After dragging its feet for two years, the Joint Parliamentary Committee (JPC) has come out with a considerably modified version of the Data Protection Bill, with the change of title itself saying quite a lot — the Personal Data Protection Bill , 2019, is now the Data Protection Bill (DPB), 2021. This incorporates 150 corrections and surprisingly clubs personal and non-personal data. But first, the positives. The JPC is clear that the individual is the subject of protection against breaches of their fundamental right to privacy by companies for profit and by the State on grounds of security. With regard to harnessing private data by companies, the regulations in Clause 26 of DPB, 2021 seek to hold at least major social media platforms accountable, by terming them “significant data fiduciary”, to be defined by a threshold limit of user numbers as notified by the Data Protection Authority (DPA). This marks a vast improvement over the free-for-all that prevails now, often ravaging individual dignity. These entities would be subject to regulatory compliance such as data impact assessment, registration, appointment of data protection officer and enhanced power of oversight by the DPA. However, it is hard to justify why 24 months are needed to implement the law. Nor is there clarity on the status of data collected so far, or till the two year period till this Bill becomes law. Misuse of such data in the fast-growing fintech space is already becoming a matter of grave concern, to take an example. The prospective application of the law is not in consonance with the approach taken by the EU’s General Data Protection Regulation.

The Bill has attracted criticism for according wide exemptions to the State on grounds of security and vaguely worded “public order”. Privacy being a fundamental right a la KS Puttaswamy-versus-Union of India, it is principally defined as a counterpoint to the State. Therefore, exemptions to the Government and its agencies under Clause 35 on grounds of “public order” as also Clause 12(a)(i) seem excessive. The same goes for Clause 42(2) and its sub-clause suggesting involvement of the Centre in the appointment of chairperson and members of the Data Protection Authority. The DPA should be a multi-stakeholder panel.

The enthusiastic characterisation of citizen’s data as the “new oil” seems discordant in a law whose concerns should revolve around the repercussions of mining such data. There is no apparent basis to clubbing personal and non-personal data either, in contrast with global practices. The concerns are disparate. Non-personal data, for example, could pertain to preserving business confidentiality for artificial intelligence or machine learning models. The JPC proposes a regulatory regime for non-personal data which is not innovation-friendly to tech businesses. Non-personal data should be treated under a separate law. The JPC should have heeded the industry as well as the Srikrishna report which had wisely left the question of non-personal data to the “wisdom of a future committee...”