The JPC report on PDPB 2019 contains 91 recommendations, many of which are included in the main bill as amendments to PDPB 2019. The main amendments have already been discussed in several of our earlier articles. There are many small amendments in the nature of typo corrections which add up to the numbers but may not require specific discussion. However, there are a few recommendations which are significant but for some reason have not been included in the amendments. They may, however, become guidelines for the DPA to incorporate in the regulations later on, or for the Government to include during the Parliamentary debate. In order to keep track of such recommendations, which are part of the legislative history of DPA 2021, we shall try to bring them on record through the following presentation.
Some of these comments would be referred to in a manner similar to the reference to “Recitals” under GDPR.
- During the final stages of passage of the bill there was a discussion on whether the State Governments should be allowed to have their own “Data Protection Authority”. If this had been agreed to, it would have given room to the State Governments coming up with their own data protection legislations to counter the DPA 2021 and create issues of their own. We have seen such attempts in bringing amendments to ITA 2000 through some state laws.
The Committee has made a categorical observation that this Act falls within the exclusive legislative domain of the Union Government (Recommendation 1). Hence the State Governments cannot bring their own legislations. This would avoid a situation like the one that prevails in the USA, where each state wants to have a data protection law for its own citizens, or the situations that prevail in Canada and the UK, where provincial Governments may have some rights of their own through the constitution to keep separate laws, like what we had in Kashmir prior to the Article 370.
One India-One Data Protection law is therefore the policy pursued by the JPC and is welcome.
JPC has also clarified that this is a special law and overrides any other pre-existing laws that may govern the subject incidentally.
JPC has also clarified that the law would apply irrespective of any other law governing contractual relations between a data fiduciary and a data principal.
In Section 43A of ITA 2000 (which will be removed after DPA 2021 becomes effective), the “Reasonable Security Practices” had given precedence to contractual agreement between parties over other aspects including law in force.
P.S.: Section 43A Explanation:
“reasonable security practices and procedures” means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
The JPC has in its recommendation tried to clarify this point.
With the removal of Section 43A from ITA 2000 it will be deemed that DPA 2021 is the principal law in India covering personal data while ITA 2000 may continue to cover some aspects of personal data not addressed in DPA 2021. The coverage of ITA 2000 will be considered mainly as restricted to “Protection of Non Personal Data” and the “Criminal punishments on the abuse of Personal Data” and any other application of ITA 2000 to personal data would be considered as “Incidental” application. As a result, if there are any contradictions, DPA 2021 would prevail.
It is important to note that the clarification that the provision would apply irrespective of other law governing contractual relations between the data principal and the data fiduciary will have an impact on all the Data Processing contracts currently being used by the Data fiduciaries either with the Data Principals or with other Data Processors.
A review of all such contracts may therefore be necessary.
(To Be continued…)
Naavi