As proposed in the draft, the government will form the Data Protection Board of India to determine non-compliance with provisions of the act and impose penalties
One of the biggest concerns is that the chief executive of the board will be appointed by the Union government
According to industry experts, it is imperative to ensure that the board functions as an independent regulator without becoming the harbinger of the government
The Government of India released the much-awaited draft of the Digital Personal Data Protection Bill, 2022, last week. While the government has proposed to create an online redressal forum, the Data Protection Board of India, the proposal has caused a stir in the industry. With the government having complete control over the board, industry experts fear the misuse of power.
As proposed in the draft, the government will form the Data Protection Board of India to determine non-compliance with provisions of the act and impose penalties. The board will be allowed to hear the pleas of individuals, carry out regulatory checks in companies collecting data, conduct court-like proceedings and set up inquiries, among others.
“The board may, in the event of a personal data breach, direct the data fiduciary to adopt any urgent measures to remedy such personal data breach or mitigate any harm caused to data principals,” the government said.
While every entity handling data needs to comply with the orders passed by the board, an appeal against any order of the board can be made before the High Court within a period of 60 days from the date of the order in question.
“The chief executive entrusted with the management of the affairs of the board shall be such individuals as the Central Government may appoint and terms and conditions of her service shall be such as the Central Government may determine,” the Bill said.
The Board May Act As A Government Arm
According to Anushka Jain, Policy Counsel, Internet Freedom Foundation, “One of the biggest concerns is that the chief executive of the board will be appointed by the Union government.
“In addition, how the data protection board will be formulated has also been left to subsequent rules that will be made by the government. Hence, the independence of the board is in question right now.”
“In a situation where the board is not independent and following what the executive wants, the government could have more control over entities,” she added.
The founder of policy think tank The Dialogue, Kazim Rizvi, shares a similar sentiment. He is of the view that the board is totally executive-led. “The composition is government-led while there is no independence when it comes to the formation of the committee. The board may operate as a government arm in many ways,” Rizvi said.
Speaking with Inc42, some experts said that because the government has the power to determine the membership and the functioning of the board, it leaves scope for greater government control over entities handling data.
“The central government has concentrated a lot of discretionary and decision-making powers to itself. The role of the data authority contemplated in previous bills has been diluted – its ability to devise regulations and codes of practice is removed and handed over to the government,” said Vijayant Singh, Senior Associate at Ikigai Law.
There Is A Need For Industry Representation In The Board
According to experts, it is crucial to have a DPB member who understands the technical and organisational concerns of businesses, especially in the context of data breaches that require companies to undergo a significant amount of time-sensitive investigative, containment, and remediation work.
“A DPB that is not privy to these realities – due to a lack of industry representation – may come in the way of critical breach investigation and response activities,” Ikigai Law’s Singh said.
“Moreover, the data protection board has to oversee the compliance of the clauses by the government or the private sector. It can impact user interest, as the data protection board may hold the interest of the government or the private sector above the interests of individuals,” said Jain of Internet Freedom Foundation.
According to The Dialogue’s Rizvi, it is important to have a data regulator that works independently from the government executives, as the government is the largest data fiduciary at the end of the day.
On matters such as deciding penalties, violations of privacy, or violations by the government itself, the board, being a government body, might be lenient, Rizvi pointed out. Hence, it is imperative to ensure that the board functions as an independent regulator without becoming the harbinger of the government.
Unlike earlier versions, which defined the role of the authority and the criteria for its membership within the law itself, the 2022 Bill empowers the government to prescribe – through rules – the role and composition of the DPB.
“This means that critical aspects of the board will not be put through parliamentary scrutiny. The Bill also does not mention if the issuance of rules will be subject to public consultations, which may also concentrate powers with the central government,” Singh said.
After a limbo of three years, the new draft Personal Data Protection Bill is finally out. However, it has narrowed the scope by considering only personal and digital data. While it is a good move for companies in terms of understanding how to deal with user data, the Bill is being criticised by many experts.