Power of the Data Protection Authority (DPA) over Personal Data Governance
- Lack of stakeholder interaction (Clauses 26,34,53,93, 94)
Although Clause 50 mentions that trade associations, among other actors, will be included to conduct stakeholder interactions to develop the code of practices, it is unclear how small organizations, who are not members of these trade associations, can participate in giving inputs about PDP compliance practices.
- Final authority and layers of governance (Clauses 23, 34, 35, 86, 93, 94)
1. Clauses 93 and 94 allow the DPA to hire members of the Appellate Tribunal to finalize PDP regulations.
2. Clause 34 allows the DPA to have final say in what data can leave the country. Even this is overridden by the Central Government in Clause 35 and by government departments in Subclause 86(3).
3. PDP creates the role of the consent manager. Under Clause 23, consent manager is defined as a part of the Data Fiduciary but represents the Data Principal in case of complaints.
All of the above roles confuse the boundaries of authority during implementation and add layers of governance that will add more complexity.