The Personal Data Protection Bill, 2019, was introduced in Parliament in December 2019, and was referred to a 30-member Joint Parliamentary Committee for review. The Bill is the first legislation that focusses on privacy of citizens, and could potentially result in significant overhaul of digital businesses and companies. The Committee is expected to submit its report to the Parliament before the Budget Session concludes on April 3, 2020.
Earlier this month, MediaNama held discussions in Delhi and Bangalore on the main aspects and impact of the Bill with a wide set of stakeholders. The discussions were held with support from Facebook, Google, and STAR India in Delhi, and with support from Facebook and Google in Bangalore. The discussions were held under Chatham House Rule, so quotes have not been attributed. Quotes are not verbatim and have been edited for clarity and brevity. Read our full coverage of the discussions here: #NAMA India’s Data Protection Law – January 2020.
The following is Part II of our notes from the session on data protection authority. Read Part I here.
Does the DPA have the necessary capacity? Can it regulate for 1.3 billion people?
An audience member pointed out that while other regulators like SEBI and RBI deal with only a limited set of entities, the DPA’s regulated entities cut across sectors and are far more numerous. So will the DPA have this capacity, and what does history tell us?
Regulation for a population is only indirect: Taking the example of an existing regulator, a speaker pointed out that SEBI regulates listed entities, even though those impacted by it could be half the country’s population, that is, whoever holds shares or has invested in mutual funds, etc. SEBI is not trying to solve every single person’s problem; it is only concerned with the entities that it regulates.
There won’t be a flood of complaints, there’s a natural barrier to access: Even though users can go to the DPA with complaints, it still doesn’t mean that a regulator such as the CCI has to set up an office in every last taluk and district. There is a natural barrier to access: only somebody who has the resources and ability to make a complaint will make one. The DPA is not going to be flooded with too many complaints, because it requires a certain high level of knowledge and resources to even make a complaint to the DPA.
Finally, a speaker pointed out that it “can’t be the DPA’s job to keep everyone who comes to it happy” and that we will have to wait and watch the further regulations that the DPA drafts, which will be the “real meat and bones of this regime”.
Users can always go to the High Courts and Supreme Court: If the DPA does not act on a user complaint, the user can approach the High Courts and the Supreme Court, both of which are constitutional rights that cannot be curtailed by any law. The bill only restricts users from approaching civil courts on matters that fall within the Appellate Tribunal’s jurisdiction. Users will have to exhaust the remedy they have under the bill, but they can always approach the higher courts.
Should there be state-level DPAs?
It could be worth considering, but you could have four equally incompetent DPAs, and that may be worse. “I don’t know if there’s any regulator that has successfully managed to address the fact that they have to regulate for the 1.3 billion people, or if they regulate for the immediate body of influencers, companies, and government bodies that surround them,” said a speaker.
Yes, but that ship has sailed: “I’ve always maintained that every state needs its own data protection authority in India, and the bill should have allowed for this” said another speaker in disagreement. “The Bill leaves very little space for the state to take any different or independent view. If Karnataka government said that, ‘this is too onerous, our start-up sector is going to die. We want to come up with a better data protection regime for startups located in Karnataka’ — they can’t do that.”
On government exemptions under the bill
According to a lawyer and public policy professional, the exemption to the government is not a blanket exemption; “it’s fairly wide-ranging, and also specific and fairly limited; individual applications of that power can and will be challenged”. If Section 35 — which allows for exemptions to government agencies — was giving an exemption to too wide a set of government bodies, that could have been challenged, the speaker said, “but if Section 35 is challenged in its current form, the court could say that the Puttaswamy principles were never not absolute and there were always restrictions”.
“Rather, each restriction on privacy — or exemption given to each government agency — will be tested on its own merits. It’s difficult to judge whether or not the government should have any overall exemption powers, because that’s a very difficult framework to answer this question. But it can be tested for each exemption.”
The interaction between the central government and the DPA is crucial when it comes to the requirement to share non-personal data, and to cross-border data flows, since the central government has the power to deem any country adequate. The speaker further added:
“This is lifted from the GDPR under which the European commission (arguably) has the power to decide adequacy. But the provision under Section 34 does say that the government will consult the authority and then deem another country adequate for cross-border data flows. It’s important for the DPA to lay down exactly how far it will have a say in what the central government does in its sovereign powers.”
What kind of people should the DPA consist of? Who should lead it?
Unfortunately, there’s a tendency in government to pick government servants, although the Supreme Court has been trying to convince them not to do that, explained a speaker.
Private sector people or within government? “Initially, it will be very difficult to get a person from the private sector to set up the DPA, it will be somebody from government. What the government has tried with having Raghuram Rajan as the RBI governor, that is, somebody from the outside – should be applied across regulators, the DPA should also do this. The government usually looks for an individual who is a good administrator, and another individual who is an expert. But it’s possible to find somebody who can meet both these requirements, the government just does not exercise its imagination often enough,” the speaker added.
How about retired judges? “We should just stop putting retired judges in any official government post. It’s destroying the judiciary, and destroys the post also,” one of the speakers declared.
Who should it be? It needs to be someone with a mix of administrative experience and substantive domain expertise. Say, somebody who has been head of a tech company in India, or somebody who has worked at a very high level and understands business practices. In a field like this, where practice is changing on a day-to-day basis, you can’t expect that somebody with only hoary administrative experience will be able to respond on a day-to-day basis.
The DPA is ripe for setting the practice that regulators can come from the private sector; we shouldn’t just be looking for retired or serving bureaucrats. For the initial years, the agency will have to have government servants for the work to be set up, but over a period of time, it will be healthy to get private sector people to be part of this regulator.
DPA and other sectoral regulators: The bill tries to talk a little bit about this and the process around it, “but it’s going to be a big battle on things which are already in place, because the voluntary MOU between regulators that the bill refers to is not even mandatory, which in my view should have been,” said a speaker.
Recommendations on DPA’s functions, structure, and practices
On DPA’s powers, structure, functioning:
- Bring back the structure of the DPA as in the 2018 draft. Divest the government’s powers, and reinvest them in the DPA.
- Have some part-time members: The DPA only has full-time members, but part-time members can bring technical and external expertise. India has regulators with both structures, and there also needs to be a review of which design works better. Under its law, TRAI has a chairperson, two whole-time members, and two part-time members. “Although I have no internal knowledge of how well the part-time structure works, it has clearly worked for TRAI. TRAI has had part-time members who have been academics and professors,” the speaker explained. The benefit of part-time members is that they are “not too embedded into the system, and the chances of dissent and debate in meetings of the regulator will be higher.”
- The selection committee’s composition needs to radically change to have more independent experts, and fewer government nominees.
- Some important rules should not be left to the DPA’s discretion: Other decisions which have been left to delegated legislation by the DPA, such as procedures for meetings of the DPA and the selection committee, how many nominees there will be, how long they will spend on recommending members, and whether the voting process of DPA meetings will be public, are all too important to be left to the DPA’s discretion and need to be embedded into the rules.
- The bill says that processing of a user’s data must be “fair and reasonable”, but the trouble with both these concepts is that they’re endlessly litigable: they set no baseline meaning, and they don’t necessarily direct you to the privacy-enhancing outcome, the innovation-enhancing outcome, or an outcome that’s deferential to the state. They don’t give any sort of normative, prescriptive idea. Define “fair and reasonable” processing more precisely; this would foreclose a lot of litigation on what those words mean.
- Hive off the adjudicatory and decision-making functions from the others. If that’s not possible, then at least specify the types of procedure this body will follow. It’s good to do the specification beforehand rather than making it up as you go, as some regulators have done.
- The DPA should be mindful that data is capable of creating significant economic value, as data protection authorities across the world have realized. It’s important for this to be reflected in the way cross-border data flows are handled. For instance, portability can be monetized, data breaches can be penalized in such a way that the funds from the penalties go to the DPA and bolster it financially.
- The DPA should also not forget that the centre of the Bill is the user and their rights. State surveillance has often taken centre stage in the bill, even though Puttaswamy was clear that no law should sidestep privacy while enriching the government and leaving the citizen behind. The DPA needs to be mindful of this, especially given Section 91, and the fact that it shares powers only with the Central and not the State governments.
Best practices from other regulators that the DPA can adopt
- Make consultative process part of the DPA’s organisational DNA: every time the DPA wants to do something on the legislative or advisory front, they should involve the public and specific stakeholders.
- Transparency: The DPA should not wait for anybody to file an RTI; instead it should make the RTI redundant by putting the answer to any question people might have on its website.
- Open up hiring: Too many of our regulators hire almost exclusively from the government or from the geographic area in which they are located. The DPA should be ready, willing, and able to tap the best talent across the country, both at the top and mid levels. It’s going to need quality researchers, quality lawyers, and people capable of framing privacy issues properly. A lot of people are happy to offer their services to the government given the kind of importance that the work has, the meaningfulness it has. Maybe the DPA’s top official can be a retired bureaucrat for the first two years, but it can try and get outside talent later on, and it would be able to create a much more robust and effective body.
Read Part I of our notes on the Data Protection Authority here. Read our coverage of the discussions here: #NAMA – India’s Data Protection Law – January 2020.