Data Protection Board will not be a regulator like RBI or Sebi

The Data Protection Board (DPB), mandated by the Digital Personal Data Protection bill, which was passed by the Rajya Sabha on August 9, will not be a regulatory authority like the Reserve Bank of India (RBI) and Securities and Exchange Board of India (Sebi) and thus the debate over its independence is not relevant, Union Minister Rajeev Chandrasekhar told Moneycontrol in an interview.

“The DPB will be notified for the specific purpose of adjudicating the consequences of a breach under the law. It is not a regulator. It is not an authority in the sense that you think of RBI or Sebi. It is a board that will say, ‘I have received the complaint that you have sent that your data has been breached. I will ascertain the consequences of the breach and I will investigate it and enforce a penalty on the platform that has breached the data’,” he said.

Under the bill, the DPB will be the nodal body for all data processing and data breach-related issues that may arise. The board’s members, including the chairperson, will be appointed by the central government for a term of two years and can be reappointed.

In the event of a personal data breach, the board may direct mitigating steps, conduct an investigation, and also impose a penalty. It must provide the individual a chance to be heard, and it has the authority to issue directives, which the person must follow.

The DPB’s overarching powers have been criticised, and its independence has been questioned. Although the legislation states that the board will function as an independent body, experts have pointed out that the government controls the appointees, its functions, and more.

“Now whether it has to be independent or not independent is an extraneous debate because it is not a regulator and every decision of the DPB will be appealable to the TDSAT (Telecom Disputes Settlement and Appellate Tribunal) and courts. There is enough oversight and enough scrutiny. The issue is of accountability and we have designed the DPB to be accountable to those who are principal stakeholders,” said Chandrasekhar, who is the Minister of State for Electronics and Information Technology.

The DPDP bill has now been passed by both houses of Parliament. This comes six years after the Supreme Court ruled that the right to privacy is a fundamental right, and that it is the government’s responsibility to create legislation to protect the online data of citizens.

There have been multiple versions of the bill in the intervening period which underwent a long set of deliberations between the government, industry and civil society.

Chandrasekhar also said that the government won’t have an unfettered access to citizens’ personal data and consent will be taken except in circumstances like national security or health emergencies.

“Privacy in our scheme of things is not absolute. There are always reasonable restrictions in privacy as there are in freedom of expression,” he added.

The Centre has introduced certain “legitimate causes” in the Digital Personal Data Protection bill where the government largely and, in a few cases, private entities can process citizens’ data without explicit consent. Moneycontrol