Data Protection Bill needs consultation, has loopholes: CUTStext_fields
New Delhi: A policy advisory NGO, CUTS International, has said certain key terms such as "personal data", "sensitive personal data", "critical personal data" and "harm" are not adequately defined in the Data Protection Bill which can lead to ambiguity among consumers and service providers (data fiduciaries) alike.
The bill is currently with the Joint Parliamentary Committee (JPC). As of December 17, 2019, the Bill is being analyzed by the JPC in consultation with various groups. The Bill covers mechanisms for the protection of personal data and proposes a data protection authority (DPA) of India. It has also sought public consultations over the Bill.
According to government sources, the JPC panel will issue an advertisement inviting the general public and the stakeholders to send in their suggestions. The stakeholders will be given four weeks to respond.
"Considering the elaborate changes made from the draft bill of 2018, coupled with the suggestions given, we urge the JPC to hold extensive and inclusive open house discussions on the Bill before finalising its report. Also, recommendations received by it from various stakeholders must be made public," said a source.
There are many loopholes as per CUTS International. It said the Bill does not prescribe any time limit to set up the DPA. This, coupled with the absence of transitional provisions as given in the draft bill, may lead to uncertainty for service providers. It may become difficult to interpret if all the provisions of the bill will come into force with immediate effect upon enactment, or in a phased manner.
According to the NGO, the bill goes beyond its objective of 'personal data protection' and runs the risks of regulatory overlaps. It empowers the government to gain access to non-personal data and anonymised personal data, governance of which is already being deliberated by a separate committee.
The Bill, it says, requires social media intermediaries to provide consumers with voluntary account verification options. Intuitively, this aims to solve the menace of inappropriate posts/misinformation, which is also being dealt under the draft intermediary amendment guidelines.
CUTS has recommended removal of both these provisions from the Bill, which it says, has lack of independence of the DPA. The selection committee prescribed by the Bill for appointing members of the DPA, consists only of government executives.
Also, certain powers given to the DPA under the draft bill of
2018, have been transferred to the Central government, such as notifying more categories of sensitive personal data. Such issues weaken the independence and effectiveness of the DPA.
CUTS recommends setting up a neutral selection committee comprising members from the judiciary, civil society organisations and subject experts. The Bill should reinstate powers given to the government to the DPA, along with mandating it to undertake cost-benefit analysis while exercising the same, it said.