Hold social media platforms accountable for content they host, suggests JPC report on Data Protection Bill

The Joint Parliamentary Committee, in its yet to be submitted report on the Personal Data Protection Bill 2019, has suggested that all social media platforms should be treated as publishers and be held accountable for the content they host, according to sources. The Committee, therefore, recommended replacing ‘social media intermediary’ by ‘social media platform’.

The report is likely to be tabled in Parliament on December 16, 2021. It is likely to include the final recommendations and dissent notes by several members from Opposition parties. Chaired by PP Chaudhary, the JPC has 30 members including Jairam Ramesh, Manish Tewari, Vivek Tankha, and Gaurav Gogoi from the Congress; Dayanidhi Maran from DMK; and Derek O'Brien and Mahua Moitra from the Trinamool Congress.

The Joint Parliamentary Committee (JPC) began looking into the Personal Data Protection Bill 2019 in December 2019. It was referred to the Committee soon after it was introduced in the Rajya Sabha by the then Union Minister of Electronics and Information Technology, Ravi Shankar Prasad, on December 11, 2019. The changes recommended by the committee will reflect in the Bill once it is accepted by the ministry.

Sources said that the Committee took note of the absence of a code of ethics for such social media platforms and the inadequacies of self-regulation. The members were of the opinion that social media platforms should be made accountable for the content that they host on their platforms.

The Committee has reportedly recommended that a statutory media regulatory authority, on the lines of Press Council of India, be setup for the regulation of the contents on all such media platforms irrespective of the platform where their content is published, whether online, print or otherwise.

The JPC report suggested that a mechanism should be devised in which social media intermediaries would be held responsible for the unverified content on their platforms. Once application for verification is submitted with necessary documents, the social media intermediaries must mandatorily verify the account and they would be held accountable for the content dissemination by unverified accounts.

Reportedly, the Committee was of the view that the Bill should put a regulatory architecture to deal with social media platforms in order to protect the privacy of individuals and the interest of the nation. It added that social media platforms must allow users to identify themselves and voluntary verification must be made mandatory.

The report suggested that a Data Protection Authority (DPA), which would be set up under this Act, should take into account the interests of the Government with regard to the obligations that it has to discharge, while framing its policies. This is even though although the individual’s liberty and right to privacy is of primary concern. Sources said, the JPC was of the view that all data should be dealt with one DPA and the policy on non-personal data should be a part of the same legislation.

The JPC is believed to have rightly pointed out that the existing Bill on data protection has no provision to keep a check on hardware manufacturers that collect the data through digital devices. The Committee, reportedly stated, it has become essential to regulate hardware manufacturers who are now collecting data along with the software.

The Committee has reportedly strongly recommended that the government make efforts to establish a mechanism for the formal certification process for all digital and IoT devices that will ensure the integrity of all such devices with respect to data security. IoT (Internet of Things) devices are physical objects connected to the internet such as home security systems, sensors, alarms and voice-controlled devices.

Sources said that the Committee was of the view that India may no more leave its data to be governed by any other country. This means that the Committee recommended that concrete action must be taken by the union government to ensure that a mirror copy of the sensitive and critical personal data which is already in possession of the foreign entities be mandatorily brought to India in a time bound manner.

The committee is known to have suggested that any contract or intra-group scheme allowing cross-border transfer of data, even after the consent of the data principal, may not be approved if it is against public policy or state policy or has a tendency to harm the interest of the state or its citizens.

After consulting all stakeholders, the Committee reportedly suggested that the government should prepare and pronounce an extensive policy on data localisation encompassing broadly the aspects like development of adequate infrastructure for the safe storage of data of Indians. The Committee believed this will provide this would, in all likelihood, generate employment for Indians. It wasn't made clear in the report how this was possible.

The JPC is believed to have observed that the title of the Bill, “The Personal Data Protection Bill, 2019” be changed as “The Data Protection Bill, 2021” due to the impossibility of a clear cut demarcation of personal and non-personal data and to cover the protection of all kinds of data. Additionally, the Committee wanted the preamble of the Bill to include the term ‘digital privacy’, instead of only ‘privacy’ as it is now.

The Committee reportedly felt that the definition of “harm”, which may result from personal data processing, needs to be widened in order to incorporate such harms as psychological manipulation which impairs the autonomy of the person.

In case of a data breach, the data fiduciary should report to the authority within 72 hours of finding it. The Authority will decide if the data principal should be informed. The Committee observed that the data fiduciary should be held responsible for the harm suffered by the data principal on account of delay of reporting of personal data breach.

A data fiduciary is an entity or individual who decides the means and purpose of processing personal data and a data principal is the person to whom the personal data belongs to.

Also, the JPC noted that the Authority should ask the data fiduciaries to maintain a log of all data breached. Additionally, data fiduciaries dealing exclusively with children’s data, must register themselves, with the Data Protection Authority.

The Committee recommended that approximately 24 months may be provided for implementation of any and all the provisions of the Act so that the data fiduciaries and data processors have enough time to make the necessary changes.

It was suggested by the Committee that phased implementation may be undertaken in order to ensure that within three months, the Chairperson and members of the DPA were appointed; the DPA commenced its activities within six months from the date of notification of the Act and the registration of data fiduciaries should start not later than nine months.

The Committee is said to have noted in the report that every significant data fiduciary must appoint Data protection officers, who have to be senior management personnel of these companies.

What is worrisome in the report?

Clause 12 of the draft Bill sought to list out certain cases which provide for processing of personal data without consent. It is believed that the Committee was of the view that it was very essential to mention the purpose of processing personal data under Clause 12 as only such provision can enable the state agencies to function smoothly. No changes have been suggested by the Committee to this Clause.

This clause suggests that Government departments such as the Income Tax Department and the Unique Identification Authority of India, would be exempt from purposes of consent. This would be against the Justice KS Puttuswamy privacy judgment.

Clause 35 empowers the Central Government to exempt any agency of the Government from application of the Act, but the JPC report has not recommended any changes to it.

It was against these two clauses that several Opposition MPs including Ramesh, Tewari, Gogoi, Tankha, O’Brien and Moitra submitted dissent notes.

The JPC report also does not make any suggestions regarding the composition of the committee, which would select the DPA. This implied that the members of the authority would be appointed by the government.