This is the second post in our series covering our events in Delhi and Bangalore on India’s Data Protection Law. Click here to read the rest.
“The Data Protection Authority of India, as it stands, performs legislative, executive and judicial functions. It’s not a bad thing,” said Alok Prasanna Kumar, Senior Resident Fellow at the Vidhi Centre for Legal Policy at the #NAMAprivacy discussion on the data protection bill in Bangalore last week. “But unlike other regulators, the DPA’s ambit is vast. It could potentially deal with every kind of company. So, there’s no way one entity could do this in regards to efficacy and no single entity should do it either.”
That was one of the many challenges that our panelists have suggested that the regulator may face when it is established. Panelists, however, were largely unsure on how the proposed regulator will impact consumers or businesses, given that the most regulations are yet to be defined in the Personal Data Protection Bill, 2018. To this extent, Renuka Sane, Associate Professor at the National Institute of Public Finance and Policy (NIPFP) said, “On most questions about this law, I would have one answer, that it is too early to say anything. We will have to wait and see how it will evolve.”
To reiterate, the draft bill, 2018 proposed establishing a regulatory body that will implement and oversee the data protection law in the country; the Data Protection Authority of India (DPA). The regulatory body will be empowered to impose penalties on data fiduciaries, accept complaints from data principals, prevent misuse of personal data, determine if the data protection law has been violated, and promote awareness of data protection. The authority will consist of six whole-time members and a chairperson, to be appointed by the central government, based on the recommendations of a selection committee that includes the Chief Justice of India (CJI), the Cabinet secretary and one CJI nominated expert.
The following are some of the key points made in both, Delhi and Bengaluru. Please note that these points are not necessarily listed in the order they were made and are not verbatim excerpts of the speakers’ remarks. We’ve edited them for brevity.
Regulatory and Enforcement by the DPA
- Tasks to be undertaken: There are four main functions that the DPA has to undertake at some point of time –
- The DPA will have to issues licenses to some players
- It will have to come up with regulations as there are several places in the Act (Bill) that will be determined by regulations,
- It will have come up with some sort of monitoring mechanism to gauge if you are abiding by the regulations are not and iv. It will have to determine violations and undertake enforcement actions. (Renuka Sane)
- To increase transparency and credibility: Regulators have to demonstrate what is the problem that they are trying to solve before passing a regulation. Is the solution they are opting for, the most appropriate way of solving the problem? Have they considered all the available alternative solutions? They need to hold public consultations on all these issues in a transparent manner. Unless all these things are embedded in the law, we are not going to make much progress on the DPA. (Renuka Sane)
- Regulatory balance: The regulators in India need to merge the two sides of responsive theory – compliance theory, where we put a lot of faith in businesses to self-regulate and comply with processes, with dissonance theory, where we have punishments, fines and criminal enforcement for noncompliance. (Amber Sinha, Senior Programme Manager at Centre for Internet and Society (CIS))If a DPA were to come in today and regulate everybody who is dealing with personal data at a significant level, there are more than 600 million entities that they have to regulate. (Beni Chugh, Dvara)
- Accountability: When you create an extremely powerful agency like the DPA, you will have to put in place a system of regulatory governance, where the DPA is held accountable for its actions or else you will exhaustipate the asymmetry of power between the regulator and the regulated. (Renuka Sane)
One big feature, which has become a standard practice across regulators, that is missing in the DRA is a reporting board structure, where you are internally accountable to the management board and externally, you are accountable through self-reporting mechanisms. The functioning of the Chairperson is not defined well enough for us to see if there is enough internal accountability at the organisation. The internal governance of the regulatory body is what can improve the outcomes of the regulations. (Beni Chugh).
Penalties for violation of privacy laws.
- Criminal penalties: According to me, the threshold for a criminal offence is low in this bill. If the law were to be implemented today, a vast majority of the businesses would be criminally charged. There are three provision in the bill that deal with criminal penalties, they essentially deal with data processors breaching individual rights in a reckless or in a grossly negligent fashion. There are legal standards on how to construed ‘reckless’ behavior, particularly from the domain of tort law. However, what will trigger an enforcement action is still kind of open to speculation because the language of the bill open to interpretation. (Amber Sinha, CIS)
The bill enables the Data Protection Authorities to impose penalties of up to Rs 15 crores or 4% of the annual global turnover, whichever is higher, for violating privacy laws.
- Penalties for govt authorities: Even if you levy a heavy fine on a government authority for breaching any laws, it’s you and I who will be paying for their fault, because its ultimately going from the Budget. I think that’s where the criminal offense part of it becomes important. You can hold people personally liable. (Beni Chugh)An individual liability on a government official or secretary may be the way to go and I find that the bill has that provision In (Bill) 96 (3). (a member of the audience)I think that there are several exceptions given to the state and perhaps that will make it more difficult to define whether there has been a violation by the state. (Renuka Sane)
Impact on consumers and businesses
- Onerous task for consumers: The problem with the bill is that it assumes a lot of active understanding of the law. For a consumer to file a grievance, she has to say that there was a violation and it is likely to (or) has caused her harm. But, since harm is not well defined, how are you going to file a grievance? (Beni Chugh)
- Uncertainty over regulations: I’m uncertain about the impact the bill would have on businesses because many of the obligations that one needs to abide by, are not well defined. (Beni Chugh)
- Bill will become less ambiguous once the DRA creates regulations. (Renuka Sane)
- One thing that the bill does fairly well is defining the obligations of a data processor. (Amber Sinha)
- There are certain discrepancies which exist between the approach that the report seems to espouse and what is actually reflected in the Bill. (Amber Sinha)
- On most questions about this law, I would have one answer that it is too early to say and we will see how it will evolve. (Renuka Sane)
- There are various metrics based on which you can define if the DRA is an independent organisation. Based on few of them, it could be independent, but based on others, it could not be. (Renuka Sane)
- I think that there are several exceptions given to the state and perhaps that will make it more difficult to define whether there has been a violation by the state. (Renuka Sane)
- I predict that the DPA will treat NPCI as any other fiduciary, even if the data it processes will be marked as critical. (Manasa Venkataraman, Associate Fellow, The Takshashila Institution)
- In the EU, they have had the luxury of spending 10 years (on GDPR) because they already had a data protection law. But for us, we never had one, this is the first one. So, in that sense, it is definitely much more urgent for us. We have to get it right, we can’t rush it but there is much greater urgency in our jurisdiction. (Amber Sinha)