Joint Committee On Data Protection Bill Recommends Single Regulatory Body For Personal, Non-Personal Data

New Delhi: The Joint Committee on Personal Data Protection Bill, 2019, has recommended creating a “single administration and regulatory body” to avert contradiction, confusion, and mismanagement as it noted that non-personal data has to be dealt with within the legislation if privacy is the concern. 

The committee’s report was submitted in parliament on Thursday and it stated that all data should be dealt with by one Data Protection Authority (DPA), news agency ANI reported.

“Since the Bill provides for the establishment of one Data Protection Authority, we cannot have two DPAs one dealing with privacy and personal data and the other dealing with non-personal data,” it stated. 

“The committee has, therefore, recommended that since the DPA will handle both personal and non-personal data, any further policy or legal framework on non-personal data may be made a part of the same enactment instead of any separate legislation,” the committee added, as quoted by ANI. 

ALSO READ | As India Moves To Raise Legal Marriage Age Of Women, Here Is A Look At Laws Around The World

The report recommended that as soon as the provisions to regulate non-personal data are finalised, “there may be a separate regulation on non-personal data in the Data Protection Act to be regulated by the Data Protection Authority”. 

It also “approved the objects and reasons of the Bill as these are in the nature of public policy as these suitably address the concerns that emerge out of the Puttaswamy judgment on privacy as a fundamental right and the broad recommendations of Justice B.N. Srikrishna Committee” reported ANI. 

The Joint Committee also recommended changing the name of the bill and observed that to define and restrict the new legislation only to personal data protection or to name it as Personal Data Protection Bill is detrimental to privacy. 

“The bill is dealing with various kinds of data at various levels of security and it is impossible to distinguish between personal data and non-personal data when mass data is collected or transported,” it stated. 

It was noted that Clause 1(2) of the Bill does not provide for any timeline for implementation of the Act after the issue of notification. 

The committee observed that the implementation of the Act will be in phases and therefore felt that the period for implementation of various provisions may “not be too short or too delayed”. 

“Data fiduciaries and data processors would also require sufficient time for transition. No specific provision for transitional phase necessarily creates uncertainty for the concerned stakeholders,” the report mentioned. 

The committee suggested that provisions of the Act be deemed to be effective not later than 24 months from the date of notification. 

Stating that a phased implementation may be undertaken to ensure that within three months chairperson and members of DPA are appointed, it said the DPA should commence its activities within six months from the date of notification of the Act, the registration of data fiduciaries should start not later than nine months and be completed within a timeline. 

“Adjudicators and appellate tribunal commence their work not later than twelve months and provisions of the Act shall be deemed to be effective not later than 24 months from the date of notification of this Act,” the panel added. 

The report suggests that a comprehensive analysis and consultation with stakeholders should be undertaken by the government to discover and understand the technical or operational and managerial requirements for compliance with the provisions of the bill. 

It noted that the government should ensure that it should keep the legitimate interests of businesses in mind in the process of implementation of each phase, so that it does not detract, too far, from its stated objective of promoting ease of doing business in India. 

The Joint Committee on Personal Data Protection Bill, 2019 is headed by BJP Lok Sabha member PP Chaudhary. The report contains two parts. The first part consists of general descriptions and 12 recommendations on data protection and privacy with respect to provisions made in the Bill. The second part is about clause by clause examination of the bill and contains 81 recommendations making modifications and more than 150 drafting corrections and improvements in various clauses of the legislation.

(With Agency Inputs)