Call Us Now

+91 9606900005 / 04

For Enquiry

legacyiasacademy@gmail.com

HOW TO RESOLVE INDIVIDUAL DATA PRIVACY COMPLAINTS?

Focus: GS-II Governance

Why in news?

The current version of the draft Personal Data Protection (PDP) Bill is being reviewed by a Joint Parliamentary Committee.

Personal Data Protection Bill 2019

  • The Personal Data Protection Bill 2019 (PDP Bill 2019) is being analyzed by a Joint Parliamentary Committee (JPC) in consultation with experts and stakeholders.
  • The Bill covers mechanisms for protection of personal data and proposes the setting up of a Data Protection Authority (DPA) of India for the same.
  • Some key provisions the 2019 Bill provides for which the 2018 draft Bill did not, such as that the central government can exempt any government agency from the Bill and the Right to Be Forgotten, have been included.
  • The Bill proposes “Purpose limitation” and “Collection limitation” clause, which limit the collection of data to what is needed for “clear, specific, and lawful” purposes.
  • It also grants individuals the right to data portability and the ability to access and transfer one’s own data. It also grants individuals the right to data portability, and the ability to access and transfer one’s own data.
  • Finally, it legislates on the right to be forgotten. With historical roots in European Union law, General Data Protection Regulation (GDPR), this right allows an individual to remove consent for data collection and disclosure.

The Bill trifurcates data as follows:

  1. Personal data: Data from which an individual can be identified like name, address etc.
  2. Sensitive personal data (SPD): Some types of personal data like as financial, health, sexual orientation, biometric, genetic, transgender status, caste, religious belief, and more.
  3. Critical personal data: Anything that the government at any time can deem critical, such as military or national security data.

Issues with the bill

  • The current draft requires the DPA to maintain a cadre of adjudicating officers and specifies their desired areas of expertise.
  • All other important details, like the terms of appointment, jurisdictional scope, and procedure for hearings, are, however, left to be decided by the central government.
  • The Bill doesn’t even specify whether the adjudication process can, or should, be preceded by mediation, which could help in the amicable settlement of many complaints.

Data Protection Authority (DPA): The solution?

  • One of the many important duties cast on the Data Protection Authority (DPA) that is to be created under the Bill is to adjudicate complaints received from data principals — individuals whose personal data is processed by others.
  • The DPA is set to function as what the Financial Sector Legislative Reforms Commission (FSLRC) termed as a “mini-state”. This refers to an agency that is entrusted with a mix of quasi-legislative (regulation-making), executive (supervision and enforcement), and quasi-judicial (adjudication) functions.
  • It comes with the risk that, absent structural safeguards, the agency might end up abusing or, conversely, neglecting some of its functions. A carefully-crafted regulatory design and robust accountability mechanisms are, therefore, essential.

Broad Mandate of the DPA, a problem

  • Unlike other sectoral regulators that oversee specific businesses, the DPA’s authority will extend to anyone who deals with personal data.
  • This may include individuals, private entities or any department or agency of the state.
  • Further, since each data principal is party to multiple online and offline relationships, the universe of regulated transactions becomes even larger.
  • Even a miniscule 0.5% rate of complaints out of the total shares of personal data will result in more than 10 million cases in a year. A caseload of this sort would be daunting for any agency.
  • As a consequence, the DPA may either be overwhelmed by the volume of complaints or may grossly under-prioritise this aspect, resulting in delays, erosion of trust and poorer outcomes.

Way Forward to help out the DPA

  • As a consequence, the DPA may either be overwhelmed by the volume of complaints or may grossly under-prioritise this aspect, resulting in delays, erosion of trust and poorer outcomes.
  • The DPA’s grievance redress function can be moved to a stand-alone Data Protection Ombudsman (DPO).
  • The law should also target making redress more accessible, affordable and efficient, including through the use of technology.

-Source: Indian Express

October 2024
MTWTFSS
 123456
78910111213
14151617181920
21222324252627
28293031 
Categories