New Bill may do away with key data protection body

The new privacy bill being drafted by the government may drop the concept of a centralised data protection authority (DPA) proposed in versions of the now-junked personal data protection bill, people aware of discussions said, adding that a grievance redressal mechanism for aggrieved individuals might be put in place instead.

DPA was pitched as an overarching regulator in past versions of the data protection law, with powers to lay down rules, monitor compliance and take action in cases where the privacy of Indian citizens is violated by private enterprise or state entities.

“A lot of the functions that were allotted to DPA were out of its remit; the collection, storage and sharing of personal data will either be worked into the law itself or be included in the rules that will be made under the law,” an official familiar with the matter said on the condition of anonymity. “The idea is to not overwhelm one authority and increase compliance costs for small companies.”

The official added that the law will be dynamic and evolve with the times, but there is likely to be no centralised structure like the DPA, although nothing has been finalised yet. “Instead, if the aggrieved person feels that their data has been misused, they can approach a grievance redressal mechanism that may be set up. Consent and privacy will always remain supreme,” the official said.

A second official said that this was one of the proposals under consideration and a grievance redressal mechanism was being considered. “The government wants the bill to be as uncomplicated as possible,” the official said.

The approach is still under consideration and whatever shape it takes will be circulated as a draft for public feedback, the second official added.

Experts said such a plan would be damaging to citizen rights. “These reports confirm the worst fears that the government is not interested in an independent and effective regulatory body to enforce data protection in India. A grievance redressal mechanism will not have any comparable powers and from past experience in the banking and telecom sector, have largely been ineffective. This would leave people without any real remedy,” said Apar Gupta, trustee at the Internet Freedom Foundation.

DPA was a central feature of the privacy law that was in the works till it was withdrawn from parliament in the monsoon session that ended earlier this month. In the latest version of the draft law, the authority was to be chosen by a panel shortlisted by the central government – a point that was a matter of contention since it raised questions about its autonomy.

This version, prepared by a joint committee of parliament with several of its members in dissent, suggested DPA be made to follow the government’s lead on all matters and not just questions of policy.

The manner in which a data fiduciary can share, transfer or transmit personal data to any person as part of any business transaction, breach of personal or non-personal data, and the definition of threshold of users for a company to be considered a significant social media intermediary were some of the prerogatives suggested for DPA.

The government earlier this month withdrew the data protection bill, 2021 which had been in the works for the last four years, as the government works to introduce a “comprehensive framework” for cyberspace.

The first official added that a new regulatory appellate mechanism was under consideration, and whether it would include ministries or other departments was being internally discussed within the ministry. “The creation of DPA would have increased compliance costs, especially for MSMEs and SMEs, the idea is to have light touch rules that do not disrupt India’s economic growth in the sector,” the first official said.