wordpress blog stats
Connect with us

Hi, what are you looking for?

Data Protection Bill 2021: How India’s data protection authority will be set up and work

Here’s a detailed look at the various functions of the country’s proposed Data Protection Authority. 

The Data Protection Bill, 2021 presented by the Joint Parliamentary Committee (JPC) has proposed a government-established, singular data protection authority (DPA) that will look into breaches of both personal and non-personal data, ensure compliance of significant data fiduciaries to the provisions of the bill, and so on.

Establishment of Data Protection Authority (DPA) (Clause 41)

The draft Bill said that a DPA will be established by the Union government by notification, having perpetual succession, common seal with power to acquire, hold and dispose of property and to sue or be sued.

Earlier draft: Same as current Bill.

Powers of Data Protection Authority (Clause 49)

The current draft includes a new power of the data protection authority to appoint any agency authorised by the Central government to monitor, test, and certify hardware and software of computing devices to “prevent any interdiction or seeding that may cause personal data breach”.

The draft also said that if the Data Protection Authority processes any “personal data” then the authority will be treated as data fiduciary or a data processor. If the authority comes across any confidential data, then the current draft dictates that it will not be allowed to disclose that information unless required under any ” law for the time being in force to do so”.

Advertisement. Scroll to continue reading.

Other powers include —

  • Monitoring, enforcing a provision of the act “and the rules and regulations made thereunder”
  • Taking prompt action in response to a data breach
  • Maintaining a database of fiduciaries in the form of a data trust score indicating compliance with the law
  • Examine data audit reports
  • Classify data fiduciaries
  • Monitor cross-border transfer of personal data
  • Specify codes of practice
  • Promote awareness and understanding risks, rules, safeguards, and rights in respect of personal data
  • Promote research in the field of data protection
  • Advise Union government, state governments, and any other authority on measures to be taken to promote the protection of personal data
  • Specify fees and other charges for carrying out the various provisions of this Act
  • Receive and inquire complaints

Earlier draft: The previous draft did not have the provision to appoint a central government agency for checking hardware and software. It separately lays down the point that the authority will be responsible for enforcing “rules and regulations” made under the act and not just the act alone. The earlier draft also specifically talked about taking action against breach of “personal data”. In the current draft, the word “personal” has been removed.

Reason for change: During the deliberation on Clause 49, the Committee raised the concern about hardware integrity which is essential for privacy. The Committee termed hardware attacks as “graver than software-based incidents” as it is more difficult to pull off but more “devastating due to their rarity and lack of regulation for it.

It also took cognisance of a submission made by MeitY during a meeting held on December 28. The submission said, “Any product that is being sold in India from anywhere in the world, including the Indian manufacturers as well, has to go through the entire process of evaluation, which is at different levels – EAL1 through EAL7. They have to get their products tested and certified at the product level.”

The committee justified the removal of “personal” from “data” in context to the DPA and data breaches by saying, “The Committee feels that since the ambit of the Act has been widened to include regulating of non-personal data also, the powers of the Authority to take action in the event of non personal data breach should also be enlarged. The Committee, accordingly, recommended that the word “personal” may be deleted from Clause 49 (2) (b).

Composition and qualifications for appointment of Chairperson and Members (Clause 42)

The DPA shall consist of a chairperson, not more than six members, one of whom shall be qualified “‘an expert in the area of law”, the draft said. They will be appointed by a selection committee comprising —

  • Cabinet secretary as the Chairperson of the Selection Committee
  • Secretary in the Ministry of Department dealing with Legal Affairs as a member
  • Secretary in MeitY will be another member
  • Attorney General of India will be a member too
  • An independent expert will be nominated by the Union government from fields of data protection or Information Technology as a member
  • Director of any Indian Institute of Technology (IIT) will be nominated by the government as a member
  • Director of any Indian Institute of Management (IIM) will be nominated by the government as a member

The draft also said that the chairperson and members of the Authority should have experience of 10 years or more in the fields of data science, data security, cyber and internet laws, public administration, national security, or related subjects.

Earlier draft: The 2019 draft of the bill did not have provisions to appoint the Attorney General of India, an independent expert, Director of any IIT or IIM as members of the selection committee of the DPA.

Advertisement. Scroll to continue reading.

Reason for change: The inclusion of technical, legal, and academic experts in the selection committee of the DPA, was to make the authority more “inclusive, robust and independent,” the committee reasoned.

Terms and conditions of appointment (Clause 43)

Chairperson and members will be appointed for a term of five years or till they attain the age of 65 years, whichever is earlier. They shall not be eligible for re-appointment. The members and chairperson, during their term and for a period of two years after their terms complete should not accept —

  • Employment either with Union government or State government
  • Appointment with a significant data fiduciary

The draft also said that a chairperson or member may —

  • Relinquish his office by giving in writing to the Union government and serving a notice period of three months
  • Be removed from his office in accordance with the Act

Earlier draft: Same as current Bill.

Removal of Chairperson and other members (Clause 44)

The Union government may remove the chairperson or any member of the DPA who —

  • Has been judged insolvent
  • Has become physically or “mentally incapable” of acting as Chairperson or member
  • Has been convicted of an offense
  • Has acquired financial or other interest that may be a conflict of interest

Earlier draft: Same as current Bill.

Powers of chairpersons (Clause 45)

The chairperson can supervise, direct “in the conduct of the affairs” of the authority and apart from “presiding over meetings of the authority”, “do all acts and things which may be exercised or done by the Authority under this Act”.

Earlier draft: The previous draft does not mention that the chairperson will have superintendence and direction of the “conduct” of the authority and that he or she will also “preside over meetings of the authority”.

Reason for change: In its report, the committee said that during their deliberations it observed that Clause 45 of the previous draft did not specifically mention that a chairperson can preside over meetings of a data protection authority. The report also read, “The committee also recommends that the words ‘in the conduct’ may be added before ‘of the affairs’ to qualify the powers of the Chairperson.”

Advertisement. Scroll to continue reading.

Meetings of Authority ( Clause 46)

The current draft has stated that —

  • Chairperson and members shall meet and observe rules mentioned in the act
  • If the chairperson is unable to attend then any members chosen by members can preside over the meeting
  • All questions which come up during the meeting shall be decided by votes of the members. If there are an equal number of votes cast, then the chairperson will cast the deciding vote. If the chairperson is absent, then the member presiding will do the same.
  • If a member has any pecuniary interest in a matter that may come up during the meeting, then the member will disclose the nature of the interest, and he or she will not take part in the deliberations

Earlier draft: Same as current Bill.

Vacancies in DPA cannot invalidate proceedings (Clause 47)

DPA proceedings cannot be rendered “invalid” because of vacancies or defects in the authority; defect in the appointment of the chairperson; irregularity in the procedure of authority that does affect the merits of the case.

Earlier draft: Same as current Bill.

Codes of Practice (Clause 50)

This provision pertains to ‘codes of practice’ to promote good practices of data protection and facilitate compliance with the obligations under this Act, such as—

  • Requirements for notice under Section 7 including any model forms or guidance relating to notice
  • Measures for ensuring the quality of personal data processed
  • Measures pertaining to retention of personal data
  • Measures for obtaining valid consent
  • Measures for processing personal data
  • Activities where data can be processed
  • Processing of sensitive personal data
  • Requirements for processing personal data of children
  • Exercise any right by data principals under Chapter V of the Act
  • Standards and means by which a data principal can port his or her data
  • Transparency and accountability measures
  • Standards for security safeguards to be maintained by data fiduciaries
  • Methods of erasure of personal data
  • Methods of de-identification and anonymisation
  • Appropriate action to be taken by DPA in response to a breach of personal data
  • Transfer of personal data outside India

One of the provisions under this clause is that the DPA can approve any code of practice submitted by —

  • Associations representing: Technical services organisations, (***) industry or trade (***), (***) the interest of data principals
  • Any sectoral regulator or statutory authority
  • Any Departments or Ministries of the Central Government or State government

The clause also said that —

  • The authority shall ensure transparency and compliance with obligations of data fiduciary and rights of data principal under this Act while specifying any code of practice.
  • A code of practice should not be issued until consultations have been carried out with regulators and stakeholders

Earlier draft: It did not specify the codes and practices proposed by technical services organisations that can be approved by the DPA.

Reason for change: The Committee took note of a suggestion received from a stakeholder which said that the Authority should not specify technical standards to ensure coherence of data protection but empower technical services organisations to do the same. “The Committee, therefore, recommends that Clause 50(2) should also include an association representing technical services organisations, in addition to associations related to industry, trade and those representing interest of data principals,” the report said.

Power of DPA to issue directions (Clause 51)

These are the following powers of a DPA in context to issuing directions —

Advertisement. Scroll to continue reading.
  • The DPA can issue directions from time to time and data fiduciaries and processors will be bound to comply with such directions.
  • Authority may modify, suspend, withdraw, cancel any direction issued.

Earlier draft: Same as current Bill.

Powers of DPA to call for information (Clause 52)

The DPA may ask a data fiduciary or a processor to provide information as required under the Act. It can also specify the manner in which the fiduciary or the processor will have to provide the information.

Earlier draft: Same as current Bill.

Power of DPA to conduct an inquiry (Clause 53)

The DPA on its own complaint received may inquire —

  • The activities of a data fiduciary or processor which are “detrimental” to data principals
  • Any data fiduciary or processor who has violated the provisions of the Act

It can also by an order in writing appoint one of its officers as Inquiry Officer to look into the matters of a data fiduciary or processor. The order has to specify the reasons for the inquiry such as “scope of inquiry”. The Inquiry Officer can take the help of another person for the same.

A data fiduciary or data processor who is being investigated by an Inquiry Officer is required to produce before the official all books, registers, documents, records, and so on, relating to the affairs of the data fiduciary as the Officer may require.

Under the Code of Civil Procedure 1908, an inquiry officer can keep in their custody or summon any data, books, registers, documents, records, or any other data for six months. After that, it should be returned. Approval has to be taken for extending the custody for another three months from the Authority.

Earlier draft: The previous version did not say that the inquiry officer before taking up an investigation has to mention the “scope of the inquiry” to the party. In the current it also specified that the inquiry officer can inspect “data”. It was not mentioned earlier.

Advertisement. Scroll to continue reading.

Reason for change: No reason was provided.

Action to be taken by authority pursuant to an inquiry (Clause 54)

On receipt of an inquiry report, the data protection authority can —

  • Direct data fiduciaries or data processors to cease and desist from committing or causing and violation of the act
  • Direct such actors to modify its business activity, or,
  • Direct fiduciaries or data processors to take up any action arising as a result of the enquiry report
  • Issue warnings to data fiduciaries
  • Suspend, cancel any registration granted to a significant data fiduciary by the authority
  • Suspend cross-border transfer of personal data

Earlier draft: In the 2019 draft, fiduciaries were “required” to cease or desist from causing any violation; to modify business or activities, and so on, in contrast to the now, “direct”. In terms of cross-border data transfer, the previous draft had used the term “cross-border data flow”.

Reason for change: No reasons were provided.

Search and seizure (Clause 55)

If the Inquiry Officer believes that any documents or data are likely to be tampered with or destroyed, then he/she can, after taking permission from the authority, make an application to a court for an order for the seizure of the said documents, data, etc. The officer can take assistance from the police for this. After hearing the matter, the court may authorise the officer to —

  • Enter the property where such data are kept
  • Search that property
  • Seize books, registers, documents, and records it considers necessary for the purposes of the inquiry

The officer can keep the seized property in his or her possession until the conclusion of the inquiry. Every search or seizure will have to be carried out in accordance with provisions of CrPC.

Earlier draft: The provision to take permission of the authority for approaching a court for a seizure order was not present in the earlier draft. The current one also, like the previous clauses, separately specifies “data” as one of the key information for which the inquiry officer is responsible.

Reason for change: The Committee observed that the 2019 draft Clause 55(1) enabled the Inquiry Officer to make an application to a designated court for an order for the seizure of such books, registers, documents and records, and so on. “However, the Committee feels that there should be a safeguard mechanism in the form of a prior approval from DPA to strengthen the Inquiry Officer when he renders his duties in this regard,” the report said.

Advertisement. Scroll to continue reading.

Coordination between authority and other regulators or authorities (Clause 56)

This clause states that if any proposed action by the DPA may require the participation of another regulatory authority having concurrent jurisdiction of the subject, then the DPA should consult or enter into an MoU with the other authority before taking the decision.The  MoU would govern the “coordination of such actions including economic activities”, the draft read.

Earlier draft: The earlier draft did not specify that the “coordination” arising out of a possible MoU between the DPA and a regulatory authority would include the ambit of undertaking “economic activities”.

Reason for change: The Committee said that a proposed MoU between a DPA and regulatory authority may require consultation with economic regulators such as the Reserve Bank of India. “Therefore in order to increase the scope of the word “action” and for the sake of clarity, the committee desires that there words ‘including economic activities’ might be inserted at the end of the clause,” the report read.

Some key issues pertaining to Data Protection Authorities

  • What about State Data Protection Authorities? Audience members at a MediaNama event had pointed out that the constitution of a single, central data protection authority and not providing any provisions for state-level data protection authorities, is problematic. Although the comment was made with the 2019 draft of the bill in context, it holds true for the current draft too.
  • Priorities: Speakers at a MediaNama event pointed out that a DPA has an adjudicatory function, a legislative function (drafting the regulations), an executive function (enforcing the regulations), and an advisory function (making recommendations to the government). It will have to prioritise what it wants to do immediately, what it should take up later.
  • Friction with other regulators:  When one or two government institutions have similar rules or their functioning clashes with each other, it often turns into a powerplay issue. This is not uncommon in governments and as former Executive Director of Ghana’s Data Protection Commission Teri Akuetteh Falconer pointed out at PrivacyNama 2021, it could have very well been possible during her stint in Ghana’s data protection commission if the right appointments had not been made at the beginning.

What makes a Data Protection Authority effective? 

  • Right leadership: Falconer said that it was important to have the right person at the top because a data protection authority would essentially be a new institution and very few people would be familiar with it.
  • Ample resources: Falconer recounted how it took more than three years since 2012 before Ghana’s DPA got the first approval to hire permanent staff for the institution. This was mostly because there was not enough financial backing for the institution back then.
  • Publicity: Marit Hansen, State Data Protection Commissioner of Land Schleswig-Holstein, said that a data protection authority has to make their work visible in the public eye, to build more awareness, etc.

What about the relationship between a DPA and a data protection officer?

During PrivacyNama, Justin Weiss, the Global Head of Data Privacy at Naspers Group described the relation between a CPO and DPA as that of an economy of scale, wherein there is a distributed model for dealing with complaints. “Only those complaints that lead to an escalation, or a conflict or something that can’t be resolved, get referred to the real data protection authority in the government. So that’s that part of the model,” Weiss said.

Chief Privacy Officer at Match Group Idriss Kechida said that the economy of scale model that is in place for handling privacy complaints in countries with data protection laws, and other relevant structures, should not be seen as a way of data protection authorities ‘trying to shift the burden’ of handling complaints on chief privacy officer.

Get our white paper on the Data Protection Bill 2021 in your inbox

We may also reach out occasionally with our coverage of the Data Protection Bill and more.
Name(Required)
By filling out this form, you agree to receive a copy of MediaNama's white paper and further information about MediaNama's work and services.

Subscribe to MediaNama to get access to our ongoing coverage of the bill. Here is everything we have planned around the report:

 

Advertisement. Scroll to continue reading.

Written By

Among other subjects, I cover the increasing usage of emerging technologies, especially for surveillance in India

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.

Views

News

Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.

News

The accession to the Convention brings many advantages, but it could complicate the Brazilian stance at the BRICS and UN levels.

News

In light of the state's emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?

News

The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.

News

The latest draft is also problematic for companies or service providers that have nothing to with children's data.

You May Also Like

News

Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...

Advert

135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...

News

Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

News

By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Name:*
Your email address:*
*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ