Protection from Data Protection Authority

28 Dec 2021

Opinion: K P Krishnan

Parliament has to reconcile the twin challenge of protecting people not just from data fiduciaries but also from the protector itself.

The Personal Data Protection Bill (Bill) was introduced in the Lok Sabha in December 2019 and referred to a joint parliamentary committee (JPC). The JPC submitted its report recently. The original Bill was aimed at protecting personal data. The JPC felt that it is impossible to distinguish between personal and non-personal data. Hence, it recommended that the Bill provide for the protection of all data, and that it be renamed the Data Protection Bill.

Experts have commented on the domain issues dealt with in the Bill and the report. This piece will focus on an important but less discussed aspect of the Bill, namely the design of the statutory regulatory authority (SRA). The Bill sets up a Data Protection Authority (DPA), which is empowered to take steps to protect the interests of individuals, prevent the misuse of personal data and ensure compliance with the Bill.

Very broadly, “regulation” is intervention by public agencies to correct market failure by inducing modification or change in the behaviour of a target population. “Regulation” by SRAs is more than just administrative intervention.

Chapter XIV of the Bill empowers the DPA to make regulations to carry out the provisions of the Bill. It lists specific areas for regulation, besides an all-encompassing omnibus clause. In addition, according to chapter IX of the Bill, the DPA has the power and the duty to promote good data protection practices and facilitate compliance. These will also be effected through regulations made by the DPA and hence will have the force of law. These codes will ensure the quality of the data, its retention, its processing (including the obtaining of consent), standards of security safeguards, anonymisation, etc. This chapter also has the all-encompassing omnibus general clause.

This arrangement is not unusual in India, but it is important to understand how “regulation” works. A parliamentary legislation empowers an SRA to make subordinate legislation that regulates the substance of the domain. In effect, the DPA will “legislate” extensively on this domain. More of our legal rights and obligations will flow from regulations made by the DPA and less from parliamentary law.

In addition, according to chapter IX of the Bill, the DPA has the powers of a civil court to call for information as well as to conduct inquiries on data fiduciaries. Based on these inquiries, the DPA can pass orders, including suspension, cancellation or modification of the registration granted to a data fiduciary. So, in the extreme case, the DPA can deny that entity the right to carry on the business of a data fiduciary — a fundamental right under Article 19 of the Indian Constitution. Further, in accordance with the provisions of chapter X of the Bill, for statutory non-compliance the DPA can impose penalties which can go up to 4 per cent of the total worldwide turnover of the data fiduciary!

These are what we understand as judicial or quasi-judicial powers. The DPA, which in the previous paragraph emerged as the principal legislator for “regulation” of data protection, has also emerged as the first-level adjudicator for violations of the very legislation that it wrote and inquired into.

It should be clear now, even to the layperson, that the DPA is more than a department. It is a mini-state, as it is empowered to legislate, to implement the legislation, and to adjudicate on disputes with external agents on the very legislation that it writes and enforces. But we all thought that the principles of separation of powers and of checks and balances were part of the basic structure of our Constitution?

Way back in 2004, the Supreme Court stated, in the context of the SEBI Act, that “… Integration of powers by vesting legislative executive & judicial powers in the same body in future may raise several public law concerns”. In recent times, courts have been less forgiving, increasing their scrutiny and setting aside more regulatory actions than in the past.

Domains like data protection and finance (crypto assets and fintech, as examples) require “regulation” of the kind described above. They are technical and are characterised by fast and continuously evolving developments. Hence, nimble-footed legislative responses and speedy adjudication by the same expert agency are perhaps a necessary evil. The challenge, however, is to reconcile this necessity with the fundamental principles of the Indian constitutional rule of law.

Nearly a decade ago, the Financial Sector Legislative Reforms Commission (FSLRC) had recommended a comprehensive framework for the governance and accountability of SRAs, including internal and external checks and balances. These included measures for a strong and independent board, rigorous selection of board members, empowering the boards of SRAs to exercise oversight over management, greater accountability of SRAs to Parliament, and greater transparency and outreach. Other best practices have also begun to be developed by more recent Indian SRAs. In a slight departure from other regulatory legislation, section 196(1)(s) of the India Bankruptcy Code 2016 requires the regulator, the Insolvency and Bankruptcy Board of India (IBBI), to “specify mechanisms for issuing regulations including the conduct of public consultation processes before notification of any regulations”. Going beyond this limited requirement, the IBBI issued the IBBI (Mechanism for Issuing Regulations) 2018 and built in the requirement of an economic analysis of every regulation and a review of regulations every three years to decide on their continuance.

With a DPA that is staffed entirely by whole-time members, silence on the regulation-making process, and allowing instruments like “directions” which are not subject to the rigour applicable to “regulations”, the Bill and the JPC report have unfortunately missed this entire aspect of regulatory design and governance. Hopefully, the government will incorporate these essential design features in the proposed DPA framework when finalising the Bill. It is important to note that, given the nature of the domain, nearly every Indian and every commercial activity would be in the DPA’s ambit. Indians certainly need protection of their data. With an omnipotent DPA, an ominous Latin phrase comes to mind: Quis custodiet ipsos custodes (Who will guard the guardian?).

The writer is professor at NCAER, a member of a few for-profit and not-for-profit boards, and a former civil servant. Views expressed in the article are personal.

Published in: Business Standard, 28 Dec 2021