The more lenient penalty provisions in the current draft were a result of lobbying by Big Tech, Lok Sabha MP Manish Tewari suggested in his dissent note carried in the Joint Parliamentary Committee’s report on the PDP Bill, 2019. Big Tech companies such as Facebook, Twitter, and Amazon had appeared before the committee for depositions, according to the report.
Last-minute dilution (of penalties)..are strongly suggestive of last-minute panic lobbying by Big Tech Companies for these provisions that were part of the Original PDP Bill referred to committee by the House. They remained unamended from the date of commencement of the deliberations to the tabling of the penultimate & final draft of the bill. No reasonable or rational justification has been provided for this change — Manish Tewari
The JPC report along with the Data Protection Bill, 2021 was tabled in both houses of the Parliament on December 16, after two years of deliberations. The dissent notes from committee members give a view of what the current draft of the bill fails to take into account.
Amendments to penalties provision will make India a ‘laughing stock’
Tewari said that in the 2019 draft of the Bill, the penalty for a data fiduciary for (committing) a particular offense was either Rs 5 crore or 2% of the company’s total worldwide turnover of the preceding financial year (whichever was higher). “This has been now amended to read “as may be prescribed” in the final draft,” Tewari pointed out.
Similarly, on Clause 57(2), Tewari said that in the 2019 draft, the penalty was prescribed at Rs 15 crore or 4% of the company’s total worldwide turnover of the preceding financial year. This has also been amended to read as prescribed in the final draft, he added.
“These amendments will make India a laughing stock in the world and should not be a part of the proposed bill being sent up to the parliament. The original Section 57(1), (2) & (3) including all the definitions & provisos contained in it must be retained in their original form as proposed in the Bill referred by the House to the Joint Committee for Consideration.” — Manish Tewari
Jail for social media intermediaries who fail to verify identity of subscribers
In the current draft, Clause 28 refers to the maintenance of records, and subsection 3 says that social media platforms notified as significant data fiduciaries have to enable Indian users to voluntarily verify their accounts.
However, Tewari was not satisfied with the provision. This is what he recommended instead:
- Penalties and imprisonment: “Any Social Media Intermediary that fails to comply with the above mentioned stipulation (to voluntarily verify) would be liable for a fine that shall not be less than 3 percent and not exceed 5 percent of its total global turnover and shall be punishable with an imprisonment for a term not exceeding five years,” Tewari added.
- Users will have the right to file complaint under CrPC: Tewari recommended that users whose identity does not get verified can file a complaint under relevant provisions of the Code of Criminal Procedure against a social media intermediary.
“Every Social Media Intermediary will complete the process of identification mentioned above within 24 months of the first notification bringing this Law into force,” he recommended. (emphasis added)
- Mandatory visible mark of verification: Tewari recommended doing away with the caveat of providing a visible mark of verification “in such manner as may be prescribed” and replacing it with a more mandatory guideline of demonstrating the mark of verification “at every and all times”.
Draft legitimises ‘intrusive surveillance’ on an employee by an employer
Tewari pointed out that Clause 13(2) of the draft, which refers to processing personal data for purposes related to employment, was problematic and needs to be deleted.
Currently, the provision says that an employer can process any data other than sensitive personal data, where the consent of the data principal “would involve a disproportionate effort on the part of the data fiduciary due to the nature of processing…”
Why should an employer if he is a data fiduciary do something behind the back of a data principal? What does “involve a disproportionate effort on the part of the data fiduciary due to the nature of processing under this section” really mean? Does this not legitimize intrusive surveillance on an employee by an employer? — Manish Tewari
Definition of ‘personal data’ should expand on the term ‘inference’
In the current draft, the definition of personal data, which can be found in Clause 3(33), reads, “..data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.”
Recommendation: Tewari said that an explanation should be added defining the term inference. He said that it should state: “Inference means a conclusion reached on the basis of evidence or known facts and the logical reasoning that may flow from such evidence or fact.”
Tewari’s recommendations regarding children’s data and other provisions
- Children’s access should be defined according to their ages: Tewari said that the definition of a child should be different for accessing different categories of content or data. “For example, for children’s learning website, on-line school curriculum, children’s entertainment games websites, cartoons and news websites etc, that are certified as child friendly, no age stipulation should be necessary. For other content similarly the age stipulation should be defined by the DPA (Data Protection Authority) through regulations or directions,” he said.
- Non-personal data needs to be defined precisely: Tewari said that non-personal data needed to be defined precisely in the act. He said that current definition was open ended and it “leaves the entire field open to myriad interpretations of what constitutes Non-Personal Data.”
- Definition of ‘harm’ should reflect exemptions to government: ‘Harm’ in the draft refers to the harm caused by “restriction placed or suffered directly or indirectly on speech, movement or any other restriction” arising out of surveillance. Tewari said that the particular definition which is contained in Clause 3 (23) (IX) should be amended to reflect that surveillance by law enforcement agencies subjected to permissions would not be constituted as harm. Tewari also wanted an amendment to be made to Clause 3 (23) (X) which reads, “Any observation or surveillance that is not reasonably expected by data principal.” “The term “reasonably expected” in clause 23(X) is onerous. It will lend itself to serious transgressions into privacy of individuals. It therefore needs to be narrowly defined or deleted,” he said.
- Requirement of notice by data fiduciary to data principal for processing data is not implementation friendly: The provision for requirement of notice for collection or processing of personal data which can be found in Clause 7 (1) says that a data fiduciary has to give a notice to a data principal. It also defines the specifics which the notice has to contain. Tewari recommended easing that provision which would enable the data fiduciary to include an intimation regarding where to find the various parameters or specifics, rather than include all of it in the notice. He said, the notice will contain “intimation that the information with regard to the parameters mentioned below are available on their website and can be accessed at the given Uniform Resource Locator (URL)”.
- Ease provisions on quality of personal data processed: Tewari proposed easing the contents of the provision which governs the quality of personal data processed. The draft currently states that the data fiduciary will have to take steps to ensure that personal data is complete, accurate, not misleading, and updated. Tewari recommended that the words “as far as practicable” be added to the clause.
- Consent notice must be easily communicated: Currently, Clause 13(3)(a) of the draft refers to how the consent necessary for processing personal data should be conveyed. It says that sensitive personal data should be obtained after informing the person of the “purpose of, operation in, processing which is likely to cause significant harm to the data principal”. Tewari recommended that the consent must be conveyed in a language and form that is easily comprehensible.
- Why is valid reason necessary for withdrawing consent?: Currently, this particular clause says that if a data principal withdraws his or her consent from processing of personal data ‘without any valid reason’, he/she has to bear the consequences. Tewari said, “Clause 11(6) should be deleted as it puts an onerous burden on the Data Principal that is neither reasonable nor fair. It militates against the Doctrine of Fairness. Why should a valid reason even be necessary?”
- Personal data should not be processed for credit scoring: Tewari recommended that the provisions for processing personal data for credit scoring and for “prevention and detection of any unlawful activity including fraud” be deleted from the draft.
- Adjudicating Officer should not be responsible for granting Right to be Forgotten: Currently in the draft, a right to be forgotten application of a data principal can only be processed through the order of an adjudicating officer (Clause 20(2) and (3)). “The provision to Clause 20(2) should be deleted and Clause 20(3) should also be deleted for they circumscribe the application of the judicial mind by an adjudicating officer.”
- Reporting of data breach within 48 hours: Clause 25(5), which pertains to reporting of data breaches, mentions no time period for communicating the breach in the current draft. Tewari recommended that it be amended to include that the breach has to be reported to the Data Protection Authority and to the data principals impacted within 48 hours of a breach being discovered.
- Qualification of Data Protection Officer needs to be defined: Tewari said that similar to a Data Auditor whose qualifications were defined in the draft, the same needs to be done for Data Protection Officers.
- Add definition for Critical Personal Data: Tewari recommended that the definition of critical personal data be added to the definitions clause in Sec 3. The definition should be “Critical Personal Data means that data whose public revelation would cause irrevocable personal harm to the Data Principal. What is critical should be left to the discretion of the Data Principal to be indicated at the time of giving assent under Clause 11(1) and not to the government as provided for in Explanation to Clause 33(2).”
- There should be legal architecture protecting foreign data principals: Tewari criticised Clause 37 which grants powers to the Union government to exempt certain data processors. It exempts Indian companies who only process personal data of foreign citizens on the basis of a contract with a foreign data controller. Tewari said that the current provision would be incompatible with domestic legislations of many countries. “It will act as a disincentive for data to flow into India. It should be deleted. There must be a legal architecture protecting the data of Foreign Data Principals,” he added.
- Chairperson of a DPA should be retired judge of a High Court: He recommended that it be included in the draft that the chairperson of the DPA be a retired judge of the High Court. As of now, no such specifics have been mentioned in the draft. Tewari also proposed that the Vice President of the country, the Chief Justice of India and a nominee of the President of India be in the selection committee for the appointment of members of the DPA, and that the retirement age of DPA members be increased from 65 to 70.
What Tewari broadly had to say about the Bill
Inherent design flaw: Tewari said that the bill does not capture the essence of the Puttaswamy judgement. “My Fundamental Objection to this bill is that there is an inherent design flaw in its very construction. This bill has unfortunately been conceived by its ‘distinguished’ authors with a pre Re: Puttuswamy (9 Judge Privacy Judgement delivered by the Supreme Court in 2017) mindset…” he said.
The bill as it stands creates two parallel universes – one for the private sector where it would apply with full rigor and one for government where it is riddled with exemptions, carve outs & escape clauses — Manish Tewari
Bill is ultra vires to Fundamental Right to Privacy: Tewari said that since the bill sought to provide blanket exemptions, either in perpetuity or even for a limited period, to the government and its agencies, it was in his opinion ultra vires to the Fundamental Right to Privacy.
Bill will not stand the test of the law: “I do not think that this bill in its present form especially most of its exception and exemption clauses including various carve outs for Governments both centre and state that exempt these behemoths from the ambit of this legislation would therefore stand the test of ‘vires in a Constitutional Court of Law as and when it would be so tested,” the Lok Sabha MP added.
Exemptions to government should be subjected to due process
As privacy has been held to be a fundamental right in Re. Justice K.S. Puttuswami, it therefore is subject to the rigors of Article 21 of Constitution of India (CoI) also called the Due Process Clause — Manish Tewari
He recommended that an explanation be appended to Clause 35 which would say that a government agency will not be granted any time till it is judicially determined by the Appellate Tribunal as mentioned in Clause 68.
“Any person shall have the right to access the Appellate Tribunal by filing an appropriate application delineating the reasons why such an exemption should or should not be granted. The said exemption must be vide a reasoned order and duly notified so as to ensure that the remedy available under Clause 76 can be exercised by the concerned,” Tewari added.
Clause 35 allows any agency under the Centre exemption from all or any provisions of the law in the name of “sovereignty”, “friendly relations with foreign states” and “security of the state”.