India's Joint Parliamentary Committee Announces Recommended Changes to Privacy Bill

Last month, the Indian Joint Parliamentary Committee submitted its report on the 2019 Personal Data Protection Bill after two years of consideration, research, and analysis. The bill, while not a certainty but likely to pass, would replace what some consider to be archaic data protection regulations. Although not finalized, the biggest obstacle if implemented as envisioned is strict data localization. India has been in the group of countries legislating data privacy for decades, culminating in the 2021 JPC report submission. Here’s a look at the history of data privacy legislation in India.


The History of Data Privacy Legislation in India

  • 2000 – Information Technology Act is passed by parliament and signed by President K.R. Narayanan addressing electronic documents, e-signatures, and record authentication.
  • 2017 – The Indian Supreme Court hears Justice KS Puttaswamy vs Union of Indiaand passes a historic judgment affirming the constitutional right to privacy.
  • 2019 – Introduction of the Personal Data Protection Bill and immediately sent to the JPC to be examined.
  • 2021 – JPC submits report on PDP to Indian Parliament revisions.


The long-awaited report submitted December 16, 2021 by the JPC has provided necessary clarification and modifications that seek to enhance the syntax and governance of the bill.


The recommended amendments are as follows:

  • Scope – The bill has a proposed name change to Data Protection Bill and will cover both personal and non-personal data which is unusual as distinction of data type can be difficult when managing mass amounts of data. Clauses also address the deceased and transfer of minor rights (see Clause 16 below).
  • Implementation Timeline – The report outlines a timeline with a 24-month implementation period for data processors to comply.
  • Definitions – The following terms have been defined or revised: consent manager, data auditor, data breach, data fiduciary, data processor, data protection officer, harm, and non-personal data.
  • Clauses 13 & 14 – These clauses apply to consent of personal data processing for employment and legitimate interest, marrying the interests of both the data principal and data fiduciary.
  • Clause 16 – Entities dealing with the data of children must register with the DPA and are required to communicate with the subject 3 months prior to adult age to regain consent and “must continue providing the services to the child unless the child withdraws consent.”


The implementation timeline for the Data Protection Bill is still unknown but will likely be a phased approach. Like California, there is discussion of an oversight committee called the Data Protection Authority of India that would supervise compliance with the proposed law. With the notable amendments to the bill, it’s unlikely we’ll see this come to fruition quickly. Not unlike most proposed privacy legislation, it has been met with dissent and opposition and will have to make its way through the courts of India before becoming law.


All Posts

Did Mactaggart fail to submit signatures for the CPRA?

Did Mactaggart fail to submit signatures in time for the California Privacy Rights Act (“CPRA”) to be on the ballot for the November 3rd election? It is very possible he did.

California law requires a proposed initiative to be certified for the ballot by the Secretary of State at least 131 days before the next general election at which it is to be submitted to the voters, in this case, the November 3, 2020 election. That means that the CPRA must be issued a certificate of qualification for the ballot by June 25, 2020. Any proposed initiative that is not certified on or before that date will not be placed on the ballot.  Because of this hard deadline, initiative proponents like Mr. Mactaggart are advised to provide themselves with sufficient time to complete the necessary requirements to be on the ballot. This includes factoring in the time it takes for government officials to perform the required tasks of counting and verifying petition signatures.  

Mr. Mactaggart’s proposal was behind the recommended schedule from the beginning. For the November 3rd general election, the California Secretary of State suggested submitting proposed initiatives no later than August 20, 2019.  Mr. Mactaggart submitted his proposed initiative, the CPRA, on October 9, 2019.  Because of this, the timeline to complete the required process qualification became extremely condensed. Once submitted, proposed initiatives must undergo a 30-day public review process and a the Department of Finance and the Legislative Analyst prepares a fiscal estimate or opinion of the proposed initiative. Only after this process is completed does the Attorney General’s office prepare the Official Summary of the proposed initiative. The date the copy of the Official Summary is delivered or mailed to the proponent(s) is the “Official Summary Date.” No petition may be circulated for signatures from the public prior to the official summary date and proponents are allowed a maximum of 180 days from the Official Summary Date to collect signatures and file the petitions with county election officials. The Official Summary Date for the CPRA is December 17, 2019.  Therefore, Mr. Mactaggart is permitted to submit petitions for verification until June 15, 2020.  On a Twitter post dated May 4, 2020, the Californians for Consumer Privacy, Mr. Mactaggart’s organization, stated that it had submitted over 900,000 petition signatures to the county election officials to qualify for the November ballot.  Obviously, this is well within the 180-day deadline mandated by law. 

However, submitting the required signatures before the 180-day deadline does not mean that the CPRA will be on the November ballot.  County election officials must still count and verify the signatures submitted for the petition before the June 25th deadline.  The Election Code requires election officials to determine the raw number of signatures on the petition submitted in their county and report the total to the Secretary of State within eight working days from the date of the submission.  Assuming county election officials take all eight working days starting from May 4th, their report would not reach the Secretary of State until May 14th.  Once the report is received by the Secretary of State, he must determine whether the raw count of signatures on the submitted petitions meets the 623,212 signature requirement to be eligible for the ballot.  If the raw count is fewer than 623,212, the ballot initiative will have failed.  If the raw count equals 100 percent or more of 623,212 signatures needed, the Secretary will immediately notify the county elections officials that a random sample will be necessary to verify the signatures.  If a random sample is necessary, county elections officials will verify the validity of the signatures filed with their office using a random sampling technique of verification. 

This random sampling signature verification process must be completed within 30 working days of receipt of the Secretary of State’s random sample notification. Elections official are required to verify at least 500 signatures or three percent of the number of signatures filed in their county, whichever is greater. Counties receiving less than 500 petition signatures are required to verify all the signatures filed in their county. Upon completion of a random sample, the county elections officials will immediately certify to the Secretary of State the number of valid signatures appearing on the petitions that were filed in their counties. (Elections Code § 9030(e).) The Secretary of State then applies a formula to determine the projected statewide total of valid signatures. Assuming the county election officials take the maximum 30 days to complete this process starting on May 14th, verification of the validity of the signatures would not reach the Secretary of State until June 26th, one day after the deadline for the certification to be on the November 3rd ballot. To get an idea of how long it takes some county election officials to complete the random sample verification process, of the 58 counties who received random notices for another ballot initiative on April 16th, 35 of them have yet to complete the random sample verification 13 working days later.  Moreover, the largest counties with the largest number of signatures to verify, including Los Angeles, Orange, and San Diego, and San Bernardino, have yet to complete the verification process.

Even if the county election officials do not take the maximum 30 days to complete the signature verification, the CPRA is not home free.  Depending on the outcome of the signature verification, one of the following scenarios will occur:

  • If the result of the random sample indicates that the number of valid signatures is less than 95 percent of the required number of signatures to qualify, the proposed initiative fails to qualify.
  • If the total number of signatures is greater than 110 percent of the required number of signatures, the Secretary of State will be able to certify that the initiative measure is eligible for the next statewide general election held at least 131 days later.
  • If the result of the random sample indicates that the number of valid signatures represents between 95 percent and 110 percent of the required number of signatures to qualify the initiative measure for the ballot, the Secretary of State directs the county elections officials to verify every signature on the petition. This process is referred to as a “full check” and must be completed within 30 days from the receipt of the Secretary of State’s full check notification.

Given these scenarios, the only probable way the CPRA qualifies for the November 3rd ballot is if the county election officials conduct the raw count and verification process before the deadlines to complete those processes and the random sampling indicates that the number of valid signatures is greater than 110 percent of the 323,212 signatures needed.  Absent those circumstances, it is unlikely the CPRA qualifies for the November 3rd ballot.

Michael Hellbusch
About Michael Hellbusch
Mike Hellbusch, Partner at Rutan & Tucker, counsels companies on privacy and data security matters. He also advises on and regularly drafts technology contracts and policies. He is co-chair of the Orange County Chapter for the IAPP.
Recent Posts

India's Joint Parliamentary Committee Announces Recommended Changes to Privacy Bill

Last month, the Indian Joint Parliamentary Committee submitted its report on the 2019 Personal Data Protection Bill after two years of consideration, ...

Log4J Vulnerability Update

At Truyo we take data privacy and security very seriously. Recently a security vulnerability was reported in the open-source Java library “Log4J” that...

Forrester Wave Announcement: Truyo Named Strong Performer

Report notes Truyo’s “management and fulfillment of individual privacy rights capabilities are some of the best in the market ” PHOENIX (Dec. 09, 2021...

Human Error: The Pitfalls of Manual SAR Response

In the age of information, organizations have increased the amount of consumer data housed in structured and unstructured environments. As consumers b...