In Parliament: Panel bats for social media regulation in data protection law
Retains clause to exempt govt agencies from the provisions of law
Widening the scope of the law to include both personal and non-personal data, greater accountability for social media platforms by treating them as publishers, inclusion of hardware also into the ambit of regulation and bringing back a mirror copy of the sensitive and critical personal data already in possession of foreign entities are some of the key recommendations of the Joint Committee of Parliament on the Personal Data Protection Bill, 2019. The report of the JCP was tabled in both the Houses of Parliament on Thursday.
The Bill was originally introduced in the Lok Sabha in December 2019, after which it was referred to the JCP, chaired by BJP MP, PP Chaudhary. The draft Bill was prepared on the recommendations of Justice BN Srikrishna-led committee in 2018.
The JCP has, however, retained the clause in the original Bill drafted by the government which provides exemption to any agency under the Union government from all or any of the provisions of the law. This has been done under the pretext of “public order”, “sovereignty”, “friendly relations with foreign states” and “security of the state”. This particular exemption has invited dissent notes by some Opposition members in the panel and is being objected by some legal experts.
On the rationale behind bringing personal and non-personal data under a single law, the committee has said that defining or restricting the new legislation only to personal data protection or to name it as Personal Data Protection Bill is detrimental to privacy. “The committee, therefore, recommend that since the DPA (Data Protection Authority) will handle both personal and non-personal data, any further policy/legal framework on non-personal data may be made a part of the same enactment instead of any separate legislation,” it said. As soon as the provisions to regulate non-personal data are finalised, there may be a separate regulation on non-personal data in the Data Protection Act to be regulated by the Data Protection Authority, it has said.
Non-personal data is the data which is with entities like e-commerce companies. They are general profiles rather than individual personal data.
On the need to regulate social media intermediaries, the committee has recommended that the designated intermediaries may be working as publishers of the content in many situations, owing to the fact that they have the ability to select the receiver of the content and also exercise control over the access to any such content hosted by them. Accordingly, it has recommended that all social media platforms, which do not act as intermediaries, be treated as publishers and be held accountable for the content they host.
The committee felt that one of the biggest issues surrounding social media today is the prevalence of fake accounts. The saga of fake accounts prevails on almost all platforms, including Instagram, Facebook and Linkedin. Since Facebook and Gmail are often used to authenticate on several sites, these fake accounts lead to multiple fake identities across the web. According to the committee’s report, these ‘bots’ and fake accounts can push a certain agenda, carry malicious campaigns, promote digital scams and even conduct organised phishing and blackmailing.
The committee has also suggested that a statutory media regulatory authority, on the lines of Press Council of India, maybe set up for the regulation of the contents on all such media platforms, irrespective of the platform where their content is published, whether online, print or otherwise. A mechanism should be devised where social media platforms, which do not act as intermediaries, will be held responsible for the content from unverified accounts on their platforms.
“Once application for verification is submitted with necessary documents, the social media intermediaries must mandatorily verify the account,” the report said. The panel has also suggested that no social media platform should be allowed to operate in India unless the parent company handling the technology sets up an office in the country.
The panel has also favoured a framework to regulate hardware manufacturers, who also collect data along with the software. It has favoured a mechanism for certification of all digital and Internet of Things (IoT) devices.
The committee has said that though there are provisions in the Bill for cross-border transfer of data, some concrete steps must be taken by the central government to ensure that a mirror copy of the sensitive and critical personal data which is already in possession of the foreign entities be mandatorily brought to India in a time-bound manner.