Naavi.org

An interesting phase in the history of data protection law in India has started with the presentation of the new version of PDPB2021 by the JPC to the Speaker. It will become public once the bill is formally presented. Until then we need to work on the comments  appearing in the press.

Some of the reports appearing in the press are here

1.JPC retains exemption clasue, adopts personal data bill: thehindu.com

2.Data Protection Bill: Panel calls for strict rules for firms, leeways for Government

3. Explained: The Joint Parliamentary Committee’s suggestion on Data Protection Bill

The report suggests that one of the members namely Mr Manish Tiwari has dissented the bill in its entirety and said that it is “Ultra vires the fundamental right to privacy as laid down by the 9 judge bench of the Supreme Court of India in Puttaswamy (2017) judgement”.

The TMC members Derek O’Brien and Mahua Moitra  have said that the Bill does not provide adequate safeguards to protect the  right to privacy and gives an overboard exemption to the Government under Clause 35″.

Another Congress member Mr Gaurav Gogoi said that the bill pays little attention to “harms arising from surveillance”

According to one of the reports,

1. The proposed change  to delete the turn over based penalty structure appears to have been dropped.
2. The data breach notification  would be required both for Personal and Non Personal data within 72 hours
3. Companies need to ensure fairness of algorithm or method used for processing personal data
4. The DPO needs to be from senior management
5. Companies will need to mandatorily disclose to data principals if their information is passed to third party.
6. If the Government agency has to pass on the information for the purposes of state use, there is no need for mandatory disclosure
7. Government departments to carry out in-house inquiry to fix blame in case of breach instead of head of department being responsible
8. Government should quality penalties for companies violating provisions of law.
9. The law will be implemented in a phased manner over a period of 2 years.

It appears that the recommendation that Social media companies should mandatorily verify users to keep their status as intermediaries (Ed: i.e. to claim exemption from liability from Section 79 of ITA 2000), will be retained.

The JPC appears to have also indicated that copies of sensitive and critical personal data that has already been  with foreign entities and stored abroad has to be brought into India in a time bound manner.

The copy of the report and the dissent statements are already with select media houses. They are likely to be in public space after 29th November 2021 when the Bill will be formally tabled in the Parliament.

We look forward to the copy of the bill to understand the changes.

The big relief is that an important step towards the passing of the  Act has been taken. From the dissent  notes it is clear that once the bill is passed, there will be a challenge mounted in the Supreme Court and the battle will go on.

Naavi

Reference

Congress MP Jairam Ramesh submits dissent note-Indian Express

Congress MPs file Dissent notes over JPC Report-Wire.com

As per the reports in press, the JPC has finalized the next draft of the PDPB in a meeting today. The draft would be submitted to the speaker of Loksabha and would be presented to the Parliament during the next session.

It is also reported that Mr Jairam Ramesh of Congress has submitted a dissenting note basically on Section 35 which is about the powers of the Government to exempt some of the provisions of the Act to Government agencies.

The exact nature of changes that have been made would be available only after the draft becomes public. Until then there is no need to speculate.

However, it appears that the possibility of the bill being passed in the current session itself is very high.

Naavi

Day 1 : Bated Breath

Day 2: Zooming in

Day3:Winding Down

x

The biggest event on Data Protection in India namely the Indian Data Protection Summit 2021 (IDPS 2021) got off to a flying start on November 17, 2021, as a virtual conference. Six hours of deliberations occurred between 2.30 pm IST to 8.30 pm IST with 3 panel discussions and 2 keynote sessions during the day.

The proceedings started with an introduction from Dr S P Arya, the honorary President of the National Governance Council of FDPPI. he introduced FDPPI, and its objectives.

It was followed by a key note address from Naavi, the Chairman of FDPPI presented his views on the challenges to be negotiated by the Law makers in finalizing the PDPB 2019. He specifically discussed the expected changes reported to be under consideration of the new JPC to the current version of PDPB. The revised version is expected to be presented on November 18th 2021 to the JPC once again for discussion. In his address Naavi discussed the pros and cons of adding Non personal Data protection issues into the PDPB 2019, the different approach taken by DEPA in developing a Consent architecture, the demands of certain institutions from exemption, etc. He highlighted that the conference would discuss issues such as new compliance framework and need for Data Valuation methodology to be developed etc.

This session was followed by two Panel Discussions.  Panel 1 discussed the new career opportunities that are developing in the area of Data Protection such as the Data Protection Officers and the Data auditors.

Mr Manish Sehgal, partner of Deloitte lead the discussions and was supported by  Neena Pahuja, Tripti Kumar, Anupama Mohan and Sameer Mathur, all of them from the industry.

The second panel discussion  discussed the issues of Privacy in Big Data and Digital Marketing industries and was lead by Ms Annie Mathew and supported by Kamal Karnatak, Bhimesh Karadi and Mahesh Balakrishnan from different segments of the industry.

This session was followed by a Keynote from Justice B N Srikrishna, who lucidly traced the development  of  the  concept  of  privacy from ancient India  to  the  current  days. He also discussed  the  current  status  of  the  PDPB  and  how it  may  shape  up  in  the  days  to  come.

He highlighted the concepts of Data Fiduciary and Consent Manager adopted in the Indian PDPB and how it is different from the concepts of GDPR.

Following this session, FDPPI announced its annual award for “Data Protection Champion” . The award is conferred for the sustained commitment towards Privacy demonstrated by the professional as determined by a search committee of FDPPI. It has no financial incentive and is not based on nominations.

Mr Srinivas is a well known Privacy professional with over 11 years of experience in implementing various privacy initiatives in Infosys and has a rare commitment towards Privacy unmatched even by privacy activists.

After the award ceremony, the third panel of the day discussed the Past, Present and Future of Data Protection law in India.

The panel was lead by Ms Meenalall of the Tata Steel and was supported by Advocate                        M G Kodandaram, Wg Cdr S K Prakash of CISCO, Manoj Kern of Prudent Insurance brokers and advocate Dr Mahendra Limaye.

The group had an extensive  discussion  of the legal aspects of Information Technology Act, the PDPB as well as many  sectoral regulations.

We now look forward to an equally engaging second day on November 18th.

Naavi