The sixth sitting of the Joint Parliamentary Committee on the Personal Data Protection Bill held on Monday (August 10) saw key issues brought to the fore by law firm Luthra and Luthra and Foundation of Data Protection Professionals in India, who were invited to air their views.
The meeting on Monday discussed the crucial issue of children’s privacy rights and how anonymisation can preserve privacy rights, reported Medianama.
Law firm Luthra and Luthra Law and Foundation proposed that a rigid age of consent for children was not a fail-safe way to decide on children’s consent. They proposed creating a graded approach to children’s age of consent depending on the services in questions. Currently, the Bill defines a child as someone under 18 years of age.
At the meeting, Luthra and Luthra argued that broad definitions widen the scope of the Bill, limiting the freedom of business tasks, reported Indian Express.
Citing an example, Luthra and Luthra are learned to have argued that without sufficient guidelines, denial of credit or loan to an applicant based on credit scoring may be considered a ‘harm’ under the PDP bill. It also raised concerns regarding the definition of sensitive personal data, stating that words such as “behavioural characteristics” and “facial images” could put actions such as targeted advertisements and CCTV footage under the gamut of the bill, leading to an increase in compliance burden.
Meanwhile, another presentation from the Foundation of Data Protection Professionals in India stated that the bill yielded to the pressure of the industry and can lead to abuse of powers by the government, reported Medianama. It also said expressed concerns about the independence of the Data Protection Authority, pointing out that it would be appointed by a committee of Cabinet Secretary and Ministry Secretaries and not the Chief Justice.
On Tuesday (August 11), the Associated Chambers of Commerce and Industry of India (ASSOCHAM) is to make a presentation before the committee. Facebook was initially scheduled to depose before the JPC but the schedule was revised to replace it with FDPPI instead. The reasons for it are currently unclear.
Data Protection Authority
The PDP Bill also proposes the establishment of a Data Protection Authority to monitor violations of norms and keeping an eye on incidents of data theft, privacy breaches, among others.
The bill also mandates various penalties for violations of norms and incidents of data theft and illegal processing. For violation of certain proposed norms, the bill mandates a penalty of INR 5 Cr or 2% of global turnover, whichever is higher, while for data leakage or illegal processing, it stipulates the highest penalty of INR 15 Cr or 4% of the turnover.
Moreover, for serious incidents of data breaches or privacy violations, the bill even proposes arrest and jail terms for senior officials from the top management of the violating company which might extend up to three years.