The House Committee agrees to limit exemptions to government in the Data Protection Act

A parliamentary body deliberating on the Personal Data Protection Act has recommended restricting the exemptions available to the government under the current version by putting appropriate restrictions on the use of the exemption, said people aware of the development.

The design Personal Data Protection Act, 2019 was referred to a Joint Parliamentary Committee (JPC) in 2019, tasked with preparing a report on its recommendations on the various provisions of the bill.

Trickypedia learned that the committee had finalized a draft report and that a copy of it had been circulated to its members for final review, after which it would be presented to the winter part-session of Parliament.

In its preliminary report, well over a hundred pages long, the JPC recommended that government exemption only through “just, fair, reasonable and proportionate process,” said a person with direct knowledge of the contents of the report Trickypediaon condition of anonymity as the report is currently confidential.

In addition, the committee recommended that an exception should only be used in very “exceptional” cases. We have been told that these recommendations are in the draft report and could very well change when the final version comes out.

Currently, the contentious clause 35 of the draft Data Protection Act allows the government and its agencies to obtain blanket exemptions from complying with all provisions of the bill without the presence of checks and balances. Authorities such as the Aadhaar authority UIDAI and the income tax office have already tried to get an exemption from the bill.

Trickypedia was that report first Earlier this month, the committee is considering reducing the government’s leeway under the current bill.

After examining court rulings and laws in other countries, the committee found that state exemptions have a precedent as the fundamental rights of citizens are subject to reasonable restrictions, said the person quoted above.

The JPC also relied on the GDPR, the U.S. Cloud Act, and India’s 2017 Right to Data Protection, all of which allow the state to make certain exceptions to protect national interests, but only with controls and balances.

In the GDPR, for example, government agencies are excluded if they act to prevent, investigate, detect or prosecute criminal offenses for public safety.

Civil society activities and data protection practitioners have historically been cautious about delegating such overarching powers to the government in India as they have been exaggerated in the past. In this context, the recommendation of the committee becomes even more important, as it could possibly restrict the government apparatus against abuse of rights.

In fact, this was a major concern shared by several members of the committee – about the possible abuse of this particular clause in cases where citizens’ privacy had to be subsumed to protect state interests, said the source cited above.

More clarity when differentiating between personal and non-personal data

While the current draft empowers the government to develop a separate policy on non-personal data in the future, the GPA felt that the draft law did not provide enough clarity about the types of data that would be outside the scope of the Personal Data Protection Act, said the source.

The JPC recommended in its report that the government keep non-personal information “including anonymous information” outside the scope of the Personal Information Protection Act.

Trickypedia also learned that last December, during the GPA’s consultations with the IT Ministry, it was announced by officials from the Ministry that any instructions to draft a Non-Personal Data Policy could be exempted from submission to Parliament – currently Clause 95 of the Data Protection Act requires the government to bring all rules and regulations made under data protection legislation to parliament.

Leave a Comment