Regulatory governance under the PDP Bill: A powerful ship with an unchecked captain?

Author: Smriti Parsheera

This article was first published in Medianama on January 7, 2020 . The views are of the individual author.


“I prefer to sail in a bad ship with a good captain rather than sail in a good ship with a bad captain.”
— Mehmet Murat ildan

If the ship here is a metaphor for the rights and obligations offered by the draft Personal Data Protection Bill (PDP Bill) and the Data Protection Authority of India (DPA) as its captain, where does the current draft of the Bill leave us? Is it a good ship with a good captain or does it place the wheels of a powerful untested machine into the hands of an untrained and unchecked captain?

The preamble to the PDP Bill offers a precursor to the ambitious task that the Bill sets out for itself. It lists the various objectives of the law, which include specifying the usage and flow of personal data, creating organisational and technical measures for data processing, monitoring cross border data transfers and providing remedies against harmful processing. It then speaks of the role of the DPA as the agency responsible for giving effect to all of those purposes.

As per Section 41 of the PDP Bill, the DPA is to be set up as a body corporate, consisting of a Chairperson and up to six whole-time members. In adopting this structure, the Bill deliberately opts out of allowing any part-time members on the DPA’s board. This is not in line with the practice that has been followed in the composition of many other statutory agencies. For instance, the Telecom Regulatory Authority of India can have up to two whole-time and two part-time members in addition to the Chair. By closing the possibility of having such part-time members, the Bill denies the DPA the opportunity to gain from the expertise of academics, researchers, practitioners and technical experts who could otherwise have injected independent ideas and critiques into its functioning.


Read the full article here.