Data Protection Will Win Only When the DPA Wins
India has travelled a long way since 1954, when the case of M.P. Sharma first discussed the right to privacy. We cannot undo the gains at the stage of effective enforcement.

With the tabling of the JPC report on the Personal Data Protection Bill, 2019 (PDP Bill), a data protection law for India appears imminent. The effectiveness of this law will depend primarily on how well it is enforced. Beyond effectiveness, abuse of discretion and misapplication of the law can have significant adverse consequences for both regulated entities and the individuals the law is meant to protect. The PDP Bill provides for the creation of a Data Protection Authority (DPA) to enforce its provisions. It is therefore important to examine the regulatory challenges the DPA is likely to face.

Existing Regulatory State

Apart from some variations (with respect to the appointment of adjudicating officers), the PDP Bill follows the standard model found across legislations constituting regulators in India. These legislations typically specify qualifications, terms and conditions of appointment and removal for members, quorum and voting requirements, and the powers and functions of the regulator. This uniformity, however, is symptomatic of a larger underlying failure: regulatory governance in India has received inadequate reflection and has not developed beyond this template. The JPC report demonstrates this further, as it does not examine the DPA's provisions in any perceptible depth. In a recent index published by the World Bank, India achieved only a middling position on regulatory capacity, figuring in the 40-50 percentile bracket. The reasons for this inadequate regulatory capacity are several.

Regulatory Capacity Issues

The generic challenges faced by Indian regulators are accentuated in the context of the DPA for a number of reasons. First, Indian regulators suffer from structural weakness in the form of vacant posts, which leads to regulatory capacity issues. In so far as capacity is concerned, the mandate of the DPA is far wider than that of any existing regulator. Given the diverse nature of the regulated entities it applies to, data protection legislation often follows a principles-based approach: the statute lays down the fundamentals of data protection and leaves it to the regulator to provide context-specific detail.


Further, unlike other regulators that exercise sectoral jurisdiction over an identifiable number of players, which in most cases are registered or licensed by the regulator, the DPA's jurisdiction is defined by way of an exception clause. It is required to regulate data processing by all entities, except small entities that process data manually. The nature of the regulatory jurisdiction to be exercised over these entities is also resource-intensive. For example, examining data audit reports of significant data fiduciaries, monitoring cross-border flows of personal data, deciding which data breaches the data principal is to be informed of, and taking action on reports submitted by inquiry officers are transaction-intensive activities that require extensive human resources.

In the context of personal data, regulatory incapacity can have insidious consequences, given that misuse of personal data is often irreversible. This is particularly noteworthy at the level of the adjudicating officer, to whom the DPA may forward an individual's complaint that their concerns were not satisfactorily resolved at the regulated entity's level. Where data processing malpractices continue because resolution of the complaint is delayed, the relief eventually granted is often rendered infructuous.

Maintenance of DPA’s Independence

Second, the reluctance of the government to cede regulatory control often leads to turf wars between the respective ministry and the sectoral regulator, thereby diminishing the market's trust in the regulator. Maintenance of functional independence from the government is necessary for the DPA to inspire trust as a neutral regulator. The primary reason is that the government is going to be a substantial data fiduciary, against whom individuals will be enforcing their data protection rights. This is all the more so because of the various exemptions made available for processing of personal data by the government for certain purposes.

As such, the DPA would have to ascertain the judicious application of these exemptions, enforce data protection obligations that are not exempted and levy appropriate deterrent penalties in case of contravention of the law. This is also important to ensure a level-playing field between government data fiduciaries and private data fiduciaries when they process data in the same capacity, so that government data fiduciaries do not gain unfair advantage from unauthorised processing.

There are certain elements in the PDP Bill which may hamper this independence. First, the selection committee, as constituted under the PDP Bill, has no non-governmental members. The JSK Committee had recommended the inclusion of the Chief Justice or her nominee in the selection committee. However, the PDP Bill, 2019 derogates from this and provides for a selection committee made up only of secretaries in charge of various ministries. The JPC partially addresses this by recommending that the membership of the selection committee be expanded to include other officials, but it still does not include a judicial member.

In other areas, however, the JPC's recommendations significantly impinge on the DPA's independence. First, the JPC recommends that the DPA lay down guidelines to be followed by the adjudicating officer while determining and imposing penalties. Guidelines laid down by the DPA would impinge upon the discretion of the adjudicating officer; any directions hemming in that discretion should be provided statutorily. More importantly, the institution of the adjudicating officer is constituted outside the DPA precisely to ensure the former's independence, because it is the DPA that submits complaints to the adjudicating officer for the determination of fines and penalties on errant data fiduciaries. The DPA laying down guidelines for the adjudicating officer's levy of fines and penalties would therefore create a conflict of interest and disregard the principle of separation of powers.

Second, the JPC recommends that the DPA be bound by the directions of the central government in all cases, and not just on questions of policy. The effect of this would be to negate completely the functional independence of the regulator. As mentioned above, a statutory regulator is created to maintain an arm's length distance from the government and to depoliticise regulation. Allowing the government to control the day-to-day affairs of the regulator would make it no different from any other department of the government. Further, such a provision is not found in the parent legislations of most regulators: the statutes constituting TRAI, SEBI and CCI all limit governmental directions to policy matters alone. The JPC's recommendations on this aspect of the DPA's independence are therefore ill-advised.


Incorporation of Administrative Law Principles

The last facet of increasing the DPA's effectiveness as a regulator is the incorporation of sound administrative law and regulatory practices in the discharge of its functions. Unlike other jurisdictions, which have codified administrative law, India has seen this law develop through the customisation of constitutional and common law on a case-by-case basis. When discharging its legislative and standard-setting functions, the DPA should adopt a robust stakeholder consultation process, as TRAI does.

The DPA is required to make regulations primarily on the rights of data principals and the obligations of data fiduciaries. Given the range of entities and individuals these regulations will affect, and the magnitude of that impact, it is pivotal that the DPA institutionalise stakeholder consultation in their making. Similarly, developing practical codes of practice will require interaction with industry to understand technical feasibility and prevailing standards of practice. The government would do well to heed the JPC's advice in this regard, where it recommends "previous publication" of the regulations before their notification.

As far as the discharge of quasi-judicial functions, both by the DPA and by the adjudicating officers, is concerned, there is a need to institutionalise practices that promote adherence to the principles of natural justice. Regulations made by the DPA for itself, and by the central government for the adjudicating officers, should lay down the contents of a valid show cause notice, the manner in which the right to a hearing is to be afforded to the regulated entity, the scope of the right to examine documents during the proceedings, and the maintenance of separation between the inquiry officer and the DPA, as also between the adjudicating officer and the DPA. Further detailed guidance on these aspects should be given through manuals that establish standards of practice, so that institutional capacity to follow these best practices is built up over time.

The PDP Bill provides that one member of the DPA should be specifically trained in law. This is probably intended to reduce instances of regulatory orders being overturned by appellate authorities on the ground that principles of natural justice were not observed. The PDP Bill should further provide that the Member (Law) form part of the quorum whenever the DPA discharges quasi-judicial functions. This would minimise situations in which these principles are not adhered to simply because members of the DPA were unaware of their substantive content.

The Way Forward

It is clear that duplicating existing regulatory legislations and structures will result in a DPA encumbered with the same problems. The JPC proposes a two-year timeline for the PDP Bill to come into effect once passed, and six months from the date of notification of the Act for the DPA to come into existence. Given the mandate of the DPA, it is doubtful whether it will be able to put the requisite regulations and codes of practice in place within the intervening 18 months. Having these regulations and codes of practice ready before the provisions take effect is imperative, because data protection law in its present form is a novel field of regulatory compliance for data fiduciaries in India. While the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 laid down some requirements akin to those in the PDP Bill, they are nowhere near as demanding as the compliance requirements under the PDP Bill.

Typically, the lifecycle of regulation-making, when it includes pre-legislation consultation, is between eight and 12 months. To expect the DPA to finalise its regulations and codes of practice in such a short span is therefore unrealistic. The government could follow the example of SEBI, which in its initial stages was set up not as a statutory body but as an advisory body. An interim DPA could similarly be constituted in an advisory capacity, with working groups under it developing blueprints of regulations and codes of practice through a consultative process with online users, industry bodies and the government. A working group should also be specifically constituted to propose model administrative law and regulatory best practices for the DPA to adopt.

Finally, the government should reconsider the JPC's recommendations to include additional areas of regulation, such as non-personal data and social media intermediaries, which seem superfluous to what the PDP Bill already contains. These will only add to the capacity constraints of the regulator.

India has travelled a long way since 1954, when the case of M.P. Sharma first discussed the right to privacy. It has charted a still more difficult course since the Puttaswamy case in 2017 recognised the right to privacy as a fundamental right, in terms of building consensus on the different aspects of this law. The government would do well not to undo these gains by stumbling at the stage of effective enforcement.

This is the last in a four-part series by the author on key issues around India’s data policy. You can read the first, second and third article in this series here.

Trishee Goyal is a project fellow at the Centre for Applied Law and Technology Research, Vidhi Centre for Legal Policy. The views expressed in this article are those of the author and do not represent the stand of this publication.
