State governments have asked a Parliamentary panel deliberating on the Personal Data Protection Bill for a decentralised data protection authority (DPA) in order to allay concerns of a singular, all-powerful DPA as currently proposed in the bill, people aware of the matter said.
The proposal is likely to be met with stiff resistance, although hardly a ‘kill bill’ suggestion, considering the numbers in favour of the central government in parliament.
“Many states have asked for a decentralised DPA and the chairman [of the Parliamentary panel] may seek some time to consult with the states,” a person with direct knowledge of the discussions told Entrackr requesting anonymity.
According to the current timeline, a final draft of the committee’s report is expected to be circulated among its members by November 15, another person said, seeking anonymity. However, if the committee’s chairperson decides to consult with state governments on a decentralised DPA, that may push timelines further.
The draft Personal Data Protection bill was referred to a Joint Parliamentary Committee in 2019, which has since been consulting with several stakeholders to present a report on its recommendations to the bill.
The JPC’s report was supposed to be submitted in Parliament in the monsoon session. That however did not happen since the committee’s then chairperson Meenakshi Lekhi was made a cabinet minister, and the panel’s new head, PP Chaudhary requested an extension to present the report in the winter session of Parliament.
The DPA is pegged to be a central regulator overseeing the enforcement of the data protection bill and has wide-ranging powers, including defining new types of sensitive personal data in consultation with the central government.
Moreover, the selection of the members of the DPA includes a lot of central government involvement — selections will be based on the recommendations of an executive-led selection committee consisting of the Cabinet Secretary and the Secretaries in charge of Legal Affairs and Information Technology.
“Many non-BJP state governments feel that the current structure of the DPA gives the central government too much indirect control over how the data protection bill would be implemented,” the second person said.
The first source quoted above also said that a lot of discussion has happened around a section of the bill which allows blanket exemptions to government agencies from adhering to any and all provisions of the bill.
“Many members of the committee, especially those who come from the non-ruling BJP, have asked to streamline Section 35 of the bill [which allows exemptions to the government], fearing that it may give a lot of leeway to the central government and its agencies,” this person said.
According to a report in the Hindu, the Unique Identification Authority of India (UIDAI) which issues Aadhaar and the Income Tax department have already asked the JPC to keep it outside the purview of the data protection bill.