top of page
  • Anubhuti Awasthi

Recent JPC Report Introduces Further Challenges to Data Privacy in India


It is not surprising to know that there are 4.88 billion users of the internet today which makes it nearly 60 percent of the global population. Concerning India, it has 540 million active internet users so far, still, the country lacks data protection legislation. It is governed by the Information Technology Act, 2000, Telegraph Act, SDPI rules, and the new IT Rules, 2021 for data breaches and privacy concerns.

Tracing back the history of data protection in India, an Expert Committee on privacy was first headed by Justice A.P. Shah who presented a report in 2012, which serves as an influential document for setting up privacy standards. The landmark judgment of K.S. Puttaswamy vs. Union of India in 2017, which recognized privacy as a fundamental right, raised the need for data protection law. Following this, both the report (Expert Committee chaired by Justice BN Srikrishna) and the Personal Data Protection legislation Bill was laid down in 2018.

 Later the bill was sent to the Joint Parliamentary Committee (JPC), which laid down the report before the Parliament after reviewing the 2019 legislation on 16th December 2021. The report has been laid down along with the Data Protection Bill, 2021 by the JPC. The most challenging vocal critics of the 2021 Bill come from within the JPC itself. Eight members of the JPC filed dissenting notes in response to the 2021 Bill. JPC report has raised concerns about the financial transactions done through the SWIFT network and suggested the development of alternative systems similar to Ripple (USA) and INSTEX (EU), to be developed in India. Further, the JPC recommends an alternate payment system to be developed in India to wipe out privacy concerns as well as give a boost to the domestic economy as well.

Major Recommendations Introduced By JPC

The key recommendations introduced by the JPC are changes in the name from the Personal Data Protection Bill, 2019 to Data Protection Bill (DPB), 2021. This change was done to make the bill inclusive of all types of data as the bill now recognizes both personal and non-personal data. The committee has requested to the government to ensure that a mirror copy of sensitive and personal data, which may already be maintained by foreign organisations outside the nation, is brought back within a set time frame. It has also requested that the laws for data localization be fulfilled to the letter and spirit of the legislation. It directed the government to establish a formal certification process for all digital and IoT (Internet of Things) devices, which would also ensure the integrity of all such devices in terms of data security. These recommendations also laid down an extensive policy to develop an alternate payment system, and the inclusion of a system that supports both local businesses as well as start-ups in the future. These key provisions could be fruitful in the long run.

Is Regulation of Social Media Required?

The Social Media Regulation is also included by the JPC committee which has provisions similar to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“IT Rules, 2021”). Sub-Rule 1 and 3 of Rule 9 have been stayed by the high courts of Bombay and Madras, as they snatch the independence of the media due to excessive control by the government. The IT Rules, 2021 regulate “social media intermediaries” and the term “intermediaries” is important because, under the IT Act, such businesses are exempt from liability under section 79 of the IT Act, 2000 for user-generated content if they meet certain legal requirements. The JPC report attempted to replace the term “intermediaries” with “platforms,” indicating that such organizations can be recognized as publishers and held accountable for the information they host. These provisions were much needed but the issue is that this bill is about data protection and not social media regulation which is presently being covered under the IT Rules, 2021. This will, in turn, bring two regulatory laws addressing the same issue differently, adding to the already existing burgeoning task of regulating social media companies.

Consent: The Cause of Concern

Consent is pivotal for privacy protection all around the world. Processing of data without the express consent of individuals is a serious violation of privacy. Although, it can be done in exceptional circumstances by the backing of a legitimate law in place. Clause 12 includes grounds where consent may not be required of individuals for processing their data such as for providing any service or benefit [under Clause 12(a)(1)] or for issuance of any license or certificate [under Clause 12(a)(2)] or [under Clause 12(c)] where the processing of data is necessary under the order of the tribunal. (which is an administrative authority and not a judicial authority). For example, if the activity in question is the non-consensual collection and processing of demographic data of citizens to build state resident hubs that will aid in the provision of welfare services such as healthcare, housing, all that may be required is that the welfare functions be permitted by law. This example highlights the serious concern of the non-consensual processing of data of the individuals.

Certain aspects of data portability should be also clearly laid out in the final version of the Data Protection Bill, such as intellectual property ownership of the data transferred and whether data generated includes derivative data which could be a dilemma for the online businesses sharing analytical data and other practical issues including format of the data. This in turn backfires the privacy test laid down by Supreme Court in Puttaswamy’s judgment. The privacy test is subjected to reasonable restrictions namely, the existence of a law in place, proportionality, and necessity. This principle of necessity will be evaluated as per the convenience of government as it has established itself contrary to the maxim Nemo judex in causa sua (to be a decisive authority in one’s case).

Overarching State Powers

The bone of contention that subsisted in the form of clause 35 of the Personal Data Protection Bill, 2019 (which allowed sweeping powers to the central government and exempted certain agencies under the bill) has been retained by the committee in the new DPB, 2021. The JPC gave the rationale that this clause was for “certain legitimate purposes” and also said there was precedent in the form of the reasonable restrictions as enshrined under Article 19  of the Constitution to curtail the liberty of individuals in the national interest and that the same was under the landmark Puttaswamy Judgement as well.[1]

The central government had been given wide powers with regard to the appointment of the Data Protection Authority (DPA), in the Personal Data Protection Bill, 2019. Further changes made by the JPC also add to the powers of the executive as it employs the Attorney General, an independent expert, a director of an IIT, and a director of an IIM to appoint the DPA. The problem subsists as their appointment is also done by the will of the executive. Although it has the brightest minds of the country, the independent functioning of these authorities is still in question as it is difficult for them to defy the authority appointing them.

Employee Data Protection:

Generally, the employer stands in an advantageous position in an employer-employee relationship.  The activity of gig workers is closely monitored by their employers allowing them to further extract a large amount of the data of their online activity and subject them to be at the mercy of their employers. For example, Zomato has terms in their partner delivery contracts in which they have the right to access, analyze, process, and store the data of their employees. However, the committee has laid down that unnecessary processing of non-consensual data of the employees by the employers should not be done, which is indeed a welcoming step. However, Social Security Code, 2020, recognizes Gig workers as employees but the code has overlapping definitions which add to the complexity of its implementation. For example, Gig work which is performed by a large percentage of people who are engaged through platforms like Urban Company are working as independent contractors. They do not fall under the definition of employees. Independent contractors cannot avail social security scheme benefits under Section 2(78). As a result, both the legislation will fail to provide the rights to Gig workers.

Is The Data of the Children Safe?

A child has been defined under the Bill as anyone under the age of 18. They require parental consent for the use of a technology or service, the DPB denies teenagers of their autonomy and privacy, impeding their growth and self-expression on the internet. Furthermore, requiring children to obtain parental consent is not always practical, particularly for teenagers who may not receive parental support or whose parents are unfamiliar with the digital realm.

The JPC has suggested the removal of a key principle that is “in the best interest of the child” which has its roots in Article 3 (1) of the International Conventions on the Rights of the Child, 1989. India is a signatory to this convention as well. The committee explained its decision stating it was done to avoid any reconsideration that may be sought under the garb of the best interest of the child by the platforms. Every data controller’s action must be guided by the best interests of the child, and there must be a level of protection beyond which no user, particularly a child user, falls. The Data Protection Commission of Ireland has laid stress on the principle of the best interest of the child to regulate their data, through a public consultation report which is in line with the GDPR. These suggestions need reconsideration as the best interest of the child is the very basic legal principle that JPC seeks to remove.

Do We Have The Right To Be Forgotten In India?

Right to be forgotten under clause 18 of the DPB, 2021, includes delinking of the personal data or relevant information related to the data principal accessible through search, websites, social media platforms or any public platform to be removed. In short, it allows individuals to delete their personal data from the internet. It is well known that the adaptation of this right in India has been inspired by the General Data Protection Regulation of the EU. The recent case of Jorawar Singh Mundy vs. Union of India has also given a nod, from the end of the judiciary, that the right to be forgotten is under the ambit of the right to privacy which is a fundamental right.

The misuse of this provision haunts as the question that next comes up is who gets to decide what can be removed and what information is in the public interest? For India, the right to be forgotten in Clause 18 is limited by the data fiduciary’s obligation to respond to these rights. It may even decline a request for such removal which can be misused by censoring relevant information in the public domain. Whereas, the Court of Justice of the European Union provides autonomy to platforms to accept or decline such requests. In a recent case, it backed Google and held that a search engine’s “right to be forgotten” did not require it to remove search results from all of its domains.


The committee has been silent on how that data processing will be affected by its enactment and what measures should be taken to bring such processing, following the provisions of the bill. While some JPC recommendations are positive and recognise new privacy challenges, such as regulating data collected by hardware and requiring data breaches to be disclosed within a certain time frame.  They have also been criticized for key issues such as blanket exemptions provided to the State, backing of clause 12 (non-consensual processing of data of the individuals), independence and accountability of DPA, age of consent, etc. If these loopholes are neglected, it will defeat the intended purpose of this framework. Hopefully, when the Bill is tabled before the parliament, the government affords a raison d’être of acceptance or rejection of JPC’s recommendations. However, when fully implemented, it will bring India’s data protection law at par with those of other countries.  As a result, major companies would also begin to prepare for adherence to the data privacy laws of India.


[1]Committee of Experts under Justice B.N Srikrishna, “A Free and Fair Digital Economy Protecting Privacy, Empowering Indians.,” 2018, 133.

This blog has been authored by Anubhuti Awasthi, a student at Amity University, Lucknow. This blog is a part of RSRR’s Right to Privacy and Legality of Surveillance Blog Series, in collaboration with the Centre for Internet Security. 


bottom of page