Data Protection Bill: Three Controversial Recommendations Of The Joint Committee

Two years after it was constituted, the Joint Parliamentary Committee formed to examine the Personal Data Protection Bill, 2019 finally tabled its report before Parliament on Dec. 16, 2021. The report, accompanied with multiple dissent notes by Members of Parliament from the opposition, has predictably not asked for any significant amendments to the government’s bill.

Unlike the convention over the last three decades, where Department-Related Parliamentary Standing Committees headed by MPs from the opposition would examine bills introduced in Parliament, the PDP Bill this time was referred to a JPC set up by Parliament and chaired by MPs from the ruling party. It appears that the BJP government was not ready to risk sending the bill to the Standing Committee on Information Technology headed by Shashi Tharoor from the Indian National Congress. Given this background, the largely status quoist recommendations of the final report of the JPC are unsurprising. Three recommendations by the JPC, however, do merit further discussion because of their implications for journalism and the tech industry.

Tightening The Screws On Journalism?

Given that the JPC proceedings were taking place in the backdrop of the Pegasus scandal where the phones of multiple Indian journalists were alleged to have been hacked by the software developed by an Israeli company NSO, it was a reasonable expectation that the JPC would broach the issue in its report. Instead, the JPC has remained silent on the Pegasus scandal and has used the PDP Bill as an opportunity to tighten the screws on Indian journalism. Clause 36 of the Bill had carved out a large exception for journalists, exempting them from having to comply with the standard requirements under the Bill, provided they were in compliance with the code of ethics issued by the Press Council of India or any other self-regulatory media body. This was largely in line with the recommendations of the Justice BN Srikrishna Committee report on data protection.

Commenting on the failure of self-regulation by the Indian media, the JPC has recommended amending Clause 36(e) to require journalists to comply with “the rules and regulations made” under the PDP Bill.

Needless to say, this can be fatal to Indian journalism.

Over the last two decades, the western media has learned the hard way that privacy lawsuits can be a far bigger headache than defamation lawsuits. Take, for example, the privacy lawsuit against Gawker by Hulk Hogan which led to its bankruptcy, or the multiple privacy lawsuits against English tabloids by celebrities in the United Kingdom, ranging from Naomi Campbell to Meghan Markle.

The Indian media is yet to feel the full brunt of privacy lawsuits, but it should ask itself whether it is comfortable with the JPC’s recommendation to Parliament that the government and the DPA be given powers to decide privacy norms for journalism. Would the Indian media be able to break stories like the Radia tapes or the Panama Papers under a privacy framework drawn up by the Modi government?

A Swipe At Social Media Intermediaries

A second surprising issue taken up by the JPC in its report is the status of social media platforms as “intermediaries”. The Committee has argued that social media platforms should no longer be considered as “intermediaries” and had recommended replacing the phrase “social media intermediaries” in a particular clause of the PDP Bill with the phrase “social media platform”.

This change in terminology could have profound implications for Facebook, Twitter, etc. For decades now, social media platforms have escaped significant legal liability by arguing that they are merely intermediaries or conduits for information being published by their users and that they do not have control over the actions of their users. If they lose their status as an intermediary, they are more likely to be held liable for the acts of their users, thereby increasing their exposure to legal risk and escalating their cost of operations.

The reasoning offered by the committee for this particular change is as follows:

“…the Committee noted that today social media intermediaries act as if they are above the sovereign and they lay down boundaries which circumscribe the operation of the sovereign. Moreover, the social media intermediaries are not actually intermediaries but they are platforms that do the dual functions of an intermediary and a platform.”

The reasoning for this specific clause is complemented by the following comments made by the JPC earlier in its report:

“…the committee considering the immediate need to regulate social media intermediaries have a strong view that these designated intermediaries may be working as publishers of the content in many situations….”

“A mechanism may be devised in which social media platforms, which do not act as intermediaries, will be held responsible for the content from unverified accounts on their platforms. Once application for verification is submitted with necessary documents, the social media intermediaries must mandatorily verify the account. Moreover the Committee also recommend that no social media platform should be allowed to operate in India unless the parent company handling the technology sets up an office in India.” (para 1.15.12.7)

The above reasoning reflects a general hardening of public opinion across the world against Silicon Valley platforms for what is perceived as their partisan content moderation tactics. In India though, the ruling party had little problem with these platforms until Twitter stood up to it early this year when asked to pull down certain content. The above recommendation of the JPC is more likely a rhetorical exercise meant to scare Silicon Valley, than an actual regulatory measure that will be enforced on the ground.

On Algorithmic Transparency

One surprising and worthwhile recommendation made by the JPC is on the issue of algorithmic transparency. Currently, large data processors use all kinds of algorithms to process data for a variety of purposes. Most companies protect these algorithms as trade secrets on the grounds that the disclosure of these algorithms would compromise their efficiency. There is some merit to the argument because once an algorithm is disclosed it would be possible for certain players to game the algorithm. The obvious counterargument is that it is unfair to not disclose to consumers the manner in which businesses are making decisions that may affect prices or consumer rights. The issue is essentially a trade-off between the trade secrecy protection of businesses and the rights of consumers.

In the form that it was introduced, the PDP Bill did not impose any requirements on data fiduciaries to disclose the algorithms used for data processing. At most, Clause 23 of the PDP Bill imposes on data fiduciaries certain transparency requirements regarding the processing of data. This includes disclosing the categories of personal data collected, the purpose for which the data is to be used, the right to file a complaint against the data fiduciary, etc.

It is not clear whether this information will be disclosed only to the DPA or publicly, but in either event it has the potential to transform the manner in which the state regulates algorithms. One would have expected this potentially game-changing recommendation to be accompanied by a detailed reasoning of the JPC. Surprisingly though the JPC provides no substantive reasoning in its report.

Much of the public discussion on the JPC report is likely to center on its failure to demand more from the government on the issue of state surveillance. It would however be a mistake to ignore the three recommendations discussed in this piece, especially the JPC’s quest to hand over to the government, the power to define privacy regulations for journalists.

T Prashant Reddy is a Bengaluru-based advocate and co-author of ‘Create, Copy, Disrupt: India’s Intellectual Property Dilemmas’.

The views expressed here are those of the author, and do not necessarily represent the views of BloombergQuint or its editorial team.