Data Protection Authority should be sole data regulator in India: CUTS

ET Telecom, July 16, 2020

The Data Protection Authority should be the sole data regulator in the country, said Udai S. Mehta, Deputy Executive Director, CUTS International, and added that there was a need to adopt a ‘whole government system approach’ towards data regulation.

Mehta’s comments have come on the back of Non-Personal Data (NPD) draft, on which the Centre has invited feedback from the industry.

Cautioning against having different regulators in cognate sectors, he said that the report appropriately considers the sensitivity of NPD in the light of personal data as given in the Personal Data Protection Bill 2019 (PDPB), the report is devoid of data principals, as is the case with the PDPB.

Mehta said that even though the report stresses on ‘light-weight regulation and remains conscious of the compliance costs of regulation’ but it misses out on emphasising scientific and inclusive regulation-making process, such as undertaking regulatory impact assessment; framing risk-based regulations giving due consideration to rights of data principals; and ensuring regulatory harmonisation.

The report recommends securing the consent of data principals for processing NPD, along with personal data but it increases the risks of consent fatigue and the report additionally does not comprehensively discuss the rights of data principals, such as the actions they are eligible to take in case of violation of rights. ‘The avenues and mechanisms for data principals to avail redress of their grievances are also not discussed adequately,’ Mehta said.

Mehta also argued that the report misses out on recommending of upholding of ‘principles of necessity, legality, and proportionality’ as the report empowers the government to request access to NPD for security, legal, law enforcement, and regulatory purposes

The report further calls for mandating of sharing of NPD to open up competition for startups, however, Mehta argued that such a step may not bode well with the startup ecosystem for fostering competition and suggested an enabling environment through data sharing could be envisaged for the same.

“The report has rightly excluded algorithms and proprietary knowledge from the ambit of data sharing,” he added.

He suggested that areas like the relation between data custodian and data principals, trusteeship model for enforcing rights of community data principals, and management of data trusts, among others require further scrutiny.

This news item can also be viewed at: