The central government should have absolute power over the Data Protection Authority (DPA) and be able to exempt any government body from the provisions of the bill citing ‘just, fair, reasonable and proportionate procedure’, the Joint Parliamentary Committee on the Personal Data Protection Bill 2021 has recommended in its report.
The committee has made significant changes to the 2019 draft, expanding the government’s power over the DPA and implementing light-touch limitations on their ability to exempt government agencies from the bill.
The government’s ability to access personal data of citizens can threaten citizens’ right to privacy if not regulated carefully. The independence of the DPA might also be critical to protecting the rights of individuals. Here are the stances the bill takes on these issues.
What powers will the central government have under the bill?
DPA power: The central government has been given absolute power to direct the DPA in all matters.
- Earlier draft: The Authority was bound by the central government’s directions specifically ‘on questions of policy’. The draft did mention, however, that the central government’s decision on all questions, whether of policy or not, will be final.
- Reason for the change: The Committee said that the Authority should be bound by the directions of the central government under all cases and not just on questions of policy.
Exemptions for government bodies: The central government will have the authority to exempt any agency of the government from the provisions of the act, subject to just, fair, reasonable and proportionate procedure.
- Earlier version: The earlier draft gave the central government the power to grant exemptions without qualifying that the procedure for granting exemptions must be just, fair, reasonable and proportionate.
- Reason for the change: The Committee is concerned about the possible misuse of the provisions if the privacy rights of the individual have to be subsumed for the protection of the larger interests of the State. With the qualification, the committee aims to “strike a balance between Article 19 of the Constitution, Puttaswamy judgment and individual rights with respect to privacy.”
How will offences by government bodies be penalised?
Body to be held liable: Particular ‘government data fiduciaries’ will be held liable for offences under the provisions of the act, instead of state departments or ministries.
- Earlier draft: The earlier draft placed the liability directly on the ‘department or authority or body of the State’ which committed the offence.
- Reason for the change: “The Committee express their concern with respect to the capacity of Government departments to protect the large volume of data that they collect,” the JPC report said explaining the reason for the change.
Personnel to be held liable: In case a government body commits an offence under the act, the head of office must conduct an in-house enquiry, and the person deemed responsible for the offence will be punished accordingly.
- Earlier Draft: The head of the government body was held personally liable for offences, unless they were able to prove that the offence occurred without their knowledge.
- Reason for the change: The committee said that holding the head of department responsible for offences under the PDP Act may impede the decision making process in the department create multiple hurdles in the everyday functioning of the department.
Key concerns around powers of the government
Through previous iterations of the Personal Data Protection Bill, various stakeholders have expressed concerns regarding government access to data:
- Law enforcement agencies can be exempt: “In terms of application of the Bill, it means that an agency like the Delhi Police can be exempted from all provisions of the Bill, citing security of the State or public order,” a speaker said addressing the previous version of the bill at a MediaNama event.
- Adequacy with the EU: Insufficient safeguards against government access to data might make it harder for India to achieve adequacy with the EU, European Commission Deputy Head of International Data Flows & Protection Ralf Sauer indicated at PrivacyNama 2021:
“We had some question marks on some of the grounds for processing for public authorities, and whether they were always sufficiently framed. The corollary to this is that there was a clause at some point that allowed for broad exceptions from the data protection rules which put a shadow over the law,” Sauer said.
Subscribe to MediaNama to get access to our ongoing coverage of the bill. Here is everything we have planned around the report: