Data Protection Bill

The joint committee on the Personal Data Protection (PDP) Bill, 2019 presented its report on 16 Dec. 2021, recommending changes to the draft legislation. It has recommended changing the name of the legislation to the Data Protection Bill, as it seeks to include both personal and non-personal data under a single law.

Non-personal data is data held by entities such as e-commerce companies. It consists of general profiles rather than individual personal data.

The Committee was concerned about the capacity of government departments to protect the large volume of data they collect. The government will have to establish SOPs in its ministries and departments to protect the huge amount of data collected. The government will be a significant data fiduciary, meaning an entity that controls the storage of data and defines the permitted ways in which it can be processed. Every significant data fiduciary must appoint a data protection officer.

There will be one data protection authority for personal and non-personal data. The chairperson and members of the data protection authority must be appointed within 3 months of the notification of the Act. Sensitive and critical personal data must be brought to the country from foreign entities. This is called data localisation.

Social media platforms will be treated as publishers on certain counts. When they are not acting as intermediaries, they are liable for content they host.

There would be restrictions on cross-border data flow.

The Committee has provided a time-frame of 24 months for the implementation of the Data Protection Act.

The Committee has suggested that data fiduciaries dealing exclusively with children’s data must register themselves with the data protection authority.
