A parliamentary committee should have been given oversight over exemptions given to government bodies, MP Gaurav Gogoi said in his dissent note on the Data Protection Bill 2021. He also highlighted issues in the report related to non-personal data and the appointment of the Data Protection Authority.
The Joint Parliamentary Committee (JPC) report, which was recently tabled in Parliament, could significantly shape the final iteration of India’s Data Protection Act. Dissent notes from JPC members, however, highlight areas where it may have failed to be effective.
On government access to data
The committee’s report adds that the Union Government has the power to exempt any government agency from all or any of the provisions of the Data Protection Act under ‘just, fair, reasonable and proportionate procedure.’
Recommendation: Provisions related to prohibition on processing data, purpose of processing data, limitation on collection, retention and security safeguards for data should also be applied to State agencies, Gogoi recommends. There should be oversight by the parliament or a committee of the parliament on such exemptions and the agencies exempted.
Reasons for recommendation: According to him, there should be higher standards of data protection in such cases, and inspiration can be taken from the United Kingdom’s General Data Protection Act, where the principles of lawfulness and fairness, adequacy and limitation, accuracy and retention have been applied to law enforcement agencies. On parliamentary oversight, Gogoi refers to practices in the UK and Germany, where such agencies are subject to oversight by parliamentary committees.
- UK: In case of the UK, the Intelligence and Security Committee of the Parliament has oversight over expenditure, administration, policy and operations of the security of intelligence agencies and holds evidence sessions with Ministers and senior officials of intelligence agencies, Gogoi pointed out.
- Germany: In case of Germany, the Parliamentary Oversight Panel monitors the Federal Intelligence Service, the Military Intelligence Service and the Federal Office for the Protection of the Federal Government, Gogoi highlighted in his note. They also need to be informed of their general activities and important events ‘with a view to protect the rights of third parties’.
Other objections related to government access
- The exemption provided to the State under Clause 35 and the inclusion of an expectation of surveillance in the definition of harm leave citizens with no recourse in case of unlawful use or misuse of surveillance mechanisms.
- Terms like ‘public safety’, ‘sovereignty of state’, etc. have unclear legal interpretation.
- Concepts like Necessity and Proportionality, which were laid down as principles in the 2017 Right to Privacy judgement, should have been fine-tuned by the committee and employed in the legislation.
- The committee should also have deliberated more on parliamentary and judicial oversight over surveillance mechanisms, Gogoi says, referring to the ongoing hearing into Pegasus.
Issues related to non-personal data regulation
In its report, the JPC has recommended that non-personal data be included within the ambit of the Data Protection Bill 2021. Gogoi takes issue with this recommendation:
“To include personal data without going through comprehensive consultation and deliberation, as was done for personal data, would lead to a process that fails to acknowledge the nuances of non-personal data regulation,” Gogoi says.
The inclusion of Non-Personal Data (NPD) in the bill will be counterproductive, as the bill has reached a ‘delicate’ consensus related to various provisions on governing personal data through extensive consultation, Gogoi said in his dissent note. Here are key points he made on NPD:
- Definition of NPD and other provisions: Gogoi raises concerns with the definition of NPD, provisions related to data breaches, and mandatory sharing. According to him, the current definition of non-personal data in the bill is ‘exclusionary’ and ignores its multi-faceted nature. The ‘last-minute’ inclusion of non-personal data under data breaches and the mandating of NPD sharing are concerning, he says.
- Impact on Artificial Intelligence/Machine Learning development: Gogoi says that NPD is also used by organisations to train algorithms, which raises concerns about mechanisms for anonymisation and algorithmic accountability while ensuring business confidentiality of the data. According to him, advancements in computing could make it possible to balance these considerations; however, imposing such policies without carefully considering society and markets could impede Indian innovation in AI and ML.
- Ask for an extension: Recommending that consultations be undertaken on the inclusion of non-personal data in the bill, Gogoi asks that the committee request Parliament for an extension. He also mentioned that they should study and discuss the report of the Kris Gopalakrishnan committee, set up by the government in 2019 to study non-personal data regulation.
On the structure of the Data Protection Authority
Chapter 9 of the Data Protection Bill lays down provisions for the creation of a single data protection authority. It also says that:
- It will have a seal.
- It can hold, acquire, and dispose of property.
- It can sue or be sued.
- It will be created by a notification of the government.
Recommendation: An institutional design that allows for zonal or state offices could be more effective, according to Gogoi.
Reason for recommendation: Given the nature and size of India’s demographic and the scale of work assigned to the DPA, the centralised structure envisioned for the DPA may be rendered ineffective. Gogoi refers to the implementation of the GDPR in Europe, where, despite multiple authorities, the barrage of responsibilities and data breaches felt overburdening.
On the powers of the DPA
Powers accorded to the DPA under the report are:
- Appointing any agency authorised by the Central government to monitor, test, and certify hardware and software of computing devices to prevent breaches.
- Monitoring and enforcing provisions of the Act “and the rules and regulations made thereunder”
- Taking prompt action in response to a data breach
- Maintaining a database of fiduciaries in the form of a data trust score indicating compliance with the law
- Examine data audit reports
- Classify data fiduciaries
- Monitor cross-border transfer of personal data
- Specify codes of practice
- Promote awareness and understanding of risks, rules, safeguards, and rights in respect of personal data
- Promote research in the field of data protection
- Advise Union government, state governments, and any other authority on measures to be taken to promote the protection of personal data
- Specify fees and other charges for carrying out the various provisions of this Act
- Receive and inquire into complaints
Recommendation: The DPA should be given more powers and functions.
Reason for recommendations: Gogoi points to two specific instances in the JPC report where the DPA’s power has been shifted to the central government in the current bill. These are about notifying categories of sensitive and personal data and power to decide on penalties. According to him, the report has significantly diluted the DPA’s powers even in comparison to the 2018 version of the bill and is silent on the need for the DPA’s independence and autonomy.
On DPA’s creating codes of practice
The DPA has been given powers to create ‘codes of practice’ to promote good practices of data protection and facilitate compliance with the Act. These are in areas like obtaining consent, retaining data, ensuring quality of data, transfer of data, security safeguards, etc. Apart from creating them, it can also approve such codes submitted by sectoral regulators, ministries, industry associations, trade associations, etc. Further, these will also be specified transparently, and in compliance with the provisions related to rights of data principals and obligations of data fiduciaries.
Recommendations: Transparency from the DPA, including ensuring public consultation on the implementation of the Data Protection Bill, should have been emphasised in the report, according to Gogoi.
Reason for recommendation: It is important to ensure that the DPA’s codes develop in line with international best practices, and the importance of building its capacity is sufficiently highlighted.
On appointments to the DPA
The DPA shall consist of a chairperson and not more than six members, one of whom shall be qualified as “an expert in the area of law”, the draft said. They will be appointed by a selection committee comprising:
- Cabinet secretary as the Chairperson of the Selection Committee
- Secretary in the Ministry or Department dealing with Legal Affairs as a member
- Secretary in MeitY will be another member
- Attorney General of India will be a member too
- An independent expert will be nominated by the Union government from fields of data protection or Information Technology as a member
- Director of any Indian Institute of Technology (IIT) will be nominated by the government as a member
- Director of any Indian Institute of Management (IIM) will be nominated by the government as a member
The draft also said that the chairperson and members of the Authority should have experience of 10 years or more in the fields of data science, data security, cyber and internet laws, public administration, national security, or related subjects.
Recommendation: A member or a committee of Parliament should be a part of the selection process of the Selection committee members.
Reasons for recommendation: The selection process of the committee is executive driven, according to Gogoi. The inclusion of a member of parliament will enhance the independence of the DPA.
Objection related to co-ordination by the DPA
The authority can also enter into Memorandums of Understanding in case an action it proposes to take needs the participation of another authority with jurisdiction in the matter. However, Gogoi says the procedure on how the DPA will coordinate with other regulatory bodies has not been spelt out in the bill.
On allowing government to process data without consent
Data processing and collection is allowed even without consent for providing government services, maintaining public order, safety, etc. under Section 12 of the Data Protection Bill 2021.
Recommendation: A timeline and a roadmap for implementation should have been given to Government agencies to comply with the Data protection bill, instead of giving exemptions, Gogoi wrote in his dissent note.
Reason for recommendation: According to Gogoi, the government can set up mechanisms to effectively collect consent, as the Ministry of Electronics and Information Technology has designed a consent manager framework. Further, Gogoi says that under the Pradhan Mantri Awas Yojana (PMAY), the government collects data like name, gender, date of birth, caste category number, ration card number, etc., along with an undertaking that the individual wants to get their house constructed under the scheme. According to Gogoi, a similar undertaking can be taken by the government in terms of data collection, its purposes and limitations.
“A user-friendly process such as this may also encourage and promote an understanding among our populace about data rights,” Gogoi said.
He also expressed the concern that clause 12 could be interpreted in an expansive manner, allowing almost all government agencies to be exempt, and that parliamentary oversight could prevent misuse. Lastly, he also pointed out that the clause was against the right to privacy.