The Joint Parliamentary Committee (‘JPC’) to which the draft Personal Data Protection Bill, 2019 was referred to in December 2019, has submitted their report and proposed changes to the Bill on December 16, 2021. The name of the Bill has been changed to the Data Protection Bill, 2021 (‘DPB’) and some of the key changes that have been proposed are set out below:
i. Non-personal data (defined as all data other than personal data and includes anonymised data) has been brought within the ambit of the DPB;
ii. The concept of consent managers, who will be the registered data fiduciaries that provide interoperable platforms for data principals to give, review or withdraw their consent to other data fiduciaries, has been introduced;
iii. Processing of any personal data which is not sensitive personal data without consent or where necessary / can be reasonably expected by the data principal in the case of employment related scenarios, has been provided and also the scope for processing of personal data without consent in certain cases has been expanded;
iv. Legitimate interest of the data fiduciary has been included as a consideration for notification of reasonable purposes for processing, which are to be notified by the authority; and
v. A classification of ‘social media platforms’ as significant data fiduciaries by the authority has been provided, with separate classes based on (a) users above a certain threshold; and (b) whose actions are likely to have a significant impact on India’s sovereignty, integrity, electoral democracy, security or public order.
The DPB allows for notifications of different sections in parts and the JPC has recommended that the DPB be implemented in a phased manner over a period of 24 months.