The Joint Parliamentary Committee (JPC) report on the Personal Data Protection Bill, 2019 was tabled in both houses of Parliament on December 16, 2021. The latest version of the bill that’s appended to the report contains key provisions related to how companies functioning in India should store, process, collect, and analyse citizens’ personal as well as non-personal data. Social media platforms that deal with issues of free speech, enable communication between various people, store and process their data, and use algorithms to give them personalised content would thus be tremendously impacted by the bill.
After being tabled, the report raised concerns about privacy of users with its provision for user verification, intellectual property rights of platforms’ algorithms with its mandatory sharing clause, and more. MediaNama spoke to experts about how the bill could really impact these platforms, and separate the grain from the chaff.
JPC’s recommendations for mandatory verification of users
A recommendation in the report is to take action against platforms in case of unlawful content from unverified users. Further, platforms would have to mandatorily verify a user once an application for the same was submitted along with the necessary documents.
According to Priyadarshi Banerjee, a lawyer at Banerjee & Grewal, the clause falls in a grey area legally. “I think that clause is oppressive, a succinct legal point that arises from its attempted enforcement is that whether their rights to anonymous communication is protected under 19 (1) A (which guarantees right to freedom of speech and expression),” he told MediaNama.
1. Legal challenges, Supreme Court will have to clarify stance: The Supreme Court would thus have to clarify whether anonymous speech is protected under Article 19, Banerjee said. This was something the court had otherwise skirted around clarifying in multiple cases, he said referring to a number of petitions filed before various High Courts asking for Aadhaar-Social media account linkages.
Further, to introduce a provision like this, the State would have to pass two buckets of tests – one is reasonable restriction while the other would be the tests of sovereignty and integrity of India, the security of the State, public order, etc. as laid down under Article 19. A clause for mandatory verification would not pass these tests, according to Banerjee.
2. Strikes at the heart of how platforms work: Anonymity is a very important part of how social media platforms work for which there were special protection applicable on them, Rahul Narayan, advocate-on-record at the Supreme Court said. Instead of mandating a blanket verification of all users, he suggested that platforms could use verification to ascertain if a user was an adult after which their identity information could be deleted, or if law enforcement agencies send a request related to their investigation of an account which posts unlawful content such as spreading religious hatred, etc.
IPR-algorithm connotations from mandatory sharing provisions
The bill includes a clause mandating sharing of non-personal data by a company in response to a government request.
“The Central Government may, in consultation with the Authority, direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence- based policies by the Central Government, in such manner as may be prescribed.” — JPC report on the DPB
According to Narayan, powers of the government to take control of such information are well established.
“But the simple fact is that at some level, when your proprietary information contains something of great national interest, then you will have to be – like a compulsory license thing for medicines. If somebody finds a medicine for tuberculosis, which is like very cheap or something, or somebody decides to find a formula to convert water into petrol, then naturally, I mean, you can’t expect to make the hundreds of billions of it, the government will step in” he said, illustrating the point that the government’s could lay a claim on proprietary information.
Need for compulsory licensing: This could have an impact on the intellectual property-related rights of platforms and inventors, according to Narayan. He suggested that a system of compulsory licensing, which calculates compensation for such information in a fair manner, could solve the problem.
Impact of data localisation on platforms’ operations
The bill lays down significant obligations for data localisation on companies collecting, processing, or storing data of Indian citizens. Under this, fiduciaries have to store sensitive and critical personal data of citizens only in India, transfer it only upon the government’s approval, keep a mirror copy of sensitive and critical personal data which is already in possession of the foreign entities, and so on.
1. No argument against information requests: Platforms could no longer argue that certain data is not stored in their jurisdiction when arguing against compliance with court orders as the data would have to be stored in India, Narayan said.
2. Revision of company policies and business: Companies operating in multiple countries have to revise their policies and business to see how they could stay in compliance with local laws while being able to deliver their services, Narayan said. Thus, according to him, the place where data is collected and stored is of an enormous amount of significance for all the companies.
Would platforms have to ensure the quality of third-party data as well?
Under the Data Protection Bill 2021, data fiduciaries or entities that store data have to ensure the quality and accuracy of the data that they handle.
Provisions problematic, will need to see how it plays out in court: This requirement could extend to a social media platform even in relation to content posted on it by a user and could be problematic as it would require harmonisation with existing laws, Banerjee said. However, he added, there would be more clarity on the provision once the law comes into force and it is known whether there is an executive intent to enforce the provision even with regard to third-party data, or is it only going to be restricted to data which is directly collected by intermediary platforms.
According to Banerjee if the clause extends to a platform’s handling of user-generated content it would have to deal with two types of data:
“One, with regard to the data that it is directly collecting from its users, which of course they will have details of the age, name, address, email address, IP address, a number of other details which may be there with an intermediary as a user uses their platform. And on the other hand, there may be a second source of data or something to the effect of, say, a newspaper article saying Priyadarshi Banerjee is a crook, that newspaper article has a hyperlink and that hyperlink is floating through the social media platform. This is the second category of data really to be dealt with.”
Obligations on platforms dealing with children’s data
The bill also lays down provisions which could require fiduciaries to verify the age of their users or age-gate their services. As per the bill’s provisions, fiduciaries have to process the data of children (and protect their rights) only after getting consent from their parents or guardians and verifying their age in line with regulations that are to be formulated by the government at a later stage.
1. Much of it depends on regulations: While the provision could levy a significant regulatory burden on such platforms, there would be more clarity on the provision once the Data Protection Authority is set up and courts also begin interpreting the Act, according to Narayan. Banerjee concurred and said that there would be more clarity on how the provision would apply once regulations were made by the government on how to verify the age of the children, get their parents’ consent, and so on.
2. Interpretation of ‘children’s rights’ in court will be interesting: The interpretation of ‘ protecting the rights of children’ in the latest iteration of the bill would be interesting to see interpreted in court, according to Narayan. The previous version of the bill used ‘best interests’ which was less ambiguous, he opined.
“I think that to one extent it seems like a good thing because the rights are more important than kind of best interest which somebody else has to evaluate. But the best interest language also is typically the language in international human rights law as well as Indian law for the protection of children. The courts look at their best interests, for example, the custody battle between parents or whatever. So there is some level of it will be interesting to see how that plays out,” Narayan said.
Definition for social media platforms in the new bill
Under the new bill, social media intermediaries have been renamed to social media platforms which are defined as:
“A platform which primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services.” — JPC report on the DPB, 2021
The earlier draft had referred to them as ‘Social Media Intermediaries’, in line with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 but the JPC said that this term was not very appropriate in its report.
“The Committee feel(s) that presently most of the social media intermediaries are actually working as internet based intermediaries as well as platforms where people communicate through various socializing applications and websites.” – JPC report on the DPB, 2021
Courts would have to harmonise the two definitions: While it initially strikes as an attempt to create a new nomenclature of social media, in practice, it could translate into having to undertake a harmonisation exercise between the two definitions, according to Banerjee. “I can’t tell you how it will be harmonised in a vacuum right now. It will depend on the facts of the case which provisions are called into play,” he said.
Ability to challenge law enforcements’ requests for information retained
Under the Information Technology (IT) Rules passed in February 2021, social media platforms have to comply with requests from law enforcement agencies for information in connection to any investigation undertaken by them. The Data Protection Bill 2021 similarly carves out provisions for the government to access data through Sections 35 and Section 12 which are on:
- Section 35: Allowing the government to exempt an agency from all or any provisions of the bill
- Section 12: Allowing the government to carry out non-consensual collection and processing of data for a State function, for an emergency, or in compliance with an order by a court, tribunal, quasi-judicial authority, etc.
1. One more clause to pass and challenge requests: According to Banerjee, this is yet another clause under which law enforcement agencies can send such a request and platforms can, in turn, challenge them.
“Previously it was under CrPc (Code of Criminal Procedure) , then it became CrPC and IT Act or IT Rules, and now it will become CrPC, IT Rules and the DPA (Data Protection Act),” he said.
Section 12 is not a clause that is for an independent source of power under it, agencies can only access data non-consensually when it is for a function backed by law, Banerjee revealed. He also said that Section 35 would not apply to social media companies’ disclosure of information.
2. Puttaswamy test to apply: Government agencies’ requests to access information would continue to be governed by the tests of legality, necessity, and proportionality as laid down in the 2017 Puttaswamy judgement of the Supreme Court, Banerjee added.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
[gravityform id=”1″ title=”true” description=”true”]
- Deep Dive: How India’s Data Protection Bill will impact online advertising
- Data Protection Bill 2021: What are the obligations of data fiduciaries?
- A complete guide to the Data Protection Bill, 2021
- Data Protection Bill: Issues around cross-border data transfer approval, data localisation
Have something to add? Post your comment and gift someone a MediaNama subscription.