Trust Goes a Long Way

CONTEXT: Recently, data breaches can be regulated by the Data Protection Authority(DPA) proposed under the Draft Personal Data Protection Bill.

Provision under the Bill for DPA:

• Regulatory oversight: It will have oversight over data processing by both private and public entities

• Data Breach: Mandatory reporting In case of data breach at the data-intensive entity. In case DPA finds it appropriate, affected individuals will also be reported.
• Investigation: DPA could also investigate into Data breaches.
• Punitive Powers: DPA will have virtually unfettered enforcement powers ranging from simple warning and reprimands to suspending business or data flow or levying penalties and imprisonment against data fiduciary.

Issues with the draft Bill:

• Composition of DPA: 

• Limited to six Full-time members 

• Appointed by the selection committee comprising of only central governments bureaucrats.

• Discretion to DPA: No standard guideline to guide DPA’s wide powers for enforcing rules and selecting tools for it.

Way Ahead: 

• Diversity in Composition and Appointment:

•  A good mix of executive, non-executive and independent board members to ensure accountability and effectiveness. 

• The previous draft bill of 2018 included Supreme Court judges and technical expert, ensuring diversity in the selection committee.

• Building Credibility: By including certain guidelines and requirements in the draft bill, which are to be met in order to justify any enforcement action by DPA.

• Basis of Enforcement to be included in Section 54 such as nature and seriousness of the contravention and its impact on other entities and individuals.

• The requirement to publish a monthly report on complaints received an annual report on enforcement action taken to be included in section 49 of the bill.

Conclusion: An effective personal data-protection regulator must be independent, responsive, transparent and accountable.