JPC report on data protection bill has flaws and bad news for social media companies

text size:
a-
A+

an Preliminary reading of the report of the Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill, 2019 presented last week It shows That the industry will have to contend with a more fragmented and influential regulatory framework than proposed in the previous Data Protection Bill (PDP Bill). The report is an important step as India aims to have a dedicated data protection law, which has been around four years in the making.

For the Narendra Modi government, data security is a high priority area and report good Recommends that it bring back mirror copies of sensitive and important data from abroad. It also maintains the PDP Bill’s focus on data localization, and stresses the need for the government to formulate a comprehensive policy on the same.

The need to regulate and hold social media middlemen more accountable is another major theme in the report. It suggests treating such platforms as publishers of content and also recommends setting up of a statutory media regulatory authority on the lines of the Press Council of India (PCI). Media The recommendation was widely reported and upset many companies.

Thankfully, this did not translate into an amendment to the bill as the JPC rightly said that the current law is about regulation of personal data and not social media.

Read also: The report of the Parliamentary Committee on the PDP Bill is not sufficient. Social media responsibility needs to be improved

JPC’s recommendations for social media companies

However, there are enough reasons for companies to be vigilant. Currently, social media companies that primarily enable online interactions between users are regulated as “social media intermediaries” by information technology (Intermediary Guidelines and Digital Media Code of Conduct). rules 2021, which has been prepared under the Information Technology Act 2000. The use of the term “intermediary” is significant because, under the IT Act, such entities are not liable for user-generated content, provided they satisfy certain conditions under the law. The JPC report sought to replace the word “middlemen” with “platform” to indicate that such entities could be treated as publishers and be liable for the content they host. can. However, as we have told earlierSubstantial recommendations on the liability of social media platforms are out of place in data protection legislation, the primary objective of which is to protect the rights of individuals over their data. A more appropriate way of addressing concerns over the liability of social media companies might be to contribute to the ongoing discussions on reforming the IT Act. Further, if the report’s recommendation to treat social media companies as “platforms” instead of “intermediaries” is upheld, it could lead to conflict in the interpretation of their liability under the IT Act.

The amended bill gives more power to the central government to take important decisions on several aspects. For example, one of its provisions gives broad powers to the Center to exempt any of its agencies from the application of the Bill on grounds such as the sovereignty and integrity of India, the security of the state, public order, and others. Congress leaders Jairam Ramesh and Manish Tewari, who were members of the JPC, expressed his dissent against this clause. The bill also gives the central government considerable power over cross-border transfer of certain categories of personal data.

Read also: Non-personal data, social media – what the new ‘data protection bill’ could look like

Protectionist Lens of the Amended Bill

The amended bill also has a protectionist approach at some places, which is evident from the provisions relating to cross-border transfers. The Bill requires the Data Protection Authority (DPA) to consult the central government before approving any such transfer, which was not the case under the PDP Bill 2019. DPA will now be bound In the exercise of its functions by direction of the Central Government in all matters and not only on questions of policy. Such provisions can have a significant executive effect on business decisions and increase friction in the data flow due to uncertainty. In some places, the JPC has attempted to address concerns of excessive executive power. For example, it has recommended the appointment of independent members such as domain experts and directors from the Indian Institute of Technology and the Indian Institute of Management for the selection committee of DPAs. While this is an improvement from the PDP Bill 2019, which requires only bureaucrats to be on the committee, even these independent members will be nominated by the central government.

Implementation of the Bill could affect commercial operations as it creates tension between secrecy and competition. The data portability clause allows consumers to port predictable data from one online service provider to another. These findings are very important to businesses and can include companies’ analysis of people’s behavior, interests, or characteristics. The bill also raises concerns of intellectual property (IP) rights, as it bars companies from objecting to such transfers by claiming protection of trade secrets. On the other hand, the Personal Data Protection Act of Singapore Not included Personal data received by an organization. The Company has the option not to transmit Personal Data if it discloses confidential commercial information that could harm the competitive position of the Organization. Even the EU data protection law, GDPR, leaves out Contains estimated data and only data that is provided by consumers. Other types of business complications may arise as the Bill also calls for algorithmic transparency in some cases. This can promote trustworthiness but will be a difficult provision to navigate because algorithmic transparency can interfere with IP rights.

Read also: How the Personal Data Protection Bill treats children’s data privacy and age of consent

Other reasons for concern

Other areas of the Bill also cause concern, as they deviate from international practices and have significant implications for service providers and users alike. One of them relates to the processing of personal data of children. Many countries have adopted a graded approach Recognizing Different maturity levels in children. The United States only requires parental consent under the age of 13, while the European Union suggests an age range of 13-16 years. In contrast, the amended Bill retains the approach adopted under the PDP Bill 2019 and requires parental consent for anyone below the age of 18. Several stakeholders have argued for the need for a more nuanced approach to the age of consent. JPC’s approach could pose significant impediments to the development of innovative online services.

The second issue pertains to non-personal data under the Data Protection Bill. The JPC has recommended regulating both personal and non-personal data under one law to protect privacy, streamline regulation and ensure simplicity. No other data protection law in the world regulates these two types of data under the same framework. In addition, any framework on non-personal data must address aspects such as the interplay between personal and non-personal data, the risks associated with non-personal data, and clarifying obligations to businesses. However, the JPC report did not elaborate much.

The JPC report comes at a time when India is considering a new governance framework for the flow of information on social media. The digital landscape is full of tension and companies are waiting for regulatory clarity to structure their businesses. In this volatile situation, the JPC report only creates more confusion rather than clarity.

The author works at Con Advisory Group, a technology policy consulting firm. Thoughts are personal.

This article is part of ThePrint-Coan advisory series that analyzes emerging policies, laws and regulations in India’s technology sector. read all articles Here,

(Edited by Srinjoy Dey)

subscribe our channel youtube And Wire