Editor’s Note: This article was written before the Personal Data Protection Bill was approved by the Union Cabinet with undisclosed changes to the Draft version of the Bill which this author has based their opinions on. Therefore, some opinions expressed below may no longer be applicable under the revised Bill.
Conversations on the need for data protection, and for regulation surrounding it, have been taking place around the world recently. The need has been felt even more strongly since the European Union Parliament approved the General Data Protection Regulation (GDPR) in 2016 and enforced it as recently as 2018. Similarly, other countries accord differing levels of importance to protecting their citizens’ rights regarding data.
However, the Data Protection Authority – which has the responsibility of making sure that data protection laws are complied with – is not discussed nearly enough. Based in Brussels, the European Data Protection Board (EDPB) has been devised to bring together the national data protection authorities of different member states, and seeks to hold conferences which address data and privacy concerns that are relevant across borders. The idea is to cooperate and learn best practices from their counterparts, converse on how to enforce privacy law, work on joint initiatives and strategize on techniques to create awareness.
In India, the Personal Data Protection Bill (2018) outlines the establishment of a Data Protection Authority in Section 49, Chapter 10. The Bill recommends that this authority should consist of a chairperson and six other members, to be appointed by the Central Government. The recommendations shall be made by a selection committee chaired by the Chief Justice of India (CJI) or a judge of the Supreme Court of India nominated by the CJI, and also including the Cabinet Secretary and an expert in the field. The expert is nominated by the CJI or a judge of the Supreme Court of India, with the Cabinet Secretary also consulted on this nomination.
The Bill further goes on to give powers to the Central Government with respect to the terms and conditions of employment, removal of members and grants of money, which raises concerns in terms of how much independence the Authority will practically have. There is no clear guideline on the establishment of regional offices in the Bill yet, which overburdens the envisaged Authority.
Furthermore, the Bill creates the post of an Adjudicating Officer appointed by the Central Government – and an adjudication wing which will handle the redressal and defense of user rights under the Draft Bill. There is little clarity on the method which will be used to hire such an Officer, and this does not inspire confidence in terms of transparency and independence. Within the Bill, the Data Protection Authority is allowed discretionary powers – and one of the challenges that India can anticipate facing in the future is ensuring that it is not above inspection by Parliament.
The GDPR evaluates the role of the Data Protection Authority based on ‘independence’ and ‘adequacy’ which are embedded in Article 45(2)(b), emphasising the importance of an Authority which is required to be unbiased.
European countries have taken on the task of creating such authorities, but India will not be able to ensure compliance because of the issues highlighted in the previous section. It would be pertinent for India to take note and learn from the experiences of countries which are focussing on establishing the role of the Data Protection Authority as independent and adequate.
Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, the United Kingdom, Liechtenstein and Norway are all countries which have established Data Protection Authorities which meet and discuss issues of privacy and security, and collaborate on a regular basis.
The details concerning their office and point of contact are listed on the European Data Protection Board’s website in order to make the Authorities more transparent and accessible to their citizens. They listen to complaints as citizens become more aware and raise issues pertaining to the security of their personal data, and are open to critical feedback on how they can make their campaigns more effective. Their everyday job is primarily to ensure that the fundamental right to privacy is upheld and preserved.
However, countries which are not part of the European Union find it difficult to comply with all of the ideals laid out by the GDPR. The United States of America has not established a Data Protection Authority as yet – commercial issues fall under the purview of the Federal Trade Commission (FTC), and there are laws such as the United States Privacy Act and the Safe Harbor Act which seek to protect privacy and personal data of its citizens. Similarly, in spaces such as healthcare, financial services, telecommunications and insurance there are laws and regulations specific to the sector being discussed.
In Russia, the Roskomnadzor is recognised as the Data Protection Authority; it oversees the collection, storing and sharing of personal data, has the authority to impose rules of data protection, and seeks to secure personally identifiable information (PII).
Recently, Google and Facebook have come under fire from the Roskomnadzor for allegedly breaching the election law of Russia. China has a regulator called the Cyberspace Administration of China (CAC), which controls and censors the internet domain and everything related to it. Although the Ministry of Public Security also exists to address similar concerns, the CAC is the primary regulatory body. Apart from it, similar to the US, there are sector-specific regulatory bodies which choose to limit their focus.
Similar to India, Brazil has an established Data Protection Authority – the National Data Protection Authority (ANPD). The ANPD comprises a board of directors, a national council, an inspection body, an ombudsman body, a legal advisory body and administrative, specialized units for the enforcement of the LGPD (Lei Geral de Proteção de Dados) – which is the General Law of Personal Data Protection. It is also a highly political body with little independence of its own. The ANPD is also overburdened with administrative measures apart from adjudication.
Since countries which neighbour India and are geographically closer to it look for inspiration in framing laws around the fast-evolving internet and the zenith of concerns it brings, which society needs to address, the framing of the Data Protection Authority’s role is of key importance.
Taking inspiration from the GDPR, which establishes the role of the Authority in clear terms, India needs to focus on the principles of adequacy and independence. Overburdening the authority or tainting the appointment process will not lead to the sort of transparency which is globally demanded. The future of privacy and security, and the role of storing and sharing data in between these concerns, can only be addressed through a clearly conceptualised Data Protection Authority.
[The article is co-written by Kazim Rizvi and Trisha Pande, Policy Manager at The Dialogue.]