The Union government must set up data protection authorities at the state and national level, and provide adjudicatory powers to these authorities, Rajya Sabha MP Dr. Amar Patnaik has suggested in his dissent note carried in the Joint Parliamentary Committee (JPC) report on the Data Protection Bill, 2021.
“A state-level data protection authority would be ideally positioned and suited to handle events relating to consent and data breaches occurring in the geographical area,” Dr. Patnaik said.
The JPC report along with the Data Protection Bill, 2021 was tabled in both houses of the Parliament on December 16, after two years of deliberations. The dissent notes from committee members give a view of what the current draft of the bill fails to take into account.
Constitute Data Protection Authority at the state level
Patnaik recommended a two-tier structure for data protection authorities at the national and the state level as a constitutional and administrative imperative. He cited Indian laws like the Right to Information Act and Consumer Protection Act as precedents, and suggested drawing elements from the German and European frameworks.
- Reason for recommendation: The dissent note reasoned that the bill in its current form puts a strain on federalism and will create problems in implementation.
“Nothing was done to change the design and architecture of the Bill until its final adoption on 22.11.2021 even though I had made repeated observations regarding setting up of state-level Data Protection Authorities from a point of view of constitutional, legal, administrative and jurisdictional balance between the Centre and the State in the true spirit of federalism,” Dr. Patnaik said.
Establish Constitutional Data Protection Commission
Dr. Patnaik recommended an overarching, independent data protection authority to regulate the Union government and its departments, one of the largest data fiduciaries.
- Reason for recommendation: “A data protection authority controlled by the central government will exercise control over state government functions under List II of the Seventh Schedule of the Constitution of India, 1950, such as health, education, public order etc. This will raise issues of conflict in the principle of federalism,” Dr. Patnaik explained. He further wrote that the separation will ensure structural, fiscal, and functional autonomy and protect the commission from adverse changes to tenure, composition, salary, and appointment methods.
Here are some of the features the authority must have, according to Dr. Patnaik:
- “The administrative expenses of the Commission must be charged on the Consolidated Fund of India and must be free from government control and interference,” Dr. Patnaik said.
- “Tenure and method of removal must be introduced into the Constitution,” he added.
- “The Commission can coordinate between the state data protection authorities, along the lines of the European Data Protection Board coordinating with the national data protection authorities under the GDPR,” Dr. Patnaik said. (emphasis added)
Empower DPAs to perform quasi-judicial adjudicatory functions
Dr. Patnaik’s dissent note offered the following suggestions for the government to keep in mind:
- An adjudicatory role will save cost for adjudication and allow state authorities to frame their own rules.
- Benches for adjudication at the district level to improve accessibility.
- “The number of adjudicating officers, the manner and term of their appointment and the jurisdiction of such officers must be decided by the authority and not the central government to avoid issues of independence, conflict of interest and bias,” Dr. Patnaik said.
Staff data protection authorities independently
The Chairperson and the Members of the Data Protection Authority will be appointed by the Central Government on the recommendation made by a Selection Committee, according to Section 42 of the Bill.
- Recommendation: Dr. Patnaik called for the authority to be led by a sitting or retired Judge of the Supreme Court because the DPA will have overriding supervision with regard to the privacy of data principals and overall data fiduciaries, including constitutional authorities like CAG, CEC, Lokpal, UPSC, etc.
- Reason for recommendation: “The Cabinet Secretary represents the Executive which itself is the biggest data fiduciary in the system and against whom most complaints are likely to arise under Articles-32 & 226 of the Indian Constitution as it currently happens in respect of other fundamental rights,” read the note. The selection committee should comprise two experts from the market, one from law and another from IT & social media, etc.
Retain penalties as a deterrent against data fiduciaries
The JPC report has recommended that data fiduciaries be liable to pay a fine ‘as may be prescribed’ up to a maximum penalty, upon violation of the Data Protection Act.
- Recommendation: “The suggestion for removal of penalties from codification under Section 57 of the Data Protection Bill, 2021, to something to be prescribed by the government is not acceptable because these were proposed at the time of initial introduction of the bill by the state,” Dr. Patnaik wrote in the dissent note.
- Reason for recommendation: “The purpose behind these penalties is to keep the privacy of the citizens as the primary overarching objective of operation on the internet by any data fiduciary, or data processor including the government and promote the digital economy of the country at a parallel level but the latter cannot supplant the former as the primary objective of this Bill,” Dr. Patnaik said categorically.
Limit government exemptions
The Union Government has the power to exempt any government agency from all or any of the provisions of the Data Protection Act for various reasons, as stipulated in Section 35.
- Recommendation: Dr. Patnaik said that the scope and applicability of Section 35 should be defined in line with principles laid down by the Supreme Court in the Puttaswamy case. He also asked for a prescribed mechanism by law to review each decision (under section 35) either by a parliamentary body or a judicial institutional arrangement.
Design the bill in accordance with Right to Privacy
- Recommendation: “The design of the Bill should adhere to the judgement set out by the SC that privacy is a fundamental right which is guaranteed by the Constitution now, and not by any government. So, citizens’ privacy would be safeguarded by the Constitution when breached even by central or state governments,” read the note by Dr. Patnaik.
- Reason for recommendation: “The government cannot appear to be taking a pre-eminent position in safeguarding citizens’ informational privacy as per their whims and interpretation of an event/ occurrence, which is getting conveyed at several places/sections/wordings in the Bill,” Dr. Patnaik said.
Update, December 18, 7:15 pm: The report has been updated following editorial inputs.