Non-Personal Information, Social Media – What New ‘Data Protection Bill’ Could Look Like

Non-Personal Information, Social Media – What New ‘Data Protection Bill’ Could Look Like

Changing the name of the data protection bill, regulating non-personal information, corrective social media platforms as publishers, and consisting of data collection by electronic types of equipment – these are some of the changes the Joint Committee of Parliament (JCP) on the Personal Data Protection Bill 2019 has reportedly advised.

As per the information in The India Express, The Economic Times, among various media outlets, the group is expected to submit the report in prior weeks of the current winter session of Parliament, right after getting the sixth such extension on Wednesday.

The session ended on December 23rd. The committee’s suggestions are not conclusive. The report will be mentioned for the discussion, after which the bill will be reintroduced in the House.

The 2019 bill was initially introduced in the Rajya Sabha by the Union Minister of Electronics and Information Technology. Ravi Shankar Prasad, on 11 December 2019. It was referred to a joint parliamentary committee on the same day. The Precedence media reports also exist on the recommendations the panel has arrived at.     

What is Personal, Non-Personal Data?

According to reports, the panel is in favor of developing the extent of the legislation to include not just personal data, but non-personal data as well, and allow the Data Protection Authority (DPA) — an independent public authority to be created by the law, which would monitor its implementation — to handle both categories of data.

Non-personal data is expected to include industrial databases and anonymized personal data as well. Now, the 2019 bill defines ‘personal data as any data that may contain any characteristics or traits of a person and can be used to identify them. It also defined ‘sensitive personal data, which includes financial data, health data, data on sexual orientation and activity, biometric data, genetic data, data on transgender status, intersex status, caste or tribe, and religious or political belief or affiliation.

Non-Personal-Information-Social-Media–What-New-Data-Protection-Bill-Could-Look-Like-image3

‘Non-personal data’ is usually any set of data that does not contain personally identifiable information. It also includes data that used to be personal data, but which has been ‘anonymized’, to remove information in a way that the person to whom the data relates cannot be identified. Usually, any data that does not come under the definition of personal data is non-personal data.

This would require to be done in consultation with the DPA, to “permit better targeting of delivery of services or formulation of clue-based policies by the Central government.” The user or an individual to whom the information in question relates is the information principal. Data fiduciary is the aspect that controls the storage of this data, as well as defines the purpose and the ways in which the information is gathered by a data fiduciary.

So, for instance, when you use any mobile app, you are the data principal, the app is the data fiduciary and any advertiser processing your data from the app would be the data processor. This isn’t the first time that regulation of non-personal data is being looked into. In September 2019, the Ministry of Electronics and Information Technology (MeitY) had appointed a committee of experts chaired by Infosys co-founder Kris Gopalakrishnan to recommend a framework to regulate non-personal data in India.

This committee has since submitted two reports, one in July 2020 and another in December 2020. The second report had also favored an amendment in provisions of the 2019 bill that mention non-personal data, “in order to ensure that the two frameworks are mutually exclusive yet work harmoniously”.

But now, since the JCP has recommended the inclusion of non-personal data as well in the 2019 bill, it has recommended that the legislation now be called the ‘Data Protection Bill 2021’.

Is More Culpability for Social Media Platforms?

In the case of Social Media Intermediaries currently governed by the Information Technology Rules, the India Report recommends that the personal anticipate redesignating social media intermediaries as social media intermediaries as social media platforms, and treating such platforms as publishers to hold them accountable for the content they published.

Under the advance IT Rules 2021, the social media intermediaries consist of telecom service providers, web-hosting service providers, and search engines like Google, online transaction sites, online-auction sites, e-commerce platforms such as Amazon, and Flipkart, and platforms like Facebook, Twitter, Blogspot, and WordPress.

At Present, Section 79 of the Information Technology Act (IT Act) facilitates intermediaries, consisting of social media intermediaries, protection against liability for content posted on their websites by third parties which include users. it codifies the ‘safe harbour’ regime, providing them the protection from legal liability for anything illegal that its users do, as long as these intermediaries go through certain due diligence directions such as adhering to the government’s content takedown requests.

Meanwhile, actual publishers, like newspapers, are responsible for the content they host. The idea is that publishers have direct control over the content that they host. So for instance, in a defamation case, if the allegedly defamatory content is a newspaper article, then the newspaper itself, along with the author of the article, can be held liable for it.

Non-Personal-Information-Social-Media–What-New-Data-Protection-Bill-Could-Look-Like-image1

However, if it is a case of an allegedly defamatory Facebook post or a tweet, then it is usually just the user who can be held guilty for it, as long as the social media intermediary can show the court that it was merely acting as a facilitator and played no role in initiating or modifying the content and that it adhered to the due diligence requirements. At first glance, the committee’s recommendations now seem to be pushing for more liability for social media platforms. The committee has recommended the formation of a separate statutory media regulatory authority for the regulation of content on such platforms.        

The 2021 IT Rules tried to do a similar thing by saying that if any intermediary fails to comply with the guidelines, the provisions of Section 79(1) of the Information Technology Act 2000 shall not apply to such an intermediary, making them liable for punishment under any law in India, including criminal prosecution under provisions of the IT Act and the Indian Penal Code.

However, the Rules are under challenge in at least 17 petitions filed across the country in the high courts of Delhi, Karnataka, Madras, Calcutta, and Bombay, challenging various provisions of these rules.

How do you know if there’s a data hijack?

The committee also requires the DPA to frame rules for information collection by electronic hardware, including telecom gear, Internet of Things (IoT), etc. Anything that can connect to the internet is an IoT device. So it includes smartphones, laptops, tablets, fitness watches, cybersecurity scanners, smart home devices, air quality sensors, smart traffic lights, and a host of various such devices that gathered large volumes of personal data.

Further, the committee has favored a 72-hour time frame for data fiduciaries to report the data breach. It has also been recommended that the definition of ‘harm’ should include psychological manipulation that impairs the autonomy of a person.

The 2019 bill required data fiduciaries to inform the DPA of any breach of personal data only where such a breach is likely to cause harm to the data principal. The bill detailed ‘harm’ to consist financial loss, loss of reputation, or withdrawal of a service.  

What is Privacy by design?

Additionally, the committee has favored granting exceptions to smaller firms from the principle of ‘privacy by design’ which is a set of good strategies based on some ‘foundational principles’. The DPA could permit such dispensation to data fiduciaries below some beginning, so as to not hamper the growth of firms that can be classified under MSMEs.

Non-Personal-Information-Social-Media–What-New-Data-Protection-Bill-Could-Look-Like-image2

The 2019 bill required every data fiduciary to prepare a privacy-by-design policy, declaring the systems that the financial person has put in place to evade harm to users, its obligations, and the technology it uses to process personal information and the security of privacy at every stage, from collection to deletion of personal data. This policy was need to be approved by the DPA and posted on the website of the data fiduciary as well as the DPA.

What are the Unorthodoxy notes?

With the Information, around half a dozen MPs from the Congress, the Trinamool Congress, and the Biju Janata Dal (BJD) have given dissent notes to the committee.

The advantage of these MPs has complain to Section 35 of the bill, which allows the central government to exempt any government agency from the provisions of the bill, in the interest of national security and the prevention of incitement to any cognizable offense. He has also suggested some updates to Section 12(a)-i, which permits “non-consensual processing” of personal data by government if it is for any legal function that the government is supposed to perform. For example, in case of issuance of any certificate, license, or permit, or in compliance with any order or judgment of a court or a judiciary, or in case of a medical crisis for the data principal.  

Leave a Reply