The following are the highlights of the recommendations of the Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill. These highlights are presented without any comment or views.
The JPC, headed by Shri P.P. Chaudhary, MP, presented its recommendations on the Personal Data Protection Bill, 2019 to the Parliament on 16 December 2021.
The Report has two parts.
Part-I contains general descriptions consisting of 12 recommendations.
Part-II contains 81 clause-by-clause recommendations and 150 drafting corrections or improvements.
The Objects and Reasons of the Bill were approved without any change.
In view of the difficulty in segregating personal data and non-personal data, the JPC recommended a common law for data protection with a common authority supervising it, the Data Protection Authority of India. As and when a law is made on non-personal data, it should be subsumed in the Data Protection Act and rules be made accordingly.
The JPC recommended a timeline of approximately 24 months, in which the DPA and other members of the DPA are appointed within 3 months. The government has been advised to also keep ease of business in mind, but the complete law should come into force within 24 months.
Breach reporting is tightened, where:
The data fiduciary will be responsible for any delay in reporting of a breach.
The DPA is to order data fiduciaries to maintain records of data breaches of personal and non-personal data. The records should be reviewed by the DPA periodically.
However, in case of a data breach due to business rivalry or espionage, the DPA should have discretion to make such a breach public.
While making any breach public, the data principal's privacy should be protected.
Children's personal data and sensitive personal data should be more tightly controlled.
The age of a child remains 18.
A child must be reminded 3 months before becoming an adult that the child needs to give consent on becoming an adult.
There should not be any interruption of services when a child becomes an adult unless the consent is withdrawn or accorded.
Several social media platforms have the ability to select the receiver of the content and also exercise control over access to any such content hosted by them; they require stricter regulation and should be treated as publishers and not simple intermediaries.
Verification of accounts with social media platforms will be necessary for any fake news prevention.
An equivalent of the Press Council of India may be brought in for such social media platforms.
All international social media platforms should have a physical office and offices within the territory of India.
An indirectly Indian-controlled cryptocurrency has been recommended to overcome the privacy concerns with international financial transactions, on the lines of Ripple (USA) and INSTEX (EU).
Hardware manufacturers, including those of mobile devices and IoT devices, are brought under the law.
The government should develop a certification mechanism for hardware devices.
The JPC not only recommended that all provisions of data localisation be implemented strictly, but also asked the government to ensure that a mirror copy of sensitive and critical personal data held outside India in the past is created under the DPA for cross-border data transfer.
Data fiduciaries, especially government fiduciaries, should be allowed to retain data beyond the end of the present purpose if such personal data is likely to be required again, possibly for different purposes.
Collection of an employee's personal data by employers should be limited to what is necessary and reasonably expected by the employee. The original recommendations had barred the employer's right to collect sensitive personal data such as biometrics (even for reasonable purposes such as attendance or security).
The guardian data fiduciary is removed.
Provision that a data breach is NOT to be reported to every data principal directly. The DPA is to assess the situation and allow or deny informing data principals.
A data breach should be reported to the DPA within 72 hours.
The DPO of an international company cannot be any arbitrary person. Only the CEO, CFO, Company Secretary, a whole-time director, or a person as mentioned in the rules can be appointed as the local DPO.
The DPA will have a single window for data principals to interact with the DPA. The original PDPB-2019 had different authorities within the DPA for different activities, such as the DPA itself, the Adjudication Officer and the Inquiry Officer.
Earlier, critical personal data could have been transferred just by the consent of the data principal and the approval of the DPA. The recommendation is that no cross-border sensitive personal data be transferred without the approval of the Central government too.
The JPC felt the need for the establishment of a common statutory body for media regulation, as the present form of self-regulating authorities is ineffective.
The qualifications of the chairperson and members of the Data Protection Authority are tightened to the specific wording of law and relevant experience.
The selection committee is recommended to be expanded beyond 3 secretary-ranked bureaucrats to add a subject matter expert nominated by the government and one director each from one of the IITs and IIMs.
Penalties have been reduced to two categories: not more than 5 crores or 2% of worldwide turnover, whichever is higher, and 15 crores or 4% of worldwide turnover, whichever is higher.
There will be a single window for complaints and applications for penalties and compensation.
Unlike the original provision, the JPC has recommended that in case of any violation of the Data Protection Law, the Head of Department (HOD) will not be held accountable, but the HOD is to conduct an inquiry to fix the responsibility for the violation.
The most controversial Section 35 remains untouched except for some minor tinkering.
Section 36 also remained as previously recommended with very superficial changes.