Yesterday, the newspaper The Hindu reported that it expects “More delays on Data Protection Bill as panel reopens debate”
The report was based on the fact that the JPC under the new Chairman Mr P P Choudhary has convened two sittings on September 15th and 16th with the agenda ” Comparison between The Personal Data Protection Bill, 2019 as introduced in the Parliament, as discussed in the Joint Committee and the suggestions for amendment by the Chairperson, Joint Committee.”.
According to the newspaper, two key amendments are being proposed namely
- Expanding the scope of the Data Protection Authority to cover personal as well as non personal data
- Expand the scope of “Data Breach Notification” from “Personal Data Breach notification” to even “Non Personal Data Beach”.
Accordingly the newspaper predicts that there will be objections from the committee members and demands for more detailed discussion leading to further delay in the passage of the Bill.
It is understood that if the Government does not want to pass the Bill, then it can be delayed and anything can be used as an excuse. On the other hand, if the Government wants to pass the Bill, it can pass it despite the opposition.
However, there was perhaps a technical gap in the process earlier and the Bill after its earlier discussions and corrections made was not re-presented in its final corrected form back to the JPC for its final approval but presented directly to the speaker of the Loksabha. Perhaps this needed a correction and a meeting was required for this purpose before the presentation of the Bill in the Parliament in the next session as per the commitment of the Government. We presume that the JPC meeting on September 15th and 16th is required for this purpose.
As regards the two amendments suggested in the report of the Hindu which may also be only be be a speculative report, our views are as under.
The Personal data protection act needs to co-exist with the current ITA 2000 and the proposed Non Personal Data Governance Act. It is a legislation which is prompted by the Puttaswamy judgment and meant to focus on the protection of Privacy as per the Constitution through a data protection legislation that addresses the “Information Privacy Issue”.
The main objective of this legislation is to provide that the data principal should be able to exercise his choice regarding collection, use and disclosure of personal information. It is enforced on those organizations which collect and process the personal data in India.
While PDPB2019 absorbs Section 43A of ITA 2000, it is not a legislation to replace ITA 2000. ITA 2000 has a mandate to define and manage Cyber Crimes which are data related crimes without a distinction of whether the data is personal or non personal.
Presently, ITA 2000 has civil and criminal provisions and victims of data related crimes can approach the Adjudicator for compensation for losses suffered as per Section 46 of Chapter IX of ITA 2000. The Police can prosecute persons for the offences indicated in Chapter XI of ITA 2000.
The PDPB2019 adds the dimension of administrative penalty which was not the subject matter of “Adjudication” under ITA 2000. At the same time, PDPB 2019 does not address the offences under Chapter XI.
However overlap between ITA 2000 and PDPB 2019 may occur because of
- Section 43 which has the potential for being extended into personal data related crimes.
- PDPB 2019 in addition to retaining the power to levy administrative penalty on the data fiduciaries also retains the power to provide compensation to the data principal. This could be an overlap with the power of the Adjudicator under ITA 2000.
Given the general reluctance of IT Secretaries (adjudicators under ITA 2000) to adjudicate on cyber crime cases, they may be happy to pass on the responsibility to the Adjudicator under the DPA and hence the overlapping jurisdiction of the two adjudicators may not affect the enforcement. If however, there are multiple forums available in a few cases, it can be handled as we presently handle cyber crimes with the adjudicator as well as the consumer court etc.
The “Non Personal Data Governance Act” is yet to be drafted and even when it comes into existence, it is not expected to interfere with ITA 2000 in terms of offences. This Act is meant to be for “Establishing a structure for Governance of Non Personal Data” and the
Protection aspects can continue to be addressed by the ITA 2000.
PDPB 2019 defines what is “Personal Data” and what ever is not a personal data automatically falls into the purview of Governance under the Non Personal Data Governance Act (when it comes into existence) and the purview of protection as per the ITA 2000.
There is no need for PDPB 2019 to extend the authority of the Personal Data Protection Authority under the PDPB 2019 to the domain of Non Personal Data Governance or Protection. It is enough if the PDPB 2019 defines Personal data so that the boundary between Personal Data and Non Personal data is defined through either “Anonymization” or because the data itself does not contain and personally identifiable element.
If PDPB 2019 tries to extend the scope of the authority of DPA to Non Personal Data or extend the Data Breach definition to Non Personal Data, there will be a needless interference with the activities of the CERT-In which is a quasi judicial authority under ITA 2000 and is the authority designated to receive data breach reports.
Any move to extend the definition of “Data Breach” under PDPB 2019 to Non Personal Data Breach will bring lakhs of cyber offences to the table of the DPA .Data Breach may occur due to Viruses in Computers or Mobiles, through negligence or malicious attacks or even technical failures.
If all these data breaches land at the desk of DPA, it will paralyze the functioning of the DPA.
Hence the move to enhance the scope of PDPB2019 to Non-Personal Data, if it is true, is avoidable.
The writer – Naavi is Data Protection and Data Governance Consultant. He is Chairman, Foundation of Data Protection Professionals in India (FDPPI) and Founder of www.naavi.org