Protection from data protection authority

News: The Personal data protection bill was introduced in the parliament in 2019 and then referred to a joint parliamentary committee (JPC) which has recently submitted its report. 

Read the JPC’s recommendation here. 

What is Data protection authority (DPA)? 

The bill recommends setting up of a statutory regulatory authority (SRA) called Data protection authority. 

It is empowered to take steps to protect the interests of individuals, prevent the misuse of personal data, and ensure compliance with the Bill.  

Given that data is an integral part of our lives now, probably every Indian and every commercial activity would be in the DPA’s ambit.  

What are the powers given to DPA? 

DPA can draft regulations to carry out the provisions of the Bill. These will have force of law. This also means that most of the obligation and rights related to data protection will be based on these regulations and not on the parliamentary law.  

It has the power and the duty to promote good data protection practices and also facilitate their compliance  

Some chapters of the bill also have an all encompassing omnibus general clause which give wide powers to DPA. 

Judicial or quasi-judicial powers: DPA will have the powers of a civil court to call for information, as well as conduct inquiries on data fiduciaries. It can under extreme cases even deny the right of any entity to carry out the business of a data fiduciary. 

Note-Data fiduciary is the entity that controls the storage of the data and defines the permitted ways it can be processed . 

This can violate the Fundamental Right to do commerce through internet (Article 19). 

It can impose penalties for non-compliance. 

What are the apprehensions regarding its powers?  

Compromises the separation of power (part of basic structure of constitution)- It is empowered to legislate, implement the legislation(executive function), as well as adjudicate on disputes on the very legislation that it writes and enforces.  

The Supreme Court (in 2004) stated, in the context of the SEBI Act, that ‘Integration of powers by vesting legislative, executive & judicial powers in the same body, in future, may raise several public law concerns’. 

It will have full time permanent members who will have power to draft directions which are not subjected to the scrutiny which is applicable to regulations. 

What is the way forward?  

Public policy should strive to make a balance between regulation and fundamental principles of the Constitution. 

Example: India Bankruptcy Code, 2016 has a clause that requires the Insolvency and Bankruptcy Board of India (IBBI) to “specify mechanisms for issuing regulations, including the conduct of public consultation processes before notification of any regulations”. 

Financial Sector Legislative Reforms Commission (FSLRC) had recommended that there is need for internal and external checks and balances. 

Source: This post is based on the article “Protection from data protection authority” published in Business Standard on 27th Dec 2021.

Print Friendly and PDF