The Personal Data Protection Bill, 2019, was introduced in Parliament in December 2019, and was referred to a 30-member Joint Parliamentary Committee for review. The Bill is the first legislation that focusses on privacy of citizens, and could potentially result in significant overhaul of digital businesses and companies. The Committee is expected to submit its report to the Parliament before the Budget Session concludes on April 3, 2020.
Earlier this month, MediaNama held discussions in Delhi and Bangalore on the main aspects and impact of the Bill with a wide set of stakeholders. The discussions were held with support from Facebook, Google, and STAR India in Delhi, and with support from Facebook and Google in Bangalore. The discussions were held under Chatham House Rule, so quotes have not been attributed. Quotes are not verbatim and have been edited for clarity and brevity. Read our full coverage of the discussions here: #NAMA India’s Data Protection Law – January 2020.
The following is Part I of our notes from the session on data protection authority. Read Part II here.
DPA’s independence: why, how much, and what now?
The DPA’s independence is crucial given that its core functioning includes regulating government bodies, not just private entities, pointed out a speaker. In fact, what’s unique about the DPA is the degree to which it will have to contend with the State as an antagonist, said another speaker. This is not the case with the Competition Commission of India (CCI) or with the Insolvency & Bankruptcy Board (IBB), s/he added.
How independent is the DPA currently?
The current selection committee consists of a cabinet secretary, secretary of legal affairs, and MeitY secretary. According to one of the speakers, this makes it a “government committee and an in-house affair”. The speaker pointed out that this is a deviation not just from the 2018 draft, but from many other Indian laws and regulatory setups. “The CCI allows external experts on the selection committee, who suggest names for vacancies, although the government appoints the members. Even the IBB allows outside experts,” the speaker said.
When asked about how independent the DPA is, our speakers made the following points:
- The DPA’s independence falls short structurally given the kind of shadow that the Central government casts on the working of this body, in terms of budgetary controls and the power to make directions. But it also falls short functionally; we don’t know the DPA’s processes or transaction of business; what they will be is left to the rules, so we will have to see what they are.
- The DPA is certainly less independent and less transparent when compared to TRAI. Regulators that have come after TRAI have gone further: while the TRAI Act only says that TRAI has to be transparent in functioning, other regulators such as the Airports Authority of India and the IBB have gone a step further and have said that they need to consult the public. The PDP Bill only does this for codes of conduct, where it says the DPA needs to consult the public, stakeholders, and even other regulators, but it doesn’t say anything for the other regulations.
- What we can learn from TRAI: A lot of TRAI’s ability to be somewhat independent is because the public is involved with its functioning; people send in comments, all stakeholders feel they have a say and an opportunity to oppose. So when TRAI wants to take an independent stand, it can say that a certain stakeholder is saying so.
- There is a divestment of powers from the DPA, and an investment of those powers in the Central government. This points to an intent to politicise data protection and to make critical decisions relating to users and companies political decisions. This goes against a global trend and it’s something to worry about.
Another speaker disagreed, stating that while the DPA’s level of independence under the current bill is a cause of concern, “that doesn’t mean it’s doomed for failure”. “We should also look at how the DPA would build up its reputation for independence. Even with its current structure, it may be able to stand up to the government, or may annoy the government; that may still show independence,” the speaker said.
Piping in on the general disagreement, one of the speakers warned that data issues are being increasingly politicised in India, but also globally. “Power is taken away from expert regulators and given to governments and legislatures who are not trained to handle them. This might be because the value of data is becoming increasingly clear, or because of international trade negotiations, or other reasons – but none of this spells any benefit for users.”
We don’t have an ideal regulator, let’s start afresh
Do we have an effective DPA anywhere in the world? It’s too early to comment given that the world is still grappling with the GDPR, and each country has its own way of regulating personal data, said a speaker, citing that “while GDPR adopts a more generalist approach, Australia and the US have tilted towards sectoral regulators”.
“If we want to think of an ideal regulator, we need to search outside of what exists, especially in India,” said another speaker. “People have admitted in courts that no regulator passes muster, in cases where the constitution of tribunals and other agencies has been challenged in the Supreme Court. We are much better served in not looking at precedent and starting afresh, and thinking about the objectives we want to meet and how we would get there.”
Where did all our regulators come from? What insights do they give into the DPA?
“Independent regulators came about as the private sector came into the picture” and functions shifted from state monopoly to the private sector, explained a speaker. “Apart from making sure that the industry behaves, regulatory agencies started to need technical experts with domain knowledge, and those from outside the bureaucratic setup.” The private sector’s development gave rise to the need for independent regulatory agencies “which could both operate at arm’s length from the government and have technical expertise. The broad objective was to regulate market failures and to have an oversight mechanism,” said the speaker.
There are three constituencies the DPA is going to have to mediate or at least cater to: the government, the private sector, and individuals and users, ordinary citizens, which is probably the most important constituency.
The accepted wisdom currently is that the DPA is going to be a market regulator, pointed out a speaker. “We haven’t been able to solve what the role of a market regulator is, and it is still an open question. Our best market regulators haven’t successfully mediated between the competing interests of these three constituencies. Besides, market regulators by themselves are relatively new, they aren’t more than 20-30 years old, and before that, commissions or government-created agencies that were meant to exercise expert jurisdiction over a particular issue did so primarily to protect the interests of users,” the speaker said.
There are now two kinds of market regulators: one kind which has greater powers over its markets, such as SEBI and TRAI, and the other kind which shares powers with the central government. But “we don’t know which route the DPA will go”.
The issue with India’s market regulators: There is a challenge pending in the Supreme Court around the constitutionality of the CCI, which would be the baseline for what a constitutionally compatible regulator should look like. The case is being argued on a separation-of-powers plank, the idea being that the regulator is a delegate of the State’s power.
The CCI case in the Supreme Court reflects an issue with today’s market regulators: that the new-age regulator of the post-1990s is an extremely hybrid body that investigates, prosecutes, decides disputes, sets standards, makes laws at two levels — for everyone, and for specific actors — it’s way too hybrid. “Given this, how are you going to control that the DPA functions efficiently, and that the laws it framed are enforced with rigour?” the speaker asked.
In fact several speakers pointed out that the Bill envisions a dual function and objective of the DPA — to protect user privacy and also to promote economic growth, goals which seem to be inherently in conflict. As one speaker pointed out in Delhi, this is like drafting a law against domestic violence against women, the objectives of which are to prevent such violence, but preserve family values at the same time. Our speakers weighed in on this:
- This regulator should have a one-point agenda: the commitment the government made to the court that it will protect privacy by this law. “This law has one objective only and that is to maximise privacy,” said a speaker.
- Another speaker disagreed, stating that the DPA’s objective doesn’t have to be either. “I think there is a nuanced way in which both can live together, both can thrive together. I guess the moral of the story is data is capable of economic growth either way. It’s up to us to do that in a privacy-centric manner.”
- Seal DPA from other courts: “We also need to seal the regulator from the judiciary, not just from the government. For instance, the Patents Act has a compulsory licensing power that asks a judge, not a market regulator, to have regard to certain principles when applying his power, and one of the principles is the general benefit of India. Should it be a court duty to protect a country’s interest? This is a larger question of cleavage in laws in all developing economies, but this is not the duty of the regulator, their duty is to protect the market and users in the market.”
DPA’s powers and functions
Is the DPA being asked to do too much, or too little?
It’s being asked to do a lot, and it’s good that the DPA’s roles have been narrowed down from the previous draft, where it had to carry out 26 functions. Now it has to carry out 14 functions, the speaker said, reminding everyone that “being India’s first Data Protection Authority, it will have to lay a lot of the groundwork for future sectoral regulations to follow suit”.
Should it be up to the whims of the DPA chair to choose whether to toe the government line or not? Isn’t it risky? “We take that risk all the time with every regulator,” one speaker declared, going on to explain the following:
- There’s always risk of regulatory capture: An existing regulator whose appointment process is supposedly well-structured is the Chief Vigilance Commissioner. The CVC is appointed by the Prime Minister or Finance Minister, and the Leader of Opposition – the idea being why should the government have monopoly over this appointment. But we still see CVCs who are effectively non-functional.
- We will simply have to see how much of a public-facing role the DPA will have in its functioning. TRAI invites public comments, takes people’s suggestions, CCI holds its hearings.
- A DPA cannot just be this body which sits and makes its regulations, rules and policies, and so on. That’s ripe for capture, and regulatory capture can be done by the government, private entities, or by vested interests. You prevent capture, not just by robustness, but also by subjecting it to public scrutiny.
What should the DPA prioritise? The DPA has an adjudicatory function, a legislative function (drafting the regulations), an executive function (enforcing the regulations), and an advisory function (making recommendations to the government). The DPA will have to prioritise what it has to do on Day 1, on Day 365, and on Day 3650.
On Day 1, they should start with making the regulations and maybe handle some of the disputes, according to one speaker. Agreeing with this, another speaker said that the DPA should set down norms on Day 1, since it’s going to “form the basis for industry practice”. An audience member said that while “the regulator doesn’t need to say the regulation it will draft each month, it can give a roadmap and logical explanation around it”.
Should the complaints redressal function be separate from the DPA’s other functions?
Not necessarily; instead, the primary problem is how to get the right complaints before the DPA, according to one speaker. This includes what access users have when they’ve suffered a privacy violation, and what procedural and substantive safeguards they have.
Yes, absolutely, complaints redressal should be separate. “Our [entity redacted] submission ever since the white-paper came out was that the law should create two agencies, one the DPA, and another called the Data Protection Redress Agency, an ombudsman-like scheme whose only job is to carry out the specialized function of complaints redressal. It’s a very different function from regulation making.” The speaker added that there’s also a potential conflict of interest, if one body is doing both functions:
“If a lot of complaints are coming on some issue, it could mean that the industry is performing badly, but it could also mean that the regulator is doing really bad supervision and regulation. If the regulator is responsible for both, its incentives could be to downplay complaints that point to the flaws in their own regulatory system. It’s important to have someone else looking at complaints; the regulator should not be controlling both processes.”
Maybe not. The DPA needs to take some time, the RBI could do it because it’s experienced: Other regulators do have a complaints body or adjudicating wing: the RBI has created an Ombudsman for consumer complaints, while RERA, SEBI, and CCI have an adjudicatory division, pointed out another speaker. “But it would be better, at least in the first few years — until the law is stable and clear — to not have a separate complaints body. Otherwise, there is a risk of the Ombudsman becoming a little too panchayati, and the user won’t know whether he’s going to get relief, and nobody would know if what the DPA or possible complaints body is doing is in accordance with the law and regulation,” the speaker said, adding that:
For instance, the RBI has got years and years and years of practice for what can and should not be done. So it makes sense for the RBI Ombudsman to direct banks to do or not do something. We may want an ombudsman later on depending on how, you know, the DPA handles disputes and how the DPA balances all its functions.