Professional Documents
Culture Documents
January 2022
Jai Vipra and Aniruddh Nigam are Senior Resident Fellow and Research Fellow, respectively,
at ALTR.
Ameen Jauhar is the team lead for ALTR. Dr. Arghya Sengupta is the Research Director and
co-founder of the Vidhi Centre for Legal Policy.
This referencer engages with each recommendation of the Report individually. It first
provides a gist of each recommendation and what it hopes to achieve. It then provides
our overall assessment of whether the recommendation ought to be acted upon or
not. Finally, it provides reasons for our assessment.
1 Objects The Committee observes that the PDP Agree The Committee rightly considers the DP Bill, 2021 to be
and Bill, 2019 is covered under a broad and within the legislative competence of the Parliament
Reasons liberal interpretation of Entry 31, List I. under List I of Schedule VII. However, there are
of the Bill Further, it observes that the DP Bill, significant state-level implications in the manner data is
2021 is a special law containing a non- collected and processed. Further, the role of state
obstante clause and would govern the governments will be essential in the functioning of an
field of data protection irrespective of entity like the proposed DPA. Given that data
pre-existing laws. As such, the governance is likely to be a prominent legislative field in
Committee recommends approval of the future, it is perhaps an apt time to consider how such
the Objects and Reasons of the DP Bill, provisions are to be legislated, specifically whether data
2021. governance should be added as a separate entry under
any of the three Lists in the Seventh Schedule. The fact
that such a large and emerging field for legislation is
covered under a residuary entry represents a sub-optimal
state of affairs in the federal framework of the
Constitution.
2 None The Committee observes that it is Differ 1. We differ from the Committee’s view in 1.15.8.1
impossible to distinguish personal and that a large volume of non-personal data is
non-personal data. Therefore, it essentially derived from the following sets of data-
recommends that for effective personal data, sensitive personal data and critical
1
Banking Regulation Act, 1949
2
Foreign Exchange Management Act, 1999
4 Clause 25 The Committee recommends that the Partially We agree with these recommendations insofar as
DPA should imbibe certain principles agree personal data breaches are concerned. For non-personal
when notified of a data breach. These data breach, please refer to our comments on
include ensuring privacy of data recommendation 46. Further, we note that the principle
principals when posting details of the relating to maintenance of a log of all data breaches to be
personal data breach, placing the reviewed periodically by the DPA has not been
burden on the data fiduciary to prove incorporated in clause 25, DP Bill, 2021.
that the delay in notifying the DPA /
data principal was reasonable and
maintaining a log of data breaches,
irrespective of the harm to the data
principal.
6 Clauses 1. The Committee recognizes that Partially 1. We differ with the recommendation on social media
26 and 28 there is an immediate need to agree intermediaries being considered publishers of the
regulate social media content in the data protection law. The
intermediaries and the current law recommendation is akin to doing away with the safe
is insufficient to regulate social harbor provision for social media intermediaries.
media platforms. In this context, it While the role of social media intermediaries may
recommends that social media require reconsideration, a data protection law does
intermediaries should be not provide the adequate context to do so. Section
considered publishers because 79 of the IT Act, 2000 currently sets out the safe
they have the ability to select the harbor provisions available to social media
receiver of the content and intermediaries, in conjunction with rules prescribed
exercise control over the access of under the IT Act, 2000. The recommendation goes
content hosted by them. beyond regulating personal data processing by social
7 Clause 20 The Committee recommends that in Agree We agree with this recommendation. However, the
order for meaningful implementation delegated legislative power within clause 20 is enabled
of the right to be forgotten, afforded to for the government’s rule-making powers, and not the
data principals under Clause 20, PDP DPA’s regulation-making power.
Bill, 2021, it is necessary to empower
the DPA with regulation making
power.
8 None The Committee recommends that Partially The SWIFT network has been known to contain
India should develop an alternative agree vulnerabilities, including a mechanism for the United
indigenous financial system to ensure States National Security Agency to document
privacy given the privacy concerns in transactions. To the extent that Indians' cross-border
the financial sector, especially in the transaction data should be protected from unlawful
context of cross-border payments. foreign surveillance, an alternative to SWIFT may be
considered. It is unclear whether the committee
recommends a legal provision in the DP Bill, 2021 to set
up such a network. Nothing in the DP Bill, 2021 prevents
10 None The Committee has recommended that Differ We differ with this recommendation. As far as any
separate certification processes hardware is being used for data processing, or a
should be enabled for hardware hardware manufacturer is collecting and processing
manufacturers given the potential data, it will be covered by the definition of “data
risks with computing hardware which fiduciary” and be obligated per the provisions of the draft
can cause breaches. law. It is unclear why this is inadequate. If there are
concerns around the general security aspects of the
hardware, and the risk of the same being compromised,
those must be covered by the Information Technology
Act, 2000, which deals with similar issues in terms of risks
to computer resources. These general security concerns
about the integrity of the hardware should not be
covered in a data protection law. It is also pertinent to
note that the same does not feature in the proposed
revisions in the DP Bill, 2021.
12 None The Committee recommends that Agree We agree with this recommendation. This
there should be a comprehensive data recommendation is not reflected in the DP Bill, 2021.
localisation policy formulated by the
Central Government, in consultation
with the sectoral regulators.
13 Clause 1 The Committee has recommended that Partially Please refer to comments for recommendation 2.
the title of the DP Bill, 2021 should be agree
amended as “Data Protection Bill,
2021” as non-personal data is also
recommended to be covered under the
DP Bill, 2021. The Committee gives
this recommendation stating that it is
impossible to demarcate one from the
other.
15 Clause 1 The Committee has amended the short Agree We agree with this recommendation of changing the year
title as the Data Protection Bill, 2021. of the PDP Bill, 2021.
16 Clause 2 1. The Committee has recommended Differ 1. We differ with the alteration in relation to “any
alterations to the applicability of person under Indian law”. The phrase ‘any person
the DP Bill, 2021 from “processing under Indian law’ seems to be a drafting error in this
of personal data by the State, any new draft, since the phrase “under Indian law”
Indian company, any citizen of previously referred to entities incorporated or
India or any person or body of created under Indian law, and has not been deleted.
persons incorporated or created This has the effect of rendering this clause
under Indian law”3 to “processing redundant since any processing under Indian law
of personal data by any person will ordinarily be in Indian territory which is covered
under Indian law”. by clause (a).
3
As stated in clause 2(A)(b), PDP Bill, 2019
19 Clause The Committee finds that “data Differ Please refer to our comments regarding
3(14) breach” has not been defined in the recommendation 2. Our comments on this
PDP Bill, 2019. Therefore, it recommendation are further discussed in
recommends addition of this definition recommendation 46, which discusses the provision
to definitions clause as “data breach pertaining to data breaches.
includes personal and non-personal
data”.
20 Clause The Committee has recommended that We differ with this recommendation on two grounds.
3(15) the phrase “a non-government Differ First, the current definition of “data fiduciary” covers all
organization” should be inserted in the kinds of legal entities. Therefore, no gain is being made
from including the term “non-government organisation”.
21 Clause The Committee has recommended that Differ Please refer to our comments regarding
3(17) the phrase “a non-government recommendation 20 above.
organization” should be inserted in the
renumbered clause 3(17), DP Bill, 2021
which defines “data processor”.
22 Clause The Committee has added the Agree We agree with the recommendation.
3(18) definition of “data protection officer in
clause 3.
23 Clauses The Committee has recommended that Differ We differ with this recommendation. The inclusion of the
3(20)(xi) the definition of “harm” needs to be two sub-clauses unduly expands the scope of ‘harm’
and (xii) widened to include “psychological under the PDP Bill, 2019. While it is important to address
manipulation which impairs autonomy data-based practices which may affect the autonomy of
of the individual”. Further, it also individuals, including such a vague reference within the
recommends inclusion of a residuary definition of harms is likely to create significant problems
clause which is “such other harm as in the interpretation and implementation of the PDP Bill,
may be prescribed”. 2019. These inclusions may be removed upon further
consideration for the following reasons. First, the phrase
‘psychological manipulation which impairs the autonomy
of the individual’ is highly vague. The threshold at which
The Committee has recommended Differ We note that the term ‘non-personal data’ has been
25 Clause adding the definition of “non-personal defined in the explanation for clause 91(2). Further,
3(28) data” as “data other than personal please refer to our comments on recommendation 2
data” in the definitions clause. regarding our views on including non-personal data
within the framework of the PDP Bill, 2019.
26 Clause The Committee has recommended Differ Please refer to our comments on recommendation 2
3(29) adding the definition of “non-personal regarding our views on including non-personal data
data breach” as “unauthorized within the framework of the PDP Bill, 2019. Our
including accidental disclosure, comments on this recommendation are further discussed
acquisition, sharing, use, alteration, in recommendation 46, which discusses the provision
destruction or loss of access to non- pertaining to non-personal data breaches.
27 Clause The committee has recommended Partially We would like to point out that this definition does not
3(44) moving the definition of social media agree carry with it the exceptions mentioned categorically in
intermediaries from the explanation in clause 26(4), PDP Bill, 2019. As such, we submit that the
clause 26(4), PDP Bill, 2019 to same should be carried along with the definition to
renumbered clause 3(44), DP Bill, renumbered clause 3(44). In reference to the change in
2021. Further, the term “social media terminology, please refer to our comments for
platforms” has been used instead of recommendation 47.
“social media intermediaries”.
28 Clause 4 In relation to Clause 4, PDP Bill, 2019 Differ The proposed changes are likely to have the legal effect
the Committee observes that the way of lowering the standard of protection offered to users,
it is drafted gives a negative and therefore, are not advisable. As a result of the
connotation. Therefore, the proposed changes, the requirement of the purpose of
Committee recommends an data processing to be ‘specific, clear and lawful’ does not
amendment to the clause as follows exist anymore. The negative connotation provided by the
“The processing of personal data by clause may be suitably modified without taking away the
any person shall be subject to the above-mentioned requirement related to the purposes
provisions of this Act and the rules and of data processing under the Act. To this end, the section
regulations made thereunder”. can be reworded to provide a positive connotation while
retaining safeguards for users. This may take the
following form: “4. Fair and reasonable processing – Any
person processing personal data shall do so in a fair and
reasonable manner that respects the privacy of the data
29 Clause 5 In relation to clause 5, PDP Bill, 2019, Agree This addition limits the purposes for which data is
on purpose limitation, the Committee processed by state agencies without taking consent from
recommends that an addition should data principals under clause 12, PDP Bill, 2019 to such
be made to the purposes under clause purposes which the data principal would reasonably
5(b) which provide for non-consensual expect. We agree with this recommendation as it places
processing under clause 12, PDP Bill, processing of personal data without consent under
2019. clause 12 within the purpose limitation framework of the
PDP Bill, 2019.
30 Clause Clause 8(3), PDP Bill, 2019, provides Differ We differ with this recommendation. It needs to be noted
8(3) that where a data fiduciary finds that that clause 12, PDP Bill, 2019, provides for non-
the personal data of the data principal consensual processing. This does not mean that the
which has been disclosed to another processing has to be covert or not known to the data
data fiduciary or processor is not principals. A notice is still required to be given for
complete, accurate or updated, it processing under clause 12, even though consent is not
should notify such individual or entity required. Further, accurate data is essential, given that
of the same. The Committee processing of data by the State can have significant
recommends that a proviso should be implications on the data principal.
added which exempts its application in
cases where processing may be
prejudiced under clause 12, PDP Bill,
2019.
32 Clause The Committee has recommended a Agree As proposed in recommendation 7, the DPA should also
9(1) slight modification to the general consider this in the regulations it formulates with respect
provision on limiting retention of data. to the right to be forgotten under clause 20, PDP Bill,
2019.
33 Clause The Committee has observed that the Agree We agree with the change made to clause 11(3)(b) to
11(3) language of clause 11(3)(b), PDP Bill, reflect this clarity.
2019, is ambiguous and needs clarity. It
recommends that the data principal’s
consent should be obtained after
specifying the conduct and context
explicitly.
34 Clause The Committee has recommended that Differ We differ with this recommendation. The value of this
11(4) the scope of the consent provision addition is not clear. A fiduciary cannot provide services
should be extended to include denial which require certain data if the data principal chooses to
based on exercise of choice too. not give consent for the collection of that data. If such
data is not necessary for the provision of the service,
35 Clause The Committee has recommended that Differ It is important to re-introduce the ‘legal’ qualifier for the
11(6) when the data principal withdraws his consequences to be borne by the data principal if she
consent from processing of personal withdraws consent for processing data without any valid
data, without valid reason, the reason. Without the word ‘legal’, even monetary
consequences they suffer should not consequences can be imputed to the data principal.
be qualified as only “legal”
consequences.
36 Clause The Committee recommends that an Agree We agree with this recommendation.
13(1) employer cannot be given unbridled
freedom to process the personal data
of an employee. An employer should be
allowed to process data only if it is
reasonably expected by the employee.
It recommends clause 13, PDP Bill,
2019, to be redrafted accordingly.
42 Clause The Committee observes that a data Differ We note that clause 21(3), PDP Bill, 2019 currently sets
21(5) fiduciary has been given arbitrary out regulation-making powers for the DPA regarding the
powers to reject requests for exercise period of compliance applicable to the data fiduciaries.
of the data principal’s rights. Therefore, in our view, this addition is superfluous as the
Therefore, it recommends that a regulation-making powers where the DPA can provide
proviso should be added which for grounds of denial of requests made by the data
empowers the DPA to make principal already exists.
regulations and determine the
rationale behind denial of request.
43 Clause The Committee has recommended that Differ We differ with the drafting changes recommended. The
22(3) clause 22(3), PDP Bill, 2019 should be intent of clause 22, PDP Bill, 2019 was that while every
amended so as to allow the DPA to data fiduciary is required to have a privacy by design
grant exceptions to certain data policy, only those data fiduciaries were required to get it
fiduciaries from requiring their privacy certified, as may be required by the DPA in its
by design (“PBD”) policy to be certified. regulations. The Committee, through the redrafting it
has recommended, flips this model and requires that
every data fiduciary, other than those in the exceptions,
have to get their PBD certified. This would make
compliance tedious and hamper ease of doing business.
Therefore, we differ with this recommendation.
47 Clause 26 1. The Committee recommends that Partially 1. While we agree that social media intermediaries
the term “social media agree have gone beyond the role of being mere conduits, it
intermediary” should be redefined needs to be pointed out that regulations as recent as
as “social media platform”. It does the Information Technology (Intermediary
so on the basis that social media Guidelines and Digital Media Ethics Code) Rules,
intermediaries “are not actually 2021 refer to these entities as “social media
intermediaries that do the dual intermediaries”. Change in nomenclature in the DP
functions of an intermediary and a Bill, 2021 leads to a certain sense of non-uniformity,
platform”. especially, since such change is not required from the
point of a data protection law. However, given that
49 Clause The Committee has proposed a small Differ We differ with this. It is unclear what the Committee has
29(3) amendment to the audit provisions of intended to include by using the phrase “concurrent
the DP Bill, 2021. It adds that audits”. As a general principle of legislative drafting, such
concurrent audits be encouraged as a ambiguities need to be avoided, or adequately clarified.
practice, by the DPA. Therefore, either the proposed modification be deleted,
or concurrent audits be defined in Clause 3, DP Bill,
2021.
50 Clause 30 The Committee proposes that the Data Differ We differ with this recommendation.
Protection Officer (“DPO”) for a data
fiduciary also be a key managerial The intention behind the Committee’s recommendation
person. As such, the explanation is evidently the need to have a senior official of the
proposed by the Committee includes company be held responsible for compliance with the
the CEO, CS, MD, and CFO of a provisions of the PDP Bill, 2019. That said, there is an
company. inherent contradiction in having the DPO also hold a top
managerial position with the same company. The DPO
needs to be an insider, yet, be an individual who is
independent of the obligations that company
management typically has (like being responsible to
investor interest). The DPO’s priority needs to be
51 32(4) The Committee has recommended the Agree We agree with this recommendation.
inclusion of renumbered clause 62 that
confers th4e right to the data principal
to file a complaint with the DPA, which
the DPA shall forward to the
adjudicating officer. In light of this, the
Committee has recommended that
clause 32(4) should specify that a data
principal be able to approach the DPA,
if their complaint has not been
satisfactorily resolved by the data
fiduciary.
53 Clause The Committee has recommended Differ Please refer to our comments on recommendation 52
34(1) addition of an explanation to clause above. This explanation does not provide any clarity on
4
Central Inland Water Transportation Corporation Ltd v Brojo Nath Ganguly, AIR 1986 SC 1571.
54 Clause The Committee, with a view to Differ The concern regarding sharing of sensitive personal data
34(1) safeguarding the data of Indians, has with foreign governments or agencies seems to be a
(b)(iii) recommended that sharing of sensitive policy decision that may be better placed within a
personal data with a foreign licensing framework or as a mandatory term in a cross-
government or agency would only be border data-sharing contract or agreement. In our view,
allowed if it has been approved by the it is not desirable to have such a provision encoded within
Central Government. the law.
55 Clause The Committee recommends that to Agree We agree with this recommendation.
34(1)(c) bring uniformity between different
provisions, transfer of sensitive
personal information, allowed by the
DPA, should be in consultation with the
Central Government.
56 Clause 35 The Committee recommends that in Partially This is an improvement on the PDP Bill, 2019 which
clause 35, when the Central agree provided carte blanche powers to the exempted
Government is laying down a agencies. However, this recommendation falls short by
procedure for data protection for failing to include several safeguards such as observance
exempted agencies, it should be “just, of security measures, fair and reasonable processing of
fair and reasonable and proportionate personal data. The draft proposed by the Srikrishna
procedure”. Committee, as recommended in the dissent note by
Jairam Ramesh, MP, should be adopted instead.
57 Clause 36 The Committee has recommended Agree We agree with the change recommended.
drafting changes to bring clarity to
clause 36.
60 Clause 40 The Committee has made small Partially We partially agree with this recommendation. This
amendments to the provision enabling agree addition is superfluous as the definition of “data
the creation of experimental fiduciary” is inclusive enough to include established tech
sandboxes for facilitating data-driven corporations as well as newer startups. It is also likely to
innovation. It suggested a categorical create some confusion as to why start-ups are mentioned
inclusion of “start-ups” in sub-clause categorically while other data fiduciaries are not. The
(2). provision should not imply any difference in start-ups or
other data fiduciaries, any of which may require
sandboxes for technological innovation.
62 Clause The Committee recommends that a Differ We differ with this recommendation. This can be
42(1) person can be appointed Member understood to mean that a person who is not qualified in
(Law) if they are an “expert in the area law can be appointed as Member (Law). We differ with
of law” having such “qualifications and this re-drafting. Member (Law) should be a person
experience as may be prescribed”. holding a formal qualification in law not “in the area of
law”. The statute should provide for qualification and
experience requirements as well.
63 Clause The Committee has recommended that Agree This would make the selection committee more inclusive
42(2) the selection committee, for the and representative. We agree with this recommendation.
appointment of the Chairperson and
whole-time members, should include
technical, legal and academic experts.
64 Clause 45 The Committee has recommended Agree We agree with this recommendation.
drafting changes to clarify the role of
the Chairperson of the DPA.
66 Clause The Committee has recommended that Agree We agree with this recommendation.
49(2)(o) the Central Government and the DPA
should be empowered by way of
statutory authority to allow them to
create a framework that provides for
monitoring, testing and certification to
ensure integrity of hardware
equipment.
67 Clause The Committee has recommended that Partially The term “technical service organization” should be
50(2) clause 50(2) should be amended to agree reworded to technical standards’ organisation, which
include approval of codes of practice may be defined as a national or international agency
submitted by technical service determining benchmarks, metrics, and other forms of
organisations. standards that aid in the development, evaluation,
auditing or any other form of assessment of a
technological device. Examples of this could be the
Institute of Electrical and Electronics Engineers (IEEE),
and ForHumanity.
69 Clause The Committee has recommended that Agree We agree with this recommendation. It is instrumental in
55(1) there should be a safeguard preventing potential abuse of discretion by the Inquiry
mechanism, in the form of prior Officer.
approval from DPA, when the Inquiry
Officer orders for seizure of relevant
documents and data, during an
investigation.
5
In Re: The Delhi Laws Act, 1912, AIR 1951 SC 322
74 Clause The Committee has recommended that Differ We differ with this recommendation. An adjudication
64(4) the DPA create guidelines for the process can only be governed by the statute and
adjudicating officers while imposing delegated legislation under it. Guidelines for
penalties for violations of the proposed determination of penalties may be perceived as
DP Bill, 2021. interfering with the independence of the quasi-judicial
authority. It is recommended that principles of
imposition of penalty may either be inserted with the
parent statute itself, or be evolved over time through
pronouncements of the adjudication officers, and courts.
75 Clause The Committee has recommended Agree The inclusion of the phrase ‘representative application’
65(2) substituting “one application” with allows for the institution of class-action suits allowing
“representative application”, in clause flexibility for the affected data principals, especially
65(2), to refer to class action case when suffering varying degrees of harm. This is a positive
applications. change recommended by the Committee.
77 Clause The Committee has recommended that Agree We agree with this recommendation.
68(2) the number of members in the Tribunal
should be specified as consisting that
of a chairperson and not more than six
members.
78 Clause The Committee recommends that for Agree We agree with this recommendation.
69(1) being a member of the Appellate
Tribunal a person should be an expert
in the stated fields. It does away with
the requirement that the member
should either be a bureaucrat or a
judicial officer.
79 Clause 73 The Committee has recommended the Agree We agree with this recommendation. These amendments
amendments be made to the original will ensure that appeals lie not just against the final
clause 72, DP Bill, 2021 to allow for decisions but also interlocutory orders, which are
appeals not only against decisions, but commonly appealable in regular courts proceedings
also orders passed by the DPA or its (under the civil or criminal procedure codes).
Adjudicating officers.
80 Clause 75 The Committee has recommended Agree Given that the Appellate Authority has been conferred
clause 74(2) should be removed the powers of a civil court regarding the execution of its
83 Clause 85 The Committee has recommended that Agree We agree with this recommendation.
given that an offence may be
attributable to a party of the business,
and not the entire business of the
company, renumbered clause 85(1)
and (2) should be amended to reflect
that change.
85 Clause 86 The Committee has recommended Differ This recommendation dilutes this accountability by
shifting of the responsibility of allowing an internal enquiry to determine a responsible
offences committed under this law person, which is a lesser incentive for institutional care
from the head of any governmental regarding data security starting from the top. Further,
department, authority or body to an under the previous formulation, the guilty officer was
individual deemed responsible after an also liable to be punished under clause 85(3), PDP Bill,
in-house enquiry by that head of 2019. Effectively, this recommendation seeks to remove
governmental department, authority the accountability of the department head.
or body.
Further, the concerns highlighted by the Committee
regarding this accountability impeding decision-making
processes owing to the vast volume of data collected by
the government are counter-intuitive. It is necessary for
these decision-making processes to model themselves
around the core idea of data security, given the vast
amount of data processed by the government, and if such
modeling happens through holding the department head
86 Clause 87 The Committee has recommended an Differ We differ with this recommendation. A statutory
amendment to clause 86. Clause 86 regulator is created to maintain an arm’s length distance
provides that the Central Government from the government to ensure that there is no bias in the
can issue directions to the DPA on discharge of its regulatory functions, especially in the
questions of policy, and the DPA is context of the DPA, which will regulate multitude of
bound by such directions. However, government entities also. The government should not
the Committee is of the opinion that control the day-to-day affairs of a regulator, and
the DPA should not only be bound in adherence to directions should be confined to policy
matters of policy, but all matters. matters alone. Moreover, the norm followed in other
statutes is also to limit such directions to policy matters.
Guidance in this matter can be obtained from section 25
of the TRAI Act, 1997; section 55 of the Competition Act,
2002 and section 16(1) of the SEBI Act, 1992.
87 Clause The Committee recommends Differ For our comments on the inclusion of non-personal data
92(1) amendment of renumbered clause in general within the framework of this law, please refer
92(1) to remove specific reference to to our comments in recommendation 2.
“personal data” to include both Notwithstanding those points, it is superfluous to enable
personal and non-personal data. the central government to frame a policy regarding the
handling of non-personal data, as such a policy need not
88 Clause The Committee, with a view to Agree The disclosure of directions issued to data fiduciaries
92(3) ensuring greater accountability of the within the Annual Report presented before the
Central Government, recommends Parliament is a positive change recommended by the
that the directions it issues under Committee, as it enhances the accountability of the
renumbered clause 92(1) should be laid executive branch to both houses of parliament.
before both Houses of the Parliament.
89 Clause 94 1. The Committee has recommended Partially 1. We agree with this recommendation. Based on a
the requirement for previous agree reading of section 23 of the General Clauses Act,
publication prior to framing rules 1897, this requirement implies prior public
and regulations under the PDP Bill, consultation through the publication of draft rules,
2019. allowing for stakeholder inputs to be shared.
2. The Committee has recommended 2. We differ with this recommendation. The Committee
shifting the DPA’s regulation- does not offer any reasons or factors that necessitate
making power on the manner of this change. In our view, this change is unwarranted
registration of data auditors to a as the DPA continues to be responsible for all other
rule-making power to be aspects and functions of data auditors under section
prescribed by the central 29, PDP Bill, 2019, and is ideally placed to prescribe
government. regulations regarding the manner of registration of
data auditors.
91 Schedule The Committee has recommended an Agree We agree with this recommendation.
to the DP amendment to Section 81 of the
Bill, 2021 Information Technology Act, 2000 to
make it concurrent with the DP Bill,
2021.
92 None The Committee has summarised all the Agree We agree with this recommendation, subject to our
drafting changes it has made to the comments above.
PDP Bill, 2019.
93 None The Committee has recommended that Partially We agree with this recommendation, subject to our
the suggestions made by it should be agree comments above.
incorporated in the Bill and it should be
implemented in due course.
vclp@vidhilegalpolicy.in