The JPC Report and the Data Protection Bill, 2021: Who Does it Really Protect?

The Joint Parliamentary Committee on the Personal Data Protection Bill, 2019 (“JPC“) was constituted on December 11, 2019,1 for the study and consideration of the Personal Data Protection Bill, 2019 (“2019 Bill“). The JPC was initially expected to present its report to Parliament during the Budget Session of 2020, however, after being granted an extension of 2 years, the JPC tabled its report (“JPC Report“) in both houses of Parliament on December 16, 2021.2 The JPC Report, amongst other features, contains a list of policy recommendations on the matter, an analysis of various Sections of the 2019 Bill, and contains a draft bill titled the Data Protection Bill, 2021 (“2021 Bill“). The JPC Report’s focus was centred on answering questions and clarifying issues relating to public policy concerns on data protection in India and providing recommendations for the same, while taking into consideration the judgement of the Honourable Supreme Court in Justice K.S. Puttaswamy (Retd.) v. Union of India,3 and the recommendations of the Justice B.N. Srikrishna Committee.4 While the JPC Report has evolved from the 2019 Bill, addressing issues relating to the looming threat of data breaches and other concerns relating to data protection, privacy and preservation concerning, amongst other things, the treatment of personal data upon the death of the data principal, the treatment of  personal data for employment purposes, and the importance of establishing a regime to govern non-personal data as well as personal data. However, the JPC Report has also received criticism for being more focused on the protection of state interests rather than being designed for the protection of data and privacy of data principals.

The JPC recommended that the preamble of the 2019 Bill be amended by adding the word ‘digital’ before ‘privacy of individuals,’ limiting the scope of the 2021 Bill to digital privacy and not the holistic data privacy of individuals. Further, it recommended that “digital privacy must be circumscribed and limited by nation’s sovereignty, integrity and state interest and security,” and thus recommended that the phrase “to ensure the interest and security of the State” be added to the preamble.5 These recommendations have been incorporated in the preamble of the 2021 Bill, limiting the purview of the 2021 Bill to the protection of digital privacy of individuals, thereby contextualising the 2021 Bill in terms of maintaining the interest and security of the state.

The 2019 Bill directed data fiduciaries to only retain the personal data of the data principal  for such time as is required to carry out the purpose for which such personal data was collected, and directed data fiduciaries to delete this personal data once it has been processed.6 The JPC was of the opinion that this provision is very restrictive and may prove to be a hurdle to agencies who process such data multiple times in order to provide welfare schemes. As such, the JPC recommended that the word ‘processing’ be replaced with the words ‘such period’,7 an amendment reflected in the same Section of the 2021 Bill. This Section removes the temporal and purposive qualification of personal data retention, which may result in uncertainty regarding the treatment of such personal data.

Section 12 of the 2021 Bill provides for the processing of personal data without the consent of the data principal for the performance of any function of the state authorised by law, including for the reasons enumerated thereunder. The 2021 Bill explicitly adds the word ‘including’ to the purposes outlined under the 2019 Bill, making the list of functions of the state illustrative rather than exhaustive. This unqualified state power has attracted criticism from several MPs within the JPC itself, in their respective dissent notes, who have raised alarms for the implications this Section may have. This Section further adds that personal data may be processed without consent when necessary for compliance with any law or any judgement or order of any court, quasi-judicial authority or tribunal in India.

The JPC Report further recommends that government departments be exempt from the provisions of the 2021 Bill by way of inserting a non-obstante clause in Section 35 whereby, if the Central Government is satisfied that it is necessary or expedient to do so for the purpose of, amongst others, maintaining the interest of sovereignty and integrity of India, security of state, public order and for the prevention of incitement to commit any cognizable offence, it is empowered to order that any agency of the government be exempt for from any and all provisions of the 2021 Bill.8 Notably, the JPC recommends that an explanation to Clause 35 be inserted, which states that this power must be used in accordance with “just, fair, reasonable and proportionate procedure.”9

Criticism for the 2021 Bill, most notably, comes from within the JPC itself. Eight members of the JPC filed dissent notes vide the 2021 Bill, including Mr. Jairam Ramesh, Mr. Manish Tewari, Mr. Derek O’Brien and Ms. Mahua Moitra. Mr. Tewari, in his dissent note, goes so far as to reject the 2021 Bill in its entirety, stating that it suffers from an inherent design flaw and criticised the 2021 Bill for providing blanket exemptions, either in perpetuity or for limited periods of time, to the state and its instrumentalities.10 He further disagreed with the JPC’s position that the 2021 Bill should only cover digital personal data, and maintained that the 2021 Bill should cover personal data in all forms.11 Next, in their combined dissent note, Mr. O’Brien and Ms. Moitra state that the 2021 Bill provides the Government with overbroad exemptions, without ensuring that proper safeguards are in place.12 They further posit that Section 35 of the 2021 Bill empowers the Central Government with more unqualified powers, and that the purview of the 2021 Bill should be extended to the protection of all personal data, not just the personal data that exists in the digital realm.13 Finally, in his dissent note, Mr. Ramesh stated that Section 35 of the 2021 Bill provides the Central Government with almost unbridled powers to exempt any government agency from the purview of the 2021 Bill.14 He recommends that the ‘public order’ grounds for exemption be removed from the text, to ensure narrow tailoring of the exemption, thereby limiting its scope given its susceptibility for misuse.15 Notably, criticism for Section 35 is not limited to its form in the 2021 Bill. Justice (Retd.) B.N. Srikrishna, who lead the committee whose recommendations the JPC heavily relied on and drafted the Personal Data Protection Bill, criticised the same section of the 2019 Bill as was presented before Parliament. In an interview, he posited that the JPC has removed the safeguards from the 2019 Bill, enabling the government, or any government agency, to access private data at any time on the grounds of public order and sovereignty, stating that this has dangerous implications and that, “it will weaken the bill and turn India into an Orwellian State,” maintaining that there should be judicial oversight on government access.16

While the JPC Report and the 2021 Bill make progress and address several issues that plague individuals in today’s digital world, it has been equally been met with criticism. Critics of the 2021 Bill argue that the 2021 Bill, in its present form, is liable to be misapplied in a manner that may compromise the fundamental rights of individuals by the state. In a digital age, privacy and the protection of data assume primacy and must be accorded a similar level of protection. The manner in which the powers envisaged by the 2021 Bill are used shall determine whether these powers are necessary for state functioning, or whether they leave digital data rights unprotected and dilute the intention of the code.

1 Committee Information on the Joint Committee on the Personal Data Protection Bill, 2019, Lok Sabha. Available at http://loksabhaph.nic.in/Committee/CommitteeInformation.aspx?comm_code=73&tab=1.

2 Report of the Joint Committee on the Personal Data Protection Bill, 2019. Available at

3 AIR 2017 SC 4161.

4 Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians. Available at https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf.

5 Recommendation No. 14 of the JPC Report.

6 Clause 9 (1) of the 2019 Bill.

7 Recommendation No. 32 of the JPC Report.

8 Recommendation No. 56 of the JPC Report.

9 ibid.

10 Page 210 of the JPC Report.

11 Page 218 of the JPC Report.

12 Page 219 of the JPC Report.

13 Page 220 of the JPC Report.

14 Page 237 of the JPC Report.

15 Page 240 of the JPC Report.

16 Mandavia, Megha, Personal Data Protection Bill can turn India into ‘Orwellian State’: Justice BN Srikrishna, The Economic Times, December 12, 2019. Available at https://economictimes.indiatimes.com/news/economy/policy/personal-data-protection-bill-can-turn-india-into-orwellian-state-justice-bn-srikrishna/articleshow/72483355.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst