Editor’s Note: This article was written before the Personal Data Protection Bill was approved by the Union Cabinet with undisclosed changes to the Draft version of the Bill which this author has based their opinions on. Therefore, some opinions expressed below may no longer be applicable under the revised Bill.
Governments the world over are finally acknowledging the importance of protecting citizens’ data. This acknowledgement and recognition have resulted in the establishment of laws and institutions which specifically safeguard databases from misuse. As data privacy is one of the top concerns in the minds of governments, businesses, data principals and academics, an overall consensus is developing amongst them on the need to protect it.
As of now, of the seven international agreements and standards relevant to data privacy, five require the establishment of an independent supervisory authority. While the OECD Principles did not call for an independent supervisory authority, the EU model, both the GDPR (previously Directive 1995) and the Convention 108 of the Council of Europe, did – 90% of countries with data protection laws have opted for this model.
Hence, the question now is – how important is it for India to have an independent data regulator? To enforce ambitious regulations that ensure the safety and privacy of data, India needs a data regulator or protection authority to supervise compliance with them. The GDPR, which acts as a model for most data regulations, provides for independent supervisory authorities under Article 45(2)(b).
However, the Justice Srikrishna committee has determined that the salaries of data regulators will be determined by the Union Government, casting a shadow of doubt over the true autonomy of the regulators. This is important given the fact that in India, the government may soon be the biggest processor of data. Such provisions raise concerns regarding the independence of the authority. The selection process around the composition of the authority requires improvements, including greater civil society involvement.
Additionally, the method of appointing the adjudication officer is unclear and is kept at the sole discretion of the central government. Given that the adjudication officer is the direct source of redressal and defence of user rights under the Draft Bill, this regulation further pushes them away from the realm of independence. It is, therefore, imperative to ensure that the appointment and functions are also bipartisan and independent.
In order to truly protect data and at the same time bring about technological advancement in India, data needs to flow across borders and be exchanged amongst countries. This data exchange requires an independent authority which can coordinate with its international counterparts and help India become a part of an international community – allowing them to learn from and develop alongside each other.
Additionally, in order to establish a relationship with the EU, Article 45(2)(b) of EU GDPR requires the European Commission to consider the existence and functioning of an independent data protection authority for a country to pass the adequacy test. Without such a separate and independent body, India is unlikely to be considered adequate for the purposes of cross-border transfer of data. Enforcement of the GDPR is the prerogative of data protection regulators in Europe (including the United Kingdom), known as supervisory authorities.
The GDPR creates the concept of “lead supervisory authority”. However, under Article 56(2) the lead supervisory authority is required to cooperate with all other “concerned” authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory. Article 52 of the GDPR also talks about complete independence of the supervisory authority.
If we were to take other international practices as examples, the US has no single national authority. The FTC has jurisdiction over most commercial entities and has authority to issue and enforce privacy regulations in specific areas (e.g., for telemarketing, commercial email, and children’s privacy) and to take enforcement action to protect consumers against unfair or deceptive trade practices, including materially unfair privacy and data security practices.
In addition, a wide range of sector-specific regulators, particularly those in the healthcare, financial services, telecommunications and insurance sectors, have authority to issue and enforce privacy and security regulations, with respect to entities under their jurisdiction.
At the end of the day, along with resources, data protection authorities also need to be provided with space and autonomy by their governments in order to bring the security and safety in the digital ecosystem envisaged in Data Protection Acts to fruition. Any sort of government interference and overburdening of the appointed data protection authorities will only lead to greater security breaches, and a reduction in cross-border flow of data since other countries will be distrustful of the authorities who cannot function independently.
[The article is co-authored by Kazim Rizvi and Maanya Vaidyanathan, Policy and Engagement Manager at The Dialogue.]