Data protection Bill: Data breach to be reported in 72 hours, Joint committee report
The committee has advised the government to set a timeline for the implementation of the Act once it has been notified. The JPC recommended a 24-month period after the notification of the Act for the appointment of the chairperson and members of the DPA.
FollowThe Joint Parliamentary Committee (JPC) report on the Personal Data Protection (PDP) Bill, 2019 which recommends wide ranging changes, including widening the scope of the Bill to include non-personal data and pitches for all social media platforms to be declared 'publishers' - was tabled in both Houses of Parliament on Thursday.
“A mechanism may be devised in which social media platforms, which do not act as intermediaries, will be held responsible for the content from unverified accounts on their platforms. Once application for verification is submitted with necessary documents, the social media intermediaries must mandatorily verify the account,” the committee said.
The committee’s recommendation, however, has left stakeholders seeking more clarity. Some are of the view the provision takes away the protection to social media intermediaries if they moderate content in any way. Some others believe it needs to be clarified either by the government or through judicial interpretation that social media platforms have been kept out of the purview of intermediaries.
The committee has advised the government to set a timeline for the implementation of the Act once it has been notified. The JPC recommended a 24-month period after the notification of the Act for the appointment of the chairperson and members of the DPA.
In the final report, the committee also brought back the penalty clause of the higher of Rs 5 crore, or 2% of global turnover, for certain provisions, including failure to take prompt and appropriate action in response to a data security breach; failure to register with the proposed data protection authority; failure to undertake a data protection impact assessment or conduct a data audit; and failure to appoint a data protection officer.
The top penalty of the higher of Rs 15 crore, or 4% of global turnover, comes for violations in processing of personal data of users and children; failure to adhere to security safeguards; and violations in transfer of personal data outside India.
Across jurisdictions, it is a well-established principle that states are entitled to exemptions from data protection and privacy laws to discharge certain functions, especially those related to law enforcement. However, what remains contentious is the scope of activities that are exempted, the extent of provisions from which the state functions are exempted and the safeguards that should accompany these exemptions.
The Bill was introduced two years back in the Lok Sabha by former Union Minister Ravi Shankar Prasad on December 11, 2019, and immediately referred to the standing committee on December 16. The committee’s report was presented in the Lok Sabha by its chairperson PP Chaudhary and laid in the Rajya Sabha by Congress MP Jairam Ramesh.
