In his dissent note on the Joint Parliamentary Committee (JPC) report on the Data Protection Bill, Lok Sabha MP Ritesh Pandey objected to the high age of consent, the composition of the Selection Committee tasked with appointing members of the Data Protection Authority, and the power of the government to exempt any of its agencies from the Bill.
“I am in complete agreement with the recommendations of this Committee, barring [these] three sections,” Pandey said.
The landmark JPC report along with Data Protection Bill 2021 was tabled in both houses of the Parliament on December 16 after two years of deliberations, bringing us one step closer to India’s first data protection law.
Age of consent too high, not in the best interest of children
Section 3(8) of the Bill defines a “child” as a person who has not completed eighteen years of age. Data fiduciaries processing children’s data have a different set of obligations to follow including getting consent from a parent or guardian before processing the child’s data.
- Proposed amendment: Pandey has recommended bringing down the age of consent to fourteen years.
- Rationale: Pandey argued that the current definition “does not stand with the principle of the best interest of a child in the digital age.”
“Although protecting children’s privacy and welfare is a vital concern of the Bill, the definition of a child should be anyone under the age of 14, so as to allow young users to benefit from innovative technologies without the onus of obtaining consent from their parent/guardian. This amendment also takes into account the social barriers that young women face in accessing the internet, particularly in rural India.” — MP Ritesh Pandey
Government power to exempt any of its agencies must be based on the principle of necessity and proportionality
According to Section 35, the Central Government has the power to exempt any government agency from all or any of the provisions of the Data Protection Act for various reasons.
- Proposed amendment: Pandey has recommended that any exemption should be granted based on the principle of necessity and proportionality and under no circumstances should any government agency be exempted from sections 5 and 24. Section 5 lays down that personal data must be processed in a fair and reasonable manner and ensure the privacy of the data principal and for the purposes that the data principal consented to, while section 24 deals with security safeguards such as encryption and measures to prevent unauthorised access.
- Rationale: Pandey wrote that Section 35 “gives broad-reaching and unfettered power to the central government” and referred to the Personal Data Protection Bill, 2018 (“the Srikrishna Bill”), which allowed government access to personal data for security purposes based on principles of necessity and proportionality and upon due authorisation under law.
“Section 35 of the current bill effectively enhances existing surveillance powers of the government without the limitations built in Section 5 and guaranteeing best practices of security under Section 24. Therefore, granting access to personal data to the Central Government, without appropriate safeguards and judicial oversight is against established constitutional principles and should not form part of the Bill.” — MP Ritesh Pandey
Selection Committee for DPA members must be impartial and independent
According to Section 42 of the Bill, the Chairperson and the Members of the Data Protection Authority will be appointed by the Central Government on the recommendation made by a Selection Committee. The Selection Committee will be constituted by:
- The Cabinet Secretary, who shall be Chairperson of the Selection Committee
- The Attorney General of India
- The Secretary to the Government of India in the Ministry or Department dealing with the Legal Affairs
- The Secretary to the Government of India in the Ministry or Department dealing with Electronics and Information Technology
- An independent expert to be nominated by the Central Government from the fields of data protection, information technology, data management, data science, data security, cyber and internet laws, public administration or related subjects
- A Director of any of the Indian Institutes of Technology to be nominated by the Central Government
- A Director of any of the Indian Institutes of Management to be nominated by the Central Government
- Proposed amendment: Ritesh Pandey has suggested that the Selection Committee must also include a Supreme Court judge appointed by the Chief Justice of India and that the Committee must have a flat hierarchical structure i.e. each member has an equal vote and equal power within the committee. Furthermore, the industry expert and academic experts must be confirmed by Parliament, Pandey said.
“The J, Srikrishna Committee Report emphasized that the independence of the DPA is of paramount importance to the welfare of data principals and the growth of India’s technology industry. Therefore, it is vital to ensure that the members of the DPA are impartial and independent of outside influence from any party including the central government.” — MP Ritesh Pandey