India: Joint Parliamentary Committee tables report on personal data protection bill in Parliament
Lok Sabha, the lower House of Parliament, published, on 16 December 2021, the revised list of business for the same date, in which it confirmed that Shri P.P. Chaudhary and Shri Manish Tewari had presented the Joint Parliamentary Committee ('JPC') report on the Personal Data Protection Bill, 2019 ('the Bill'). Separately, Rajya Sabha, the upper House of Parliament, also published, on the same date, its revised list of business, confirming that Shri Jairam Ramesh and Dr. Vinay P. Sahasrabuddhe had also tabled the report. In particular, the report had been adopted by the JPC in November 2021, but its presentation in Parliament had been delayed at the beginning of December 2021.
In this regard, Part 1 of the report summarises the data protection landscape in India and highlights factors that necessitate regulation in the field. Part 1.15, in particular, provides an overview of the Bill itself, as well as key recommendations from the JPC including, but not limited to, the following:
- that the Bill should be renamed to 'the Data Protection Act, 2021';
- that the Bill should have overriding effect, applying irrespective of any other law governing the contractual relations between a data fiduciary and a data principal;
- that the Bill should not be limited to personal data and should govern non-personal data;
- that organisations should be provided with a 24-month transitional period for implementing the requirements of the Bill;
- that the obligations regarding data breach notification should be enhanced;
- that the rules concerning the processing of children's data should be amended to, among other things, clarify age thresholds and the requirement of data fiduciaries that process such data to register with the Data Protection Authority;
- that a mechanism for regulating social media platforms and intermediaries should be devised; and
- that the Government should maintain strong enforcement of data localisation requirements and prepare an extensive policy on the same together with sector-specific regulators.
Finally, Part 2 of the report provides a clause-by-clause examination of the Bill with additional recommendations and amendments to the Bill, while the Annexure of the report sets out a consolidated and revised version of the Bill as reported by the JPC.
UPDATE (21 December 2021)
DSCI publishes summary of JPC's report on personal data protection bill
The Data Security Council of India ('DSCI') published, on 20 December 2021, its summary and primer on the JPC's report and the newly proposed Data Protection Bill, 2021. In particular, the DSCI noted that the report highlights India's digital priorities and the need to balance the need for data-driven innovation while catering to national security demands. Furthermore, the DSCI stated the report defines various data assets and illustrates how they may be poised as instruments of economic advancement, while also acknowledging that data protection is a universal concern and that meaningful legislation is imperative for India to function in the global market. As such, the DSCI highlighted that the JPC recognises the importance of cross-border compatibility in data protection legislation, particularly through the lens of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Finally, the DSCI provided a summary of the key recommendations put forward by the JPC.
You can read the summary here.