years).
  3. The data fiduciary to ensure that whatever services the child was getting to continue unless and until the child is either opting out of the services or giving fresh consent.
Social Media Platforms to be treated as Publishers
  • No social media platform to be allowed to operate in India unless the parent company handling the technology sets up an office in India.
  • The Committee recommends that:
  1. All social media platforms, which do not act as intermediaries, should be treated as publishers and be held accountable for the content they host.
  2. A mechanism to be devised in which social media platforms, which do not act as intermediaries, will be held responsible for the content from unverified accounts on their platforms.
  3. Once an application for verification is submitted with necessary documents, the social media intermediaries must mandatorily verify the account.
  4. A statutory media regulatory authority may be set up for the regulation of the contents on all such media platforms irrespective of the platform where their content is published, whether online, print or otherwise
Indigenous Alternative Financial System to be developed in India
  • The Committee is of the view that an alternative to the SWIFT payment system should be developed in India to ensure privacy, as well as boost the domestic economy
A Mechanism for certification of all Digital & IoT devices
  • The Committee has desired to enable the DPA for framing the regulations to regulate hardware manufacturers and related entities that collect data through the devices.
  • The Committee has recommended:
  1. To establish a mechanism for the formal certification process for all digital and IoT devices to ensure the integrity of all such devices with respect to data security.
  2. Emerging technologies, that have the potential to train AI systems through the use of personal data of individuals, should be certified in a manner that ensures their compliance with the provisions of the Act
Localization of Sensitive & Critical Data
  • Central Government to ensure that a mirror copy of the sensitive and critical personal data which is already in possession of the foreign entities be mandatorily brought to India in a time-bound manner.
  • The Committee has specifically recommended that the Central Government, in consultation with all the sectoral regulators, must prepare and pronounce an extensive policy on data localization
Processing the data by the employer
  • The Committee recommended that the processing of the data by an employer can be done if such processing is necessary or can reasonably be expected by the data principal (employee).
Removal of Guardian Data Fiduciary Class
  • In Committee’s view, the mention of guardian fiduciary will be altogether a new class of data fiduciary and there will be no advantage in creating such a separate class of data fiduciary considering the right to consent is exercised by the guardian on behalf of the child. Hence, the creation of a separate class of guardian data fiduciary on behalf of a child was removed.
Qualification of Data Protection Officer
  • A significant data fiduciary should appoint a Data Protection Officer, holding a key position in the management of the Company or other entities, and must have adequate technical knowledge in the field of Data Privacy.
  • The Committee has explained the expression key managerial professionals as – the Chief Executive Officer or the Managing Director or the Manager; the Company Secretary; the whole-time Director; the Chief Financial Officer; or such other person.
Cross Border of Transfer Data
  • The DPA should approve a contract or intragroup scheme which allows the cross-border transfer of data, in consultation with the Central Government. Such contract or intra-group scheme may not be approved if the transfer of data is against public policy.
Need of Statutory Body for media regulation pleaded
  • The Committee has recommended the establishment of a statutory body for media regulation. The Committee has suggested empowering any statutory media regulator that the Government may create in the future and until such time the Government may also issue rules in this regard.
Definition of ‘Harm’
  • Harm has been defined in Bill. It includes: (i) bodily or mental injury, (ii) financial loss, (iii) denial of service/benefit, (iv) identity theft, (v) discrimination, and (vi) unreasonable surveillance
  • The Committee recommended that the definition of harm should be expanded to include ‘psychological manipulation which impairs the autonomy of the individual, and the government may prescribe other harms.
Exemption to State Agencies
  • The Bill empowers the central government to exempt the processing of personal data by a government agency from the application of any or all provisions of the Bill. The exemption order must prescribe procedures, safeguards, and oversight mechanisms to be followed by the agency.
  • The Committee recommended that the Bill should specify that the procedure to be followed should be ‘fair, just, reasonable, and proportionate.
Data Portability
  • Under the Bill, a data principal’s right to data portability will not be enforceable where such compliance would: (i) reveal a trade secret of the data fiduciary, or (ii) not be technically feasible.
  • The Committee recommended that the reveal of trade secrets should not be a ground for denial, as the data fiduciaries may conceal their actions by denying data portability on these two grounds. Any denial on the ground of technical non-feasibility should be determined as per prescribed regulations.
Right to be forgotten
  • The Committee observed that even after exercising of the right to be forgotten by a data principal, a data fiduciary may continue to process personal data of that data principal. Hence, the Committee recommended that this right should also allow restriction on any processing. The Committee further recommended that this right should not override the right of the data fiduciary to retain, use, and process the data.
DISCLAIMER: This newsletter is being furnished to you for your information. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. . Riskpro makes every effort to use reliable and comprehensive information, however, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate thereafter.
Riskpro India Ventures Private Limited (“Riskpro India”) is a specialized Risk Management consulting company in India. It is managed by experienced professionals with experiences across various industries. Hence since 2011, Riskpro has been actively involved in providing effective risk management services. We are a growing organization with well qualified professionals and a pool of talented resources.
With office and clients in Mumbai and people and clients in Delhi, Bangalore, Chennai, Pune, Hyderabad and Kolkata, we are one of the fastest growing risk consulting firms in India. We also have client presence in UAE/ USA/ Singapore/ Australia/ UK/ Europe etc. We are since  11+ years in business, serviced 600+ clients in 7 cities, with 45 cities associate representation, 75 team members and with 10 Strategic partners.
Riskpro Service Offerings 
Riskpro can help identify and quantify risks and provide solutions to manage them. Riskpro will assist you accomplish your objectives by employing best practices in the Risk Management arena. We create and implement customized solutions that make clients happier, not dissatisfied. Our solutions extend beyond traditional risk management offerings and are categorized in four groups: Advisory & Assurance, Technology, GRC Trainings and Risk Resources.
For more details, please visit www.riskpro.in or email info@riskpro.in