The report of the joint parliamentary committee studying the proposed data protection law was tabled in both houses of parliament on Thursday, after almost two years of deliberations, but continued to cause concern among civil society members and opposition leaders that the proposals will be inadequate in protecting individual privacy and give the state far-reaching powers.
The report carries several suggestions that in effect give the government a wider berth on obligations and private companies a stricter guardrail to follow, as reported by HT on November 23, while also suggesting new mechanisms to regulate social media companies.
Among some of the new proposals is a plan to “age-gate” content and access to digital services for children, requiring companies to appoint guardians of data and needing those that deal primarily with services for children to to register themselves with the government.
The report will likely be slotted for a discussion, following which the government will re-introduce the bill — the recommendations are not binding.
The JPC was set up in 2019 after parliamentarians were divided over several provisions of the personal data protection bill, which was meant to put a legal shape to the Right to Privacy that was made a fundamental right by the Supreme Court in 2017. The law will cover the rights people will have over their data and obligations for those that deal with such data, which will impact the industry at large.
Seven of the 30 members in the committee submitted dissent notes, saying the proposals give “unbridled power” to the government while creating a differentiating in the obligations of private and government entities.
According to an industry expert who asked not to be named, the recommendation around age-gating will only act as a deterrent. “Children use social media platforms for a lot of different, including to access educational material,” the person said. “This has been a concern that has been highlighted to the committee.”
Experts said the committee did not address the significant concerns that arose with the bill that was introduced in 2019.
“The committee has not done enough to tighten restrictions on the government. The committee has added “reasonable and necessary” to Clause 35, but it is no safeguard and can be easily circumvented. The committee should have recommended the deletion of this clause in entirety,” said Raman Jit Singh Chima, Asia-Pacific policy director at Access Now, a global tech policy think tank.
“The exemptions provided are exemplary as compared to data laws internationally. There seems to also be a degree to which industry lobbying has worked, they have diluted the penalty, which is remarkable since even the Competition Commission of India says a percentage of the global turnover has to be paid. Even the [European Union law] GDPR has such provisions,” he added.
Chima also said the panel’s proposal to treat social media companies as publishers and determine their liability “is a first for any data protection law”.