Children’s privacy rights and how anonymisation can preserve privacy rights reigned supreme during the sixth sitting of the Joint Parliamentary Committee on the Personal Data Protection Bill held on Monday afternoon, sources have told MediaNama. The committee, where members heard representations from L&L Law Firm (erstwhile Luthra and Luthra Law) and Foundation of Data Protection Professionals in India (FDPPI) in a two-and-a-half hour meeting, will next convene on August 11 at noon.
Need for graded age of consent: L&L Law Firm proposed that a rigid age of consent for children was not a fruitful way of processing children’s consent in the digital age. They instead proposed creating a graded approach to children’s age of consent depending on the services in questions, three sources told us. The members discussed this issue at length. While L&L highlighted the problems with current methods of age verification online, they did not propose any specific age verification mechanisms. Currently, the Bill defines a child as someone under 18 years of age; all children’s consent is mediated through their parent’s.
How anonymisation works: FDPPI spent much of their 90 minutes discussing what anonymisation means, how it works, and potential privacy harms associated with it, five sources told us. Members of the committee asked questions about whether anonymisation was enough to protect people’s privacy, and if de-anonymisation posed a significant risk to users, two sources told us. FDPPI had proposed that the same data fiduciary that anonymises data should not be penalised for de-anonymising such data, three sources told us. According to the Bill, only re-identification of de-identified data (Section 82) is considered an offence. Re-identification of data as an offence was briefly mentioned but not discussed at length.
Despite extensive discussion of anonymisation and anonymised data, the Committee of Experts’ report on governance of non-personal data was only name-checked in that it exists, two sources told us. It was not discussed since members agreed that non-personal data did not fall within the mandate of the Personal Data Protection Bill.
Three sources also confirmed to MediaNama that the FDPPI expressed its support for exemptions granted to government agencies from the provisions of the Bill under Section 35, but the Committee paid no heed to it.
When is the next meeting?
The Committee was also scheduled to hear oral evidence from ASSOCHAM and Dr A.P.J. Abdul Kalam Centre as well, but due to paucity of time, their depositions will be heard on Tuesday (August 11). Facebook was initially scheduled to depose before the JPC but the schedule was revised to replace it with FDPPI instead. It is understood that this change was made because the Facebook representatives who were meant to depose could not reach India due to COVID-19 related restrictions. It is currently not known if Facebook will be called to depose on another day.
It is not clear how some of the members will manage to attend the meeting, since three JPC members — Tejasvi Surya, Mahua Moitra and Rajyavardhan Singh Rathore — are also members of the Standing Committee on Information Technology, headed by Dr Shashi Tharoor, which is scheduled to meet at 11 am on Tuesday.
Monday’s meeting saw participation from Lok Sabha MPs including Manish Tewari, Gaurav Gogoi, Ritesh Pandey, Tejaswi Surya, Kanimozhi Karunanidhi, Uday Pratap Singh and P.P. Chaudhary, and Rajya Sabha MPs including Jairam Ramesh and Rajeev Chandrashekhar.
***Update (August 15, 2020 1:22 pm): Updated with detail about reason for Facebook’s lack of deposition. Originally published on August 10, 2020 at 11:12 pm.