Update: India’s incoming data laws need our urgent attention

Tl;dr

The report of the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019 is to be submitted next week. Here, we look at the possible ways forward for the Bill, highlight some of the issues that may emerge, and provide recommendations for addressing them.

Background

Last year, several media reports indicated that the Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill, 2019 would submit its report to the Parliament during the Budget session. However, as we know, that did not happen. In fact, on March 25, 2021 a motion was moved to extend the time for the presentation of the report and was adopted the very same day. Thus, the report of the Committee is now scheduled to be presented in the first week of the upcoming Monsoon Session i.e. the week starting 19th July. The speaker of the Lok Sabha has also explicitly stated that no further extension will be granted to the committee.

In recent time, we have written extensively on the Personal Data Protection Bill, 2019 through:

  • Our #StartFromScratch series, which was a short introduction to the Bill which included some historical and legislative context, a summary of the Bill, an overview of the issues with the Bill, and possible alternative paradigms for data protection.
  • Next, through our #DataProtectionTop10 series, wherein we analysed the top 10 issues with the Bill in detail.
  • Currently, through our #PrivacyOfThePeople series which is looking at how the Bill will impact our daily lives by focusing on its impact on different sections of society

However, now that Session is almost here, we thought it would be helpful to look at the potential ways forward for the JPC, and indeed answer the question: what will happen to the Personal Data Protection Bill, 2019 now?

The Report of the Committee

Once the Committee submits its report under Rule 77 of the Rules of Procedure and Conduct of Business in Lok Sabha (‘Lok Sabha Rules’), there are several options available for moving forward:

  1. The Bill along with the  modifications proposed by the JPC can be taken up for consideration.
  2. The Bill can once again be given back to the JPC (this could be the same committee or even a newly constituted committee).
  3. The Bill can be circulated amongst the members of the Lok Sabha to elicit further opinion thereon.

If option 1 is chosen i.e. if the modified Bill is taken up for consideration, then Members of Parliament retain the option of moving a motion asking for the Bill to be sent back to the JPC or that it be circulated among MPs for deliberation.

In the case of the Personal Data Protection Bill, 2019, it is likely that option 1 will be taken, as discussions on the Bill have been going on since 2018 and MPs will be hesitant to send the Bill back to the JPC again. Thus, it would seem that everything is now done and dusted: the report will be tabled, the Government will introduce a new version of the Bill, and, given the numbers, the Bill will most probably pass.

Potential Issues

However, the picture isn’t over yet. For starters, Rule 331D of the Lok Sabha Rules clearly states that a Minister cannot be appointed as a member of the Committee. Now, during the recent cabinet reshuffle, 5 members of the Committee - Meenakshi Lekhi, Ajay Bhatt, Rajeev Chandrasekhar, Bhupender Yadav, and Ashwini Vaishnaw - were appointed as Ministers. This means that, immediately, there are now 5 vacancies in the JPC. In fact, MP Meenakshi Lekhi was the chairperson of the JPC, so as of now the JPC is also sans chairperson!

Another is that, as multiple sources have suggested, the report may substantially expand the scope of the Bill to include non-personal data. Currently, clause 91 of the Personal Data Protection Bill, 2019 allows the government to frame policies for regulating non-personal data. The Committee of Experts on Non-Personal Data Governance Framework had released the second draft of its report for the proposed governance framework on December 16th, 2020. However, the framework proposed by the committee may be unconstitutional. Four major concerns emerge form the framework:

  • Overbroad definitions: The report provides an extremely broad definition of non-personal data by defining it in opposition to personal data as defined in the Personal Data Protection Bill, 2019. Issues arise in the context of both implementation and jurisprudence when trying to ascertain whether a given piece of data is ‘personal’ or ‘non-personal’. The proposed relationship between the Bill and the framework may also not adequately address concerns about privacy and data security.
  • Risk of de-anonymisation: As the report itself has noted, the threat of de-anonymization is a grave one against which adequate barriers must be maintained. Given that a large portion of non-personal data will consist of anonymised personal data, it is vital that such issues be dealt with. The relative ease of de-anonymization has already been highlighted in various contexts (see here and here), while the situation in India is worsened by the lack of adequate data protection legislation.
  • Over-extraction of data and a race to the bottom: The proposed version of the governance framework may enable data maximisation, wherein there is overreach in data collection by various entities. Besides the natural issues related to consent, the economic rationale given to bolster the claim that a profusion of data generation and conclusion may not hold up, and may instead lead to the exploitation of citizens. Any engagement with data monopolies and market failure in the realm of data has been cursory at best and here domains of competition law remain underutilized in India.

Should such provisions for regulating non-personal data be included within the Bill, then these would constitute a significant change in the ambit of the Bill, and so, under the pre legislative consultation policy, require a further round of consultation.

Lastly, in a democratic country, the government must be held accountable. Currently, it is possible that the Government accepts the report of the Committee and then proceeds to wholly disregard its suggestions. This may not be in accordance with a democratic ethos, and so it is imperative that when the government finally presents the modified Bill, it also provides its rationale for either accepting or rejecting each of the recommendations of the JPC.

Suggestions

In light of these issues, we have the following suggestions;

  1. Fill vacancies: It is within the power of the Speaker of the Lok Sabha to appoint a chairperson, given the urgency of the matter. This must happen immediately, so that the process is not held up due to administrative difficulties.
  2. Fresh round of consultation if substantial changes are present: The non-personal data governance framework proposed by the government has several issues. If such a framework is to be enshrined through the Personal Data Protection Bill, 2019, this is a grave worry, and so conducting new consultations would be essential.
  3. Provide rationale for decision: A democratic government must be accountable for its actions, and so it is of paramount importance that, before presenting the final version of the Bill, the government provides its reasons for accepting or rejecting each suggestion of the JPC.

Important Documents

  1. The Personal Data Protection Bill, 2019 as introduced by the Minister for Electronics and Information Technology, Mr. Ravi Shankar Prasad (link)
  2. IFF's Public Brief and Analysis of the Personal Data Protection Bill, 2019 (link)
  3. Rules of Procedure and Conduct of Business in Lok Sabha (link)