A parliamentary committee on Thursday recommended widening the scope of proposed data protection legislation to include both personal and non-personal data and sought greater accountability for social media platforms by treating them as publishers.
The Joint Committee on Personal Data Protection Bill, 2019, headed by BJP MP PP Chaudhary, tabled its report in both the Houses on Thursday.
The key highlights of the report include widening the scope of the draft legislation to also cover non-personal data, tighter regulation for social media platforms and the establishment of a statutory media regulatory authority, according to a release by the Lok Sabha Secretariat.
The panel has also favoured a framework to regulate hardware manufacturers, who also collect data along with the software. It has favoured a mechanism for certification of all digital and Internet of Things (IoT) devices.
“The committee, considering the immediate need to regulate social media intermediaries, have expressed a strong view that these designated intermediaries may be working as publishers of the content in many situations, owing to the fact that they have the ability to select the receiver of the content and also exercise control over the access to any such content hosted by them,” the report said, asserting that a mechanism must be devised for their regulation.
The panel recommended that all social media platforms, which do not act as intermediaries, be treated as “publishers” and be held accountable for the content they host.
“Further, the Committee have recommended that a statutory media regulatory authority, on the lines of Press Council of India, maybe set up for the regulation of the contents on all such media platforms, irrespective of the platform where their content is published, whether online, print or otherwise,” it said.
A mechanism should be devised where social media platforms, which do not act as intermediaries, will be held responsible for the content from unverified accounts on their platforms.
“Once application for verification is submitted with necessary documents, the social media intermediaries must mandatorily verify the account,” said the report.
The panel has suggested that no social media platform should be allowed to operate in India unless the parent company handling the technology sets up an office in India.
It has also sought to widen the sphere of data protection legislation by including personal and non-personal data, saying defining or restricting the new legislation only to personal data protection or to name it as Personal Data Protection Bill is “detrimental to privacy”.
“The committee, therefore, recommend that since the DPA (Data Protection Authority) will handle both personal and non-personal data, any further policy / legal framework on non-personal data may be made a part of the same enactment instead of any separate legislation,” it said.
As soon as the provisions to regulate non-personal data are finalised, there may be a separate regulation on non-personal data in the Data Protection Act to be regulated by the Data Protection Authority, it mooted.
The Joint Committee of Parliament, had, last month, adopted the report on the Personal Data Protection Bill. The data protection Bill seeks to provide the government with powers to give exemptions to its probe agencies from the provisions of the Act, a move that has been strongly opposed by the opposition MPs who filed their dissent notes.
The suggestions made by the panel are not binding.
The parliamentary committee has further recommended that an approximate period of 24 months be given for the implementation of any and all the provisions of the Act.
Other recommendations include fixed guiding principles to handle a data breach, mechanism to be followed/decided for processing of personal data when the child attains the age of majority, alternative financial system to be developed in India.
The committee, in its report, said that though there are provisions (in the Bill) for cross-border transfer of data, “some concrete steps must be taken by the Central Government to ensure that a mirror copy of the sensitive and critical personal data which is already in possession of the foreign entities be mandatorily brought to India in a time-bound manner”.
A 72-hour timeline for reporting a breach of personal data has been suggested.
The panel has also favoured that penalty provisions for ‘data fiduciaries’ (those determining the purpose and means of the processing of personal data) be kept flexible, saying “flexibility in the imposition of penalty is required as digital technology is rapidly evolving and the quantum of penalty needed to be imposed would need to be decided taking into account these factors”.
The committee noted that at present there is no single unified agency that regulates the various forms of media, specifically news media, in the country.
“In the Committee’s view, the existing media regulators such as the Press Council of India are not appropriately equipped to regulate journalism sector that seeks to use modern methods of communication such as social media platforms or the internet at large,” it said.