The Joint Committee Report on Personal Data Protection Bill, 2019, was presented in the Parliament on Thursday. The main highlights of the report included social media regulations, national security, and protection of employee data, among other points.
“The Committee, considering the immediate need to regulate social media intermediaries, has expressed a strong view that these designated intermediaries may be working as publishers of the content in many situations, owing to the fact that they have the ability to select the receiver of the content and also exercise control over the access to any such content hosted by them. Therefore, a mechanism must be devised for their regulation,” read the report prepared by the joint committee headed by Lok Sabha member P.P. Chaudhary.
“The Committee has, therefore, recommended that all social media platforms, which do not act as intermediaries, should be treated as publishers and be held accountable for the content they host,” the statement read, adding that a mechanism may be devised under which social media platforms, which do not act as intermediaries, will be held responsible for the content from unverified accounts on their platforms.
Once an application for verification is submitted with the necessary documents, the social media intermediaries must mandatorily verify the account, it added.
Moreover, the Committee has also recommended that no social media platform should be allowed to operate in India unless the parent company handling the technology sets up an office in India.
Further, the Committee has recommended that a statutory media regulatory authority, on the lines of the Press Council of India (PCI), may be set up for the regulation of content on all such media platforms, irrespective of the platform where their content is published, whether online, print or otherwise.
As the Bill will deal with various kinds of data at different levels of security, a single administration and regulatory body will be set up to deal with both personal and non-personal data so as to avoid any kind of confusion, contradiction and mismanagement.
“In the Committee’s view, all data has to be dealt with by one Data Protection Authority (DPA),” the report stated.
Also, a mechanism will be followed for processing personal data when a child attains the age of majority, i.e., 18 years.
“Data fiduciaries dealing exclusively with children’s data must register themselves with the Data Protection Authority. With respect to any contract that may exist between a data fiduciary or data processor and a data principal who is a child, the provisions of the majority act may apply when he or she attains the age of 18 years,” the report mentioned.
“Three months before a child attains the age of majority, the data fiduciary should inform the child for providing consent again on the date of attaining the age of majority; and whatever services the person was getting will continue unless and until the person is either opting out of that or giving a fresh consent so that there is no discontinuity in the services being offered,” it added.
The committee also urged the government to set up a dedicated lab and testing facility, with branches spread throughout India, that will provide certification of integrity and security to all digital devices.
Stating that national security is of paramount importance and India cannot compromise it on the ground of promotion of businesses, the report said that concrete steps must be taken by the Central government to ensure that a mirror copy of the sensitive and critical personal data, which is already in the possession of foreign entities, be mandatorily brought to India in a time-bound manner.
The committee observed that the employer cannot be given complete freedom to process the personal data of an employee without his or her consent for the sake of employment purposes. Therefore, it holds the view that the relation between the employee and employer is very sensitive and should be handled with utmost care so that no harm is caused to either of them.
“As the employer collects all the data of the employee, there is a trust relation between them which the Committee thinks should be respected. Therefore, there should be equilibrium in processing of data of employee by the employer and its use or misuse by the employer. The employee must also be given the opportunity to ensure that his or her personal data is not being processed for unreasonable purposes,” it added.
To avoid creating uncertainty for the concerned stakeholders, the committee also recommended that an approximate period of 24 months may be provided for implementation of any and all the provisions of the Act so that the data fiduciaries and data processors have enough time to make the necessary changes to their policies, infrastructure, processes, etc.