India’s Joint Parliamentary Committee Thursday published its report on the 2019 Personal Data Protection (PDP) Bill in both houses of Parliament. The report is a clause-by-clause examination of the proposed law with more than 80 recommendations and 150 drafting changes to allow Members of Parliament to debate and vote on the country’s first data protection law.
The report recommends changing the scope of the bill to include non-personal data, after noting that it is impossible to clearly demarcate between personal and non-personal data. Several portions of the bill already deal with various kinds of data requiring different levels of security. The subset of non-personal data will also include anonymised personal data.
Another key recommendation is an amendment to consent requirements under Clause 11(4), stating that data users cannot deny goods or services based on the data provider’s refusal to consent for processing any personal data not necessary for such purpose.
The Committee has retained the controversial powers of exemption granted to the Central Government under Clause 35. This exception allows the government to exempt any of its agencies from data protection regulations. The Committee attempted to temper the provision through a clause requiring the Central Government or its agency to follow “just, fair, reasonable and proportionate procedure,” taking inspiration from the right to privacy exceptions laid down in Puttaswamy v Union of India (2017). Committee members unsatisfied with this approach, including senior parliamentarians Jairam Ramesh, Derek O’Brien and Manish Tewari, have filed dissent notes with the presiding officers of both houses.
Industry bodies are also concerned that a higher level of compliance mandating data localisation, certification of digital and IoT devices, accountability of social media platforms etc. will dampen the country’s startup and innovation culture.