Almost 12 years after the initial Personal Data Protection Bill 2006 has lapsed, a new Data Protection Bill has been submitted to Parliament. The jury is still out on the pros and cons of the proposed bill. There are reports of gaping holes in the Bill, as well as some wholesome provisions to protect the personal data of citizens. One aspect that is overlooked by various erudite reports on the subject, so far, is the gargantuan nature of the proposed Data Protection Authority and role of the police in protection of personal data.
The setting up of a Data Protection Authority (DPA) has to be seen in the perspective of one basic hypothesis in the proposed Bill. This hypothesis is about treating personal data as a matter of trust. If something has to be treated as a matter of trust and not as property then surely there is a need of an adjudicating authority. It is this assumption that led to the proposal of setting up a Data Protection Authority at the center with a large staff selected from the government and judiciary.
At the outset, very proposition of setting up of a new Data Protection Authority seems to assume that existing institutions are incapable of handling the work involved. All violations of personal data, barring a few, which have been made criminal offences, are to be enquired into by this authority. The DPA also has powers of search and seizure and can requisition police officers in case of need. It is proposed to be manned by persons from judiciary and bureaucracy. The retirement age of members has been set at 65 years, which, in addition to other ramifications, clearly promotes a ‘post retirement’ benefit plan for many senior bureaucrats who are nearing their superannuation in government.
The moot question is, whether this DPA is really required at all? The European Union’s (EU) General Data Protection Regulation (GDPR), which seems to have had a great influence on this proposed Bill, treats personal data as property and applies the same rules as would be applicable to any other loss of property. Surprisingly, while most sections of the proposal are complete copies of GDPR, this very basic attribute of personal data has been diluted in the present Bill. In hindsight, this appears to have been done on purpose. As, without this, the civil nature of adjudication would not have arisen and the need of authority would not be there.
Even if one accepts the proposal for a separate authority, there is probably a constitutional flaw here. The Bill in its present form takes away the supervision of the High Courts in matters emanating out of the Appellate Tribunals.
Appeals against Appellate Tribunals will lie only in the Supreme Court. No one can deny that personal data relates to personal privacy. Right to Privacy is a fundamental right, which is enforceable by High Courts of the States. This Bill somehow proposes to take away the supervision of High Courts on such a basic and fundamental issue, which relates to the right of privacy of individuals.
This assumption flows from the fact that the Bill does not even mention the authority of the State. Policing is a state subject as per the Constitution of India. It appears that there has been a clear attempt to keep the States out of the picture in this Bill. The proposed Authority is proposed as a Central government institution and there are no state bodies recommended. It is surprising that the elite members on the drafting committee of the Bill looked at the issue of personal data as a central subject, when it is clearly in the domain of the States. This was probably overlooked as police was not involved in the drafting the Bill.
The proposed Bill also envisages a minimal role for the police. This stems from two facts. One, that personal data was treated as trust and not as property. Second, that DPA is envisaged as a central government body while policing is a state responsibility and hence there would be no role for the police.
This is no to deny that there are certain provisions where police officers do figure. The proposed Bill deems certain violations as criminal offences. These offences have been made non-bailable and cognizable. Police officers of the rank of inspectors and above are proposed to be given powers to investigate such offences. However, since the vast chunk of violations are not made criminal offences and are under the DPA, the role of the police in securing protection of personal data is indeed minimal.
Dilution of personal data to the status of mere trust and overlooking the role of the state and the original jurisdiction of the High Courts are issues that need to be addressed. If left unattended, in its present shape, the proposed Bill will lead to creation of yet another elite authority, which will remain out of reach of ordinary people.
(Sanjay Pandey, an IPS officer from the 1986-batch, is Director General of Police and Commandant General, Home Guards and Director, Civil Defence, Maharashtra)