The Data Protection Authority is more of an overarching regulator rather than a sectoral regulator
The decision of the Indian Government to come out with a personal data protection law is a welcome move
It is important, that any proposed data authority, is accessible to individuals from all walks of life
The Personal Data Protection Bill, 2019 as the name suggests, aims at protecting the privacy of citizens by safeguarding their personal data from being exploited by any entity, be it a private company or the State. The Bill is ambitious in nature and intends to give the individual more control over their personal data and methods to exercise their digital rights.
For a country like India, going from state of abysmal data protection laws and practices to such an extensive framework is going to be no easy task. The proposed law is likely to impact the way digital businesses, or any business for that matter, function in a drastic manner. How these businesses collect data from individuals and what they do with that data will be subject to certain requirements and restrictions once the framework comes into force.
The Bill sets out to achieve a myriad of objectives, ranging from protecting user’s rights, monitoring the cross-border flow of data to establishing a regulator and creating a sandbox to promote innovation, to name a few. However, at the center of all the objectives it sets out to achieve, lies one largely empowered body – the Data Protection Authority (DPA) or the proposed regulator as per the Bill.
The Data Protection Authority (DPA) will have to fulfill the task of being the bedrock of the whole data protection framework in India in the upcoming years and it will also play a crucial role in the transition phase of the legislation.
Considering the sheer amount of responsibility that will be shouldered by the Data Protection Authority (DPA), the first concerns that emerge regarding the proposed authority as per the Bill, are regarding its independence. At present, the select committee responsible for the selection of members of the DPA, comprise of only members of the executive. The present version of the Bill strays from the earlier draft, that had proposed the inclusion of a judicial member on the committee to ensure a semblance of judicial oversight.
The inclusion of a judicial member or stakeholders from outside the executive, would promote transparency and also keep any fears of Government bias or control at bay. The need for independence is imperative, as the proposed DPA regulates not only private entities but also the Government, who happens to be the largest fiduciary of data.
The Government already has significant interaction with the functioning of the DPA through budgetary controls and the power to frame policy that will be binding on the DPA. In such a situation, the inclusion of a transparency obligation for the Data Protection Authority, along with measures to enable judicial oversight in selection would be a welcome move.
The Data Protection Authority is more of an overarching regulator rather than a sectoral regulator. The entities under its purview cut across different sectors, such as health, finance, national security, etc. Even the functions that the DPA is set to carry out lie across the spectrum, ranging from adjudicative, legislative, executive to advisory functions.
Such an authority, that dabbles in such a variety of sectors, is unprecedented in Indian regulatory history. Previous regulators have largely dealt with limited entities. Such a mandate, stresses upon the need for such an authority to have state-of-the-art technical expertise.
The matters relating to the regulation of the data framework often involve questions that require high-level technical expertise, the appointment of technical members in addition to regular members would be a welcome step in the direction of enhancing the capacity of the body. The capacity of the regulator to perform judicial functions is also one of its crucial functions, in such an event the existence of a requirement of prior judicial experience or some form of training in such matters is important.
Though the number of functions entrusted to the Data Protection Authority (DPA) have been reduced in comparison to the previous draft released, it still has a huge task at hand. The DPA’s functions include the monitoring compliance with the law, the provision of relief to wronged citizens, law-making and the promotion awareness amongst the populace. In addition to this, many of the principles laid down in the Bill are to be codified by the DPA in the days to come.
In such an event, there is a risk that the proposed authority will be overburdened, which will hamper its effectiveness. Such an issue accompanied by the single-tiered structure of the proposed authority may prove to be largely problematic in the future. A tiered structure, with an empowered body at the Centre with state-level or regional authorities that report to it, would ease the burden of the DPA and also resonate with the federal structure of India.
It is evident that the Data Protection Authority (DPA) has some heavy lifting to do. Thus, it is important for law-makers to recognize the importance that a sound structure will play in ensuring that the DPA is an effective body.
While having a conversation about the data protection authority (DPA), we often forget to mention one of the key requirements it must fulfil to truly be effective – accessibility. Since data is of such pervasive nature that it belongs to anybody using tools to connect to the internet or make a call, it is necessary to empower stakeholders across sections of society with respect to their data rights.
It is important, that any proposed data authority, is accessible to individuals from all walks of life. The platform for interacting with the DPA should ideally be multi-lingual, more graphic and less text-based to cater to a wide audience. It must be overall less dependent on literacy (and digital literacy), so that a broader section of the population, across economic lines, can raise their concerns with the authority.
The decision of the Indian Government to come out with a personal data protection law is a welcome move and will largely augment the Indian digital economy. However, the Government has not yet recognized the immediate burden that would fall upon the Data Protection Authority (DPA) to help the Government navigate through the transition and implementation of this law.
In order to achieve the kind of broad objectives proposed in this legislation, the Government must ensure that it has a strong, independent and sufficiently empowered authority in place right from the get-go. If such an authority, that ideally forms the foundation of such a framework, is shaky to begin with, it might bring down the whole structure with it.
[This article was co-authored by Kazim Rizvi and Shefali Mehta, strategic engagement and research coordinator at The Dialogue]