Ensuring Constitutional status to the proposed Data Protection Authority is among the three main issues to be thrashed out at the November 22 meeting of the Joint Select Committee of Parliament on Data Protection Bill.

Most members of the panel are veering towards the view that since it is the government that collects and processes citizens’ data, the authority that protects this fundamental right in the digital space should have a more autonomous, Constitutional status rather than a statutory one.

Other issues

Besides Constitutional status, other issues to be thrashed out include creating State Data Protection Authorities and watering down the penalty provisions on fiduciaries if they breach or process data in an unauthorised manner. The panel is most likely to adopt the report and draft amended Bill on November 22. The final draft is likely to be circulated to the members on November 18. In the past, the Cabinet had accepted most of the suggestions of the select committees including ones in the GST Bill. The select panel on the Data Protection Bill is headed by BJP MP PP Chaudhary.

Highly placed sources said MPs pushing for Constitutional status for the Data Protection Authority have argued that the government collects data for various schemes and most of the complaints of data breach, as was the case in the Unique Identification Authority of India in the Aadhaar data leak, are related to government agencies. The members contend that a statutory authority functioning under the aegis of the government would have a conflict of interest, which is why it is imperative that its expenses are derived from the Consolidated Fund of India.

Experts also share this opinion. Said senior lawyer and privacy right activist Sanjay Hegde: “This is the only logical course of action as the government or its agencies are often the chief infringers of privacy rights. Autonomy is essential although it’s not the only guarantee of the independent functioning of an institution.”

Penalty provisions

Another issue being thrashed out is the penalty provisions prescribed in Section 57 of the Bill. While the draft Bill says that if a data fiduciary contravenes its obligation to take prompt and appropriate action in response to a data security or fails to register with the Authority and fails to appoint a data protection officer, it shall be liable to a penalty which may extend to ₹5 crore or 2 per cent of its total worldwide turnover of the preceding financial year, whichever is higher. Also, ₹15 crore or four per cent of its total worldwide turnover of the preceding financial year, whichever is higher, would be charged if a fiduciary processes personal data and data of children violating the provisions of the Bill, and transfers data to foreign countries violating the law.

“The Chairman wants to do away with the clause on the penalty in tune with the worldwide turnover. He fears that it will impact investment. But we showed him GDPR laws in other countries which are very stringent,” a member of the panel told BusinessLine.

Some members are reportedly pressing for creation of State-level Data Protection Authorities. The logic for this is that a Central Authority will be exercising control over state government functions under List II of the Seventh Schedule of the Constitution such as health, education. This authority may raise issues of federalism, said a member. The MPs have suggested examining international precedents in Germany and the US that have General Data Protection Regulations separately for the Centre and the provinces. BJD MP Amar Patnaik, a member in the panel, has publicly demanded State-level authorities.

“Public order is a State subject. If a privacy breach creates an issue of public order, the State or even district administration cannot wait for the clearance of the Central Authority before they act. A structure similar to the Central Information Commission and State Information Commissions under the RTI Act can be considered,” Patnaik said.

Related Topics
comment COMMENT NOW