India’s data protection bill should be modified to cover more than just personal data, and impose strict deadlines on businesses to report data breaches, a parliamentary committee recommended in a long-awaited report published on 16 December, 2021.

The Joint Committee on the Personal Data Protection Bill, 2019, has spent two years examining the proposed legislation first laid before parliament on 11 December, 2019. Given the long delay — and its view that the bill should protect more than just personal information — the committee recommended that the resulting legislation be renamed the Data Protection Act, 2021.

The committee’s 542-page report includes 93 recommendations to legislators on the drafting of the bill, which sets out the rights of data principals (those whom the data describes) and the obligations of data processors and data fiduciaries (those who hold the data).

If the bill and the committee’s recommendations become law, businesses will have new obligations to fulfil, including putting a detailed privacy notice on their website, adopting a privacy-by-design policy, keeping various records pertaining to data processing activities, demonstrating the fairness of algorithms deployed, and conducting data protection impact assessments, among other accountability and transparency measures.

Significance

The committee recommended that businesses processing large volumes of personal data, or whose businesses, through their nature, have the potential to affect a large number of people, or that are otherwise considered risky, be labelled "significant data fiduciaries," requiring them to implement additional controls and procedures.

The consequences for those that don’t respect the proposed rules would be severe, to say the least. Fines for significant offences or non-compliance would be up to ₹15 crores or 4% of worldwide turnover, while fines for a minor offence or non-compliance would be up to ₹5 crores or 2% of global turnover.

The bill also creates a host of lesser offences that would attract lower fines and penalties.

The committee recommended that the scope of the bill be enlarged beyond protection of personal data to encompass the collection and storage of non-personal data since, it said, it’s impossible to clearly distinguish between the two, and if privacy is a concern then all data must be protected.

To avoid the need for additional legislation, therefore, it proposed that the Data Protection Authority (DPA) charged with defending citizens’ personal data in the bill also be empowered to oversee non-personal data.

Two years to implement, three days to report

The bill itself provides no timeline for the implementation of its provisions, so the committee recommended that once it becomes law, data fiduciaries and data processors be given about two years to make the modifications to their policies, infrastructure, and processes necessary to bring them into compliance.

The committee was less generous in its suggestion for how long businesses should have to report data breaches. It recommended that data fiduciaries should have to report every breach of personal data to the DPA within 72 hours of becoming aware of the breach, and keep a log of all data breaches, whether of personal data or not.

Another deadline proposed by the committee would come into effect when data principals reach majority. Businesses that process the data of minors should, the committee proposed, have to contact them three months before their 18th birthday to seek renewed permission.

As it stands, the bill allows data principals to receive their personal data where it has been processed automatically, but not if doing so would reveal trade secrets or is not technically feasible. The committee said that the revealing of trade secrets should not be grounds for businesses to refuse to provide data principals with their personal data.

Location, location, location

The bill includes provisions for where data may be stored or processed. Sensitive personal data may be sent outside of India for processing if the individual has given their explicit agreement and certain additional conditions have been met, it says.

Where data is sent abroad, the committee recommended that a copy be kept in India, to facilitate the eventual reshoring of data-processing activities. It also called on the government to ensure that India develops a strong AI software and services ecosystem to support the domestic processing of Indians’ personal data.

It also advocated for a framework to oversee hardware companies that collect data, calling for a certification system for all digital and internet of things (IoT) devices.

Swift retribution

The committee observed that “data protection in the financial sector is a matter of genuine concern worldwide, particularly when through the SWIFT network, privacy has been compromised widely.” Indian citizens, it noted, are major users of the SWIFT international payment service and so, it said, it could give a boost to the domestic economy if India were to develop its own alternative to SWIFT.

But other bodies would remain exempt from retribution for privacy violations under the committee’s rules. Its report did not recommend removing a contentious clause that provides the government with authority to exempt any of its agencies from the data protection laws.

It’s worth noting that the committee’s recommendations aren’t legally binding. The bill will next be presented to the Cabinet, which will decide whether to adopt the committee’s recommendations. Only then will the bill be presented to Parliament for approval. It is expected to be introduced to parliament in the 2022 budget session.