The government should reconsider the clauses on exemptions and the method of forming a data protection board in the draft Digital Personal Data Protection Bill, 2022, said Justice B N Srikrishna, who headed the committee of experts that created the first draft of the legislation.
The Ministry of Electronics and Information Technology (MeitY) on Friday released a draft version of the much-awaited data protection law, in the fourth such effort since it was first proposed in July 2018. The draft proposes the formation of the Data Protection Board of India to determine non-compliance with the provisions of the act and decide the penalty amount for it.
“The strength and composition of the Board and the process of selection, terms, and conditions of appointment and service, removal of its Chairperson and other Members shall be such as may be prescribed,” says the draft released by the government.
Justice Srikrishna said this could lead to concerns over the independence of the board. “The draft does not say anything about who should be qualified to be a member of the data protection board. A regulator, to a large extent, should be an independent authority. If the government determines the members of the board from time to time, it will be nothing but a government body and could never be independent,” he said.
The previous version of the bill had prescribed criminal penalties against employees of companies involved in data breaches. As per the new draft, data fiduciaries failing to take reasonable security safeguards may invite financial penalties of up to Rs 250 crore for each such instance.
Srikrishna said the draft should have included criminal penalties at least for repeat offenders. “In this country, unless there is some kind of a sanction behind any civil order, things don’t work out,” he said.
MeitY has said the bill would be open for public consultation until December 17, while the final version is expected to be tabled in the Budget session of Parliament next year.
The retired judge added that the parliament should debate all the concerns and carefully look into them. “We are dealing with the fundamental rights of privacy of an individual. Personal data is elevated to the status of a fundamental right. Please note, it comes out of Article 21 of the constitution, which deals with the right to life and liberty. It’s not just about the non-personal data, with which you could have played a little,” he said.