The joint parliamentary committee (JPC) has finalised its report on reviewing the proposed data protection law, suggesting stricter compliance requirements for companies while adding or modifying clauses that will provide moderate responsibility on government agencies.
It also recommended that the State have a greater say in the legal mechanism that will be set up to safeguard personal and non-personal data.
The panel has proposed new provisions that will build in additional compliances. Companies will need to report a data breach within 72 hours, mandatorily disclose if information relating to a data principal, person or entity, that owns the data, is passed on to someone else, and appoint senior management personnel as data protection officers who will be ultimately held responsible for lapses or violations.
The committee has, however, listened to the demands of stakeholders on some points, such as the removal of a blanket provision treating social media companies as publishers, and in implementing the legislation in a phased manner over a period of two years.
The panel urged a change in a particularly contentious portion of the law Clause 35, which deals with conditions under which the government can access personal data without consent. It has recommended that the procedure by which this exemption is claimed to be “just, fair, reasonable and proportionate” and is debatable because it allows the government to claim the exemption if it is satisfied then it is “necessary or expedient” to do so in the interest of purposes such as national security.
Discussion about this post