Need data protection bodies at state level for robust law: JPC member
There is a need for state-level data protection authorities (DPAs), along with a national watchdog, to ensure that the data protection law becomes more robust and implementable, according to parliamentarian Amar Patnaik of the Biju Janata Dal, who is a member of the joint parliamentary committee (JPC) looking into the draft legislation.
“I’m strongly of the view that the DPA in its current form means that there is one DPA for all of India, and every state government or institution is accountable to it,” he said in an interview with Hindustan Times. “We need state-level DPAs so as to not raise issues of federal override. This way the administration of data protection regime will become more robust and implementable. Else, it will be overwhelming for an institution to deal with all of it.”
The personal data protection committee is considering a slew of changes, including introducing psychological manipulation as a violation and stressing on the need for algorithmic fairness, HT reported over the past week.
The key amendments are under consideration of the House panel, which aims to table its report in the winter session of Parliament. The JPC was set up in 2019 to look into the provisions of the bill and has since sought several extensions, the latest one after chairperson Meenakshi Lekhi had to step down as she was elevated to the post of a union minister.
Patnaik stressed that while the proceedings of the committee were confidential, concerns about various aspects of the bill have been discussed. “There have been concerns regarding the heavy compliance cost,” he said. “The second one is that it will be a consent based framework. How does one ensure informed consent is there? Then of course is the concerns that the government has overriding measures, which empowers it to bypass the bill, like in the interest of national security.”
The proposed law will not only protect a citizen’s privacy but will also unlock the value of data. “Once encryption enforcement happens, personal data can become non-personal data. The exemptions that the bill provides for speaks to how narrow it is and what are the chances that it can be misused,” Patnaik said. “It should be as discretionary as possible.”
He said that the concerns about non-personal data (NPD) being addressed in the personal data protection (PDP) bill have been discussed. “There is the question whether non-personal data should be regulated at all, how should NPD be addressed in PDP, and whether NPD should not be regulated at all,” Patnaik said.
Over 60 sessions later, a new report is set to be drawn up by the committee. “An immense amount of attention has been given to the bill,” he said. “DPA will be a behemoth. It will have a say over how data are used.”
“In terms of structural independence and functional capacity of DPA, I believe it should be a constitutional authority,” Patnaik said. “Unless its a constitutional body, one can’t ensure its independence.”
“I’m reasonably optimistic that the final form of the report may see a bit of delay, but it will be adopted in the winter session.”