IT Standing Committee’s Review of MeitY’s Response to Its Recommendations on Citizens’ Data, Privacy

In its report published last week, the Committee reviewed MeitY’s action taken notes and further urged the Ministry to adopt its recommendations on certain pressing themes.

The IT Standing Committee has released its 55th report reviewing action taken by MeitY on the observations and recommendations the Committee made in its 48th Report on ‘Citizens’ Data Security And Privacy’. It covers issues with the DPDP Act and Rules, their effect on the IT Act, their consent framework, broad exemptions, and excessive rule-making. It urges MeitY to expedite passage of the DPDP Rules and “DIA” – we review these recommendations and urge MeitY to place meaningful public consultations and deep research at the heart of lawmaking. The blog includes excerpts from the reports, IFF’s past analysis on these issues, and naturally, some Taylor Swift songs.

Who is the Parliamentary Standing Committee anyway?

An extended arm of the legislature, Parliamentary Standing Committees (“PSC”) (which include departmentally related standing Committees, finance Committees and administration Committees) keep a check on parliamentary affairs and give recommendations on complex law-policy issues to aid policy-making and reform. While a significant amount of Parliament’s work gets done on the floor of the House, it is difficult for the legislature to scrutinise all ongoing government activities during short parliamentary sessions. PSCs were constituted to ease this burden by reviewing and issuing detailed observations and recommendations on proposed legislation, government policies, the legal environment, and union accounts and expenditure. Each Committee has a systematic deliberation process wherein it can invite inputs from experts and stakeholders, and even publish dissenting opinions as part of the Committee’s composite reports. Read more about the role of PSCs in legislative processes here.

After examining certain laws, policies or issues, PSCs come up with a consolidated report and table it in Parliament. Subsequently, they also submit Action Taken Reports which show how many of their recommendations have been accepted by the government, and the progress made on them. The report being analysed in this blog is one such action taken report.

IT Committee’s 55th Report: a list of would’ve, could’ve, should’ves

On February 08, 2024, the Parliamentary Standing Committee on Communications and IT (“Committee”) published its 55th report, reviewing the action taken by the government, in this case, the Ministry of Electronics and IT (“MeitY”) on the observations and recommendations the Committee made in its 48th Report (dated August 01, 2023) on ‘Citizens’ Data Security And Privacy’. Reports of the Committee can be read here.

In its original report, which predates the Digital Personal Data Protection (“DPDP”) Act, 2023 in its current form by a mere 10 days, the Committee raised a list of concerns to MeitY on the rising risk of misuse of personal data and outdated provisions of the Information Technology (“IT”) Act, 2000, highlighting that a data protection law must be urgently introduced, and citizen awareness and empowerment in data security should be prioritised. One member of the Committee submitted a dissent note regarding the rule-making powers of the central government, exemptions to government agencies, and non-inclusion of non-personal data. MeitY has since submitted action taken notes to the Committee, responding to its recommendations and submitting updates on whether they have been accepted or followed. In this report, published on February 08, 2024, the Committee reviews MeitY’s action taken notes and further urges the Ministry to adopt its recommendations on certain pressing themes.

Diving into the report

Here, we break down what the Committee said about actions taken by MeitY so far:

On DPDP Act: not a lot going on at the moment

The Committee passed its original report before the introduction of the current DPDP Act in the parliament. Many of its recommendations on the data protection environment predate the Act, but principally still hold some value. On provisions of the DPDP Act relating to consent mechanisms and notice requirements, the Committee reiterated the importance of providing consent and notice in languages specified in the Eighth Schedule to the Constitution to ensure accessibility, clarity and comprehension. The Committee further noted that the default consent settings under the Act should be designed to extend benefits to data principals, especially those with low levels of digital literacy. For this, the Committee suggests MeitY can incorporate visual elements for consent and notice, promoting easier understanding, accessibility, and inclusive digital access while defining the prescribed methods for obtaining consent and delivering notices.

To this, the Ministry responded that it has noted the suggestions and is taking steps to ensure they are reflected in the Act through the DPDP Rules. The Committee, unsatisfied with the response, noted that MeitY has not furnished any information on the present status of this action and merely parroted what the Committee suggested, and urged urgent action.

The second issue raised by the Committee on provisions of the DPDP Act is the ‘deemed consent’ clause, which was present in the draft DPDP Bill, 2022 and has since been removed based on public consultation and feedback from stakeholders. Instead, under the DPDP Act, personal data can now only be processed without consent “for certain legitimate uses”. The exemptions listed in Section 7 are limited to the State and its instrumentalities to “perform functions under law or in the interest of sovereignty and integrity of India and security of the State, to provide or issue subsidies, benefits, services, certificates, licences and permits that are prescribed through rules, to comply with any judgement or order under law, to protect or assist or provide service in a medical or health emergency, disaster situation or maintain public order and in relation to an employee.”

In its original report, the Committee expressed concerns that there is still a possibility of these exceptions being misused, and strongly recommended the Ministry to devise a mechanism to ensure that these exceptions “do not become the general rule and are used only in exceptional circumstances, with the aim of promoting ease of living and the digital economy.” The Ministry’s response to this was evasive and vague. It listed Section 7 requirements again, said it “is aware” that it can be misused… and said nothing else. The Committee notes this in the current report and again strongly urges MeitY to act and update them about their plans.

Not only is a vague and broad exemptions clause in the DPDP Act dangerous in its current form, the rule-making powers conferred on the executive by the Act as a whole make it a tool for potential misuse as well. The union reserves the right to exempt any of its departments, or a private third party it is contracting with, from consent provisions under the Act. If this is the case, no matter how strong and expansive the consent and other rights framework is under the data protection legislation, overbroad executive control and excessive future lawmaking powers can eventually render it meaningless. Additionally, it is difficult to meaningfully engage with and analyse provisions of the Act, because it has not been enacted and remains to be operationalised through Rules (coming soon?).

On DPDP Rules: Death by a thousand “as may be prescribed”s

In its original report, one of the many concerns on the DPDP Act that the Committee noted was the rule-making powers it confers on the union government. While the digital landscape remains dynamic and ever-evolving, it noted that rule-making powers must be used judiciously and with utmost care and responsibility by MeitY. In response, the Ministry assured the Committee that rule-making powers were a routine part of policymaking and necessary to make the implementation of the Act practical and feasible in the long run.

The Committee, unsatisfied with MeitY’s response, reiterated the need for responsible and judicious use of rule-making powers, adding that the rules formulated must be presented to the Parliament for scrutiny and discussion. It noted that the Ministry has merely outlined the established practice for rule-making without providing clarity on when the DPDP Rules will be finalised. According to established norms, it stated, rules under an Act should be framed within six months of its commencement. Since the data protection law was notified on August 11, 2023, the Committee expects that the Rules in this regard should be nearing completion.

The Committee further believes that the lack of properly framed rules has prevented the notification of essential components of the data privacy law, including the Data Protection Board, which is mandated to investigate privacy breaches and impose penalties as outlined in the Act. It urged the Ministry to prioritise the finalisation and introduction of the DPDP Rules within the prescribed period of six months, and avoid seeking an extension on this front. It added that the rules drawn up must be simple and easy to understand and administer. The Committee asked to be informed of the efficacious steps taken by MeitY in this regard.

The DPDP Act, 2023 lists 25 specific situations for which the union government will notify rules at a later stage and also gives itself the leeway to notify rules at a later stage for “any other matter which is to be or may be prescribed”. Such excessive rule-making has severely limited the ability of stakeholders to meaningfully engage with the DPDP Bill, 2022 and Act, 2023, and for data principals and fiduciaries to understand and prepare for how the legislation will impact their rights, obligations, and conduct of business. While in some instances, procedures and specificities have to be left to future rule-making, these must not completely hamper the operationalisation of the parent law and must be accompanied by relevant safeguards to protect against arbitrary rule-making. The DPDP Act has not been enacted yet, and several of its procedures, including on consent mechanisms and setting up of the statutory Data Protection Board, cannot be operationalised without notifying specific rules. We agree with the Committee’s concerns about the overreliance on rule-making and the need to use these powers responsibly.

We also agree that the rules thus drafted must be simply written and easy to understand and administer, without compromising their substantive quality or scope. However, what causes some worry is the pressure from the Committee to expedite rule-making. Any legislative process must be preceded by extensive consultation with experts, civil society and the public, and must fall squarely within the mandate of the Constitution. Though MeitY officials have indicated that the DPDP Rules will be put up for public consultation, news reports say that the time given for the public to respond will be 45 days. It is worth noting that the Ministry invited feedback and public comments on the draft Digital Personal Data Protection Bill, 2022 for 30 days. Where on one hand the Ministry provided stakeholders an entire month to send comments on a bill that was only 24 pages long, on the other it is considering a mere 45-day public consultation period for 21 draft rules for a key piece of legislation. Further, some news reports said they would be out before January 31, 2024. Some say not before the conclusion of the 2024 general elections.

Amid confusion, delays, and an inadequate consultation process, the DPDP Rules have a significant responsibility of operationalising the Act. Though deep research and nuance in lawmaking take time and delays can be justified in certain circumstances, the contradicting statements from officials and rumours about a worryingly small consultation time frame are definite causes for concern. A thorough public consultation process forms the foundation of any democracy and is an effective means for the public to participate in policy-making and exercise their constitutional rights. MeitY must release the Rules for consultation with an ample time frame for the public to respond in.

On the “DIA”

In its original report, the committee “strongly urged” the Ministry to “promptly finalise the framework of the Digital India Bill and expedite its enactment without any undue delay”. MeitY simply replied to this descriptive and long suggestion with…

The Committee, understandably, reiterated its concerns more emphatically, stating that the outdated IT Act, 2000, which is now 24 years old, needs to immediately be replaced with a new “Digital India Act” (“DIA”). The Committee urged the Ministry again to “promptly conclude the framework for the Digital India Bill and expedite its enactment without unnecessary delays.” The curt response from MeitY did not help, as the report notes the lack of specified timelines for rolling out the “Digital India Act” and no indication of introducing it in the Budget Session of Parliament. The Committee notes that the Ministry has had ample time to release the draft bill for public consultation before its presentation in Parliament, but did not do so. The Committee reiterated the prompt action required and closed the review by stating “the earliest action in this regard would be appreciated.”

The “DIA” so far has been all bark, no bite. As we spoke about at length in our blog posts here and here, MeitY officials have been talking to the media about the law at length and teasing its release, but no official notification or indication has come from the Ministry. As per media reports from May 2023, the consultation on the DIB was supposed to begin on June 7, 2023 and the draft was “likely to be ready by early July”. Then on June 30, 2023 the Minister of State admitted to the delay in the release of the Bill, and promised that it would be released “very soon”.

While we believe that a clear, concrete timeline helps prepare stakeholders for a bill with such significance and alleviates a lot of mystery-led misery around the bill, we also consider deep consultations and consensus around the legislation from all stakeholders as equally important as the timelines by which the legislation is enacted. The only available resources include a PowerPoint presentation shared by MeitY officials, which we have already performed a post-mortem on (in this blogpost here). Several questions remain unanswered about the “DIA”, its ambitions and its mystery digital ecosystem “reform”. Until then, while we share the Committee’s frustrations with still not having a law, we hope due process is followed by MeitY in opening it up for consultations and engaging with stakeholders more meaningfully.

On the IT Act

Some provisions of the two-decade old IT Act, 2000 will become redundant with the enactment of the DPDP Act. The Committee noted that the DPDP Act will overhaul IT Act Sections 43A, 81 and 87, and also affect disclosure provisions under the Right to Information Act. The Committee urged MeitY to proactively revisit the provisions of and notify amendments to all affected legislations and provisions, specifically in the IT Act. In response, MeitY noted the recommendation and listed the following amendments to the IT Act:

  1. The removal of section 43A.
  2. In section 81, the inclusion of the phrase “or the Digital Personal Data Protection Act, 2023” after the words “the Patents Act, 1970” in the proviso.
  3. In section 87, the omission of sub-section (2), clause (ob).

The Committee seemed satisfied with MeitY’s response, but the reforms brought in by the DPDP Act undermine other digital rights and freedoms in and out of the IT Act. For instance, it weakens the right to receive information from public authorities by removing the public interest exception to disclosure of personal information under the Right to Information Act, 2005, thereby diluting the Act. It further dilutes the scheme of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, which accords a higher degree of protection to the processing, sharing and storing of sensitive personal data than other personally identifiable data, by removing the categorisation of “sensitive personal data” from the DPDP Act itself. Such data, including health, sexuality, financial and biometric data, will now be processed with no more procedural requirements than data relating to home addresses, phone numbers, etc. This is one of the many failures of the current DPDP Act.

MeitY, are we out of the woods yet?

While many of the Committee’s recommendations are useful requests, we reiterate that MeitY must place meaningful public consultations and deep thematic research at the heart of lawmaking. Issues like consent and bridging the digital divide are complex and can benefit greatly from expert insights and stakeholder consultations. In fact, the “DIA” is chock-full of complicated themes and globally debated issues, so “hurrying up” may not be solid advice. Instead, a comprehensive and well-thought-out timeline for legislative processes, which is published by MeitY after talking to each other, may be the better solution for now.

This article first appeared on the Internet Freedom Foundation’s official website. Read the original here.

Anxious to Block Parliamentary Panel Probe Into Illegal Snooping, BJP Suffers Rare Defeat

After first agreeing that the agenda for the Standing Committee on IT would cover the Pegasus/WhatsApp snooping scandal, BJP MPs, evidently on instructions from their high command, tried unsuccessfully to scuttle the meeting.

New Delhi: In a rare defeat for the ruling Bharatiya Janata Party in parliament, the Standing Committee on Information Technology voted on Wednesday to take up allegations that dozens of citizens were subjected to illegal surveillance by one or more entities in India using an Israeli malware called Pegasus that is installed surreptitiously on smartphones via WhatsApp.

The allegations surfaced earlier this month when it emerged that human rights activists, lawyers, journalists and even politicians in India had been illegally spied upon. Pegasus is sold by an Israeli company called NSO, which needs to procure a license from the Israeli government’s Defence Export Control Agency for every overseas sale.

Congress MP Shashi Tharoor, who chairs the IT committee, shared a statement with the committee members in early November noting that it was important for the parliamentary panel “to establish whether the government has written or complained to the NSO Group about its action in installing the hack required to intercept communications. This is all the more important, since reports suggest that the NSO Group only provided this technology to governmental bodies and not to private citizens.” 

“Before passing any judgment,” Tharoor wrote, “we must ascertain the veracity of the information reported in the media. These reports, and the alleged use of the technology, are a matter of grave concern. Therefore, the Standing Committee will consider this matter at its next meeting, scheduled on November 20th.”

Tharoor’s note incorporated two suggestions BJP MP Rajyavardhan Rathore had made to the Lok Sabha secretariat. Accordingly, the agenda was finalised and three Union secretaries – from the IT ministry, the home ministry and the Department of Atomic Energy – were asked to present themselves before the standing committee at 3 pm on November 20.

Though the Lok Sabha speaker had approved the agenda and none of the committee’s members had raised any objection, Rathore took the floor as soon as the meeting was called to order. Citing Rule 331E of the Rules of Procedure and Conduct of Business in Lok Sabha, he insisted the panel did not have the mandate to discuss the WhatsApp snooping matter and that the agenda be scrapped.

This was countered by Mahua Moitra of the Trinamool Congress, who said the same rule made it clear the committee was empowered to consider the ministry’s annual report and since cyber security figured as a subject in the IT ministry’s report, the standing committee had every right to discuss the manner in which Pegasus/WhatsApp was used to spy on citizens.

At this point, the BJP MPs changed tack and invoked Rule 261 – “All questions at any sitting of a committee shall be determined by a majority of votes of the members present and voting”. Rathore and Nishikant Dubey said they wanted the committee to vote on whether they could take up the current agenda.

The IT committee has 31 members, of which 16 are either affiliated with the BJP or are government-nominated MPs. At the meeting on Wednesday, 24 MPs were in attendance, of which the BJP’s strength was 12. There were, in addition, one MP each from NDA allies Lok Janshakti Party and Shiv Sena, besides one MP each from the TRS and YSR Congress, both of which have tended to side with the BJP.

Knowing the numbers were on his side, Rathore demanded a vote. After some argument on whether the vote would be by a show of hands or a secret ballot, an open vote was held in which 12 MPs supported the scrapping of the agenda while 12 – including the Sena, LJP and TRS – wanted the Pegasus matter to be taken up.

At this point, Tharoor threw the rule book back at the BJP MPs. “In the case of an equality of votes on any matter, the chairperson or the person acting as such shall have a second or casting vote,” says Rule 262 and Tharoor declared the motion (to scrap the agenda) defeated.

According to parliamentary sources, “two and a half hours were wasted” in these procedural wrangles and the secretaries, who were waiting outside all the while, were finally asked to come in at 5:30 pm.

Officials stonewall

IT secretary Ajay Sawhney told the panel that the government was yet to receive any formal communication from WhatsApp about the security breach and that it was up to the affected individuals to pursue the remedies available to them under the Information Technology Act.

Sawhney and other IT ministry officials also said that “officially, we have no names of the affected people.” At this point, Rathore and Dubey insisted that Tharoor not refer to them as “victims”.

The home secretary, who had to leave for a meeting with home minister Amit Shah after waiting two hours, deputed another MHA official to answer questions on behalf of the ministry. According to sources, this official reportedly said that the law permitted specified government agencies to intercept the communication of citizens but that he had no information about the use of Pegasus.

When MPs asked why the government had made no effort to find out from the Israeli government – which licenses each sale of Pegasus – who NSO’s customers in India are, the officials had no answer.