Rama Vedashree, CEO of Data Security Council of India and a member of the Srikrishna Committee that submitted a draft of the data protection Bill last Friday, has said that the overloading of the proposed Data Protection Authority (DPA) with functions as mentioned in the current form of the Bill could prove to be one of the bottlenecks in the implementation of a data protection framework in India.
Vedashree, who had sent a dissent note to the committee in which she has disagreed with three specific provisions of the Bill, also told The Indian Express that there could have been “a more balanced representation” in the committee, with more people from the civil society and a broader representation from verticals that deal with consumers, such as telecom and banking.
The 10-member committee, which was constituted on July 31 last year, Friday submitted the draft of the data protection Bill containing sweeping recommendations, including amendments to at least 50 laws such as Aadhaar and RTI, setting up a regulator and imposing strict terms for storage.
The Bill, while being seen as an attempt to empower the citizen against private entities through a consent-based regime, has come in for criticism from several quarters on how it overwhelmingly empowers the state against the citizen through several exemptions such as the sweeping powers accorded to the state to process certain categories of personal data without obtaining consent.
Also, in the draft Bill submitted to the government, the committee has allotted 24 onerous functions to the DPA, including processing of data breach notifications and taking prompt and appropriate action in response to a data security breach. In the report, the committee has explained that due to the complicated nature of breaches it was not advisable to list specific thresholds in the law of what can be reported to the DPA, thus leaving it to the wisdom of the authority to take necessary action.
“The Data Protection Authority (DPA) cannot be overloaded particularly given the current state of privacy and data protection readiness in the country across all agencies — whether small, medium or large, government or private sector. So in the first two-three years, the DPA should focus on some core enforcement and capability building charter and not be overburdened,” Vedashree said.
“Once the privacy awareness gets built and the consumers become aware, what is the speed of response and the agility and resources that are needed will have to be decided. It may not be just one central authority and maybe we will need a hub and spoke model because when consumers come up with complaints and if there isn’t a speedy response or redressal to it, the trust deficit grows. Therefore, overall, the authority taking up so many responsibilities is a big challenge, when it comes to enforcement,” she added.
Asserting that something like the data protection framework, which impacted every vertical in India, needs voices from various quarters of the society to be heard, Vedashree called for a wider consultation process of the draft Bill. “There could have been a more balanced representation in the committee with more people from the industry as well the civil society. Privacy, as a fundamental right, and the harm that can be caused with privacy breaches — civil society is more actively engaged at a community level. So I think civil society and a more broader representation from verticals, which deal with consumers like telecom, banking, healthcare etc could have been there. I am assuming now that the draft is out and when they do stakeholder consultations, the key verticals will have their voices on the table. It was an expectation of the chair as well that the bill should be put up in the public domain for consultations,” she said.
In her dissent note, Vedashree mentioned that the committee’s approach on cross-border data flow was not only regressive but also “against the fundamental tenets of our liberal economy” along with expressing her disagreement on categorisation of financial data and password as sensitive personal data. She also noted her reservations on the inclusion of provisions in the bill treating violations as criminal offences.