Before Prime Minister Narendra Modi had announced the 21-day nationwide lockdown, we spoke to Member of Parliament Amar Patnaik, who is on the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019. Patnaik argued that any Data Protection Authority (DPA) which is formed should be independent, perhaps through constitutional backing.

Citing the large amount of people who would be impacted by the bill, Patnaik said that a wider cross-section of people — especially at the municipal and rural levels — should be consulted before the Data Protection Bill is passed.

Here’s the entire interview:

Edited excerpts from the interaction follow.

Constitution of DPA: “My personal view is that the bill could have done a better job of it, in the sense that the selection of the people who will be in the DPA is still amorphous. The usual lines of who are the people could be there in the regulators’ guidelines is that people should be from law or administration background. So that will not apply here. The people who should be manning the DPA should be from a cross section of internet users. Which should be citizens or citizen representatives, companies, government officials… I believe there’s an over-dependence on the government officials deciding on how this should pan out by being part of the data protection authority, which is not really right. That’s my personal view”.

Constitution of DPA must include citizens: “What is important is that someone who takes interest in this, has a fair idea of the gamut of data, and how data flows happen, how they affect the economy… That should emerge. The biggest user is the citizen. The citizen should have a huge role in the appointment process and also the authority itself. How exactly that representation happens would have to be seen carefully”.

Lack of independence of statutory authorities in India, including DPA: “All regulators are supposed to be at an arm’s length from the executive. But if you see their budgets, they come from the Finance Ministry. There are several ways in which they exercise control over the regulator. Unless you are a constitutional authority like the CAG or the CEC, who have real independence, statutory bodies like the DPA or CIC are constrained to a large extent, and their functioning can be manipulated by the executive of the day, whereas a constitutional authority requires constitutional amendments. Statutory authorities can also be withdrawn with a simple legislative vote”.

“A situation may be there in which people have to debate whether this data protection authority should need a constitutional role as opposed to a statutory role, in which case government interference can be there, and would be there in the future. This is the larger issue, in my personal information. But since this is so key to a number of things, and the interplay with other regulators would also be to a large extent handled by this authority, one has to see how this arm’s length approach can be adopted here”.

Means of creating financial independence as a statutory authority: “There is a provision of getting charges, TRAI has revenue mobilisation as a part of its licensing. That could be there. But a statute is a statute which can be changed by the legislature. But if it’s a provision in the constitution, you can’t change it. I’m not even talking about the basic structure; even smaller changes would need great rigour in getting it passed by the Parliament and support from the states. This is something that will affect everyone, every state; different states may have different requirements — state governments’ access to personal data of individuals; it is very important that the DPA be the crux of this entire thing. They are the pillar of this bill. We have to think about a role for them, ensure their independence, not just financial. Besides that, you pass an order that nobody follows, for instance. Enforcement power needs to be there”.

“Very frankly, I feel that statutory regulators who have been created can have their decisions influenced by the government much more than a constitutional authority”.

Federated structure of the Bill: “The information that is being generated of individuals — a large amount of that information is not being kept just by the central government, but also by the state government, and most importantly by the local municipalities and panchayats. The people living in villages are probably not aware of the bill and their privacy, but a time will come when that will be central to how things are administered for them, in terms of giving them various kinds of benefits”.

“We can’t think of anything in our country, or anywhere else for that matter, while remaining completely divorced from the political economy as a whole. There are different kinds of people using that data at the village, rural and block level. I don’t think there has been enough consultation which has happened with the states in this particular issue”.

“There has been great work by civil society to spread the message about this issue, carrying out discussions and so on, but what is the view of the people? The person who is going to be affected most is the citizen. And the citizens won’t just be in the big towns and cities. They are in villages, small municipalities. How they are going to look at it, I don’t think that kind of consultation has been done”.

Multiple DPAs at lower levels: “The Act doesn’t say there will only be one DPA; like the CIC that every state has. Every state should have a separate rule and constitute its own DPA. I think that should be done. It’s not possible to do the entire administration, with all the interpretation issues that can come to one body with just six members”.

“If you have more number of people, then there is also a smaller chance of groupthink kicking in. If there are more members, there is scope for dissent, where a more considered view of a situation can be taken. The DPA will have to be set up in different places, because the situation will not be the same”.

Data localisation – difficult to implement: “Data localisation they have said is only for critical sensitive personal data. Now whether technologically in this world it is possible, I have my own views on that. If someone wants to do it, that is, only the storing data locally part, that’s possible. But if you say that you can’t process that data outside India… I really don’t know. It’s easy to prescribe public policy. But if you cannot implement it, then automatically there are rent coalitions that get formed — I use the term “rent coalitions” to refer to bribes or other situations like that. If you have this legislation, someone can go and threaten them that “Give me the evidence you are processing this data here” and stall the entire activity there. This is very difficult to implement.”

“Generally it is taught in public policy schools that you should supply public policy that can be implemented and monitored. When you supply something that cannot be monitored or implemented, unintentional consequences follow”.

Need for data localisation: “The other aspect was, from the public policy, why do you need it? Why do you need it? Gone are the days when you think that if you have data at a particular place and it is processed here, I physically have control over it. We are in the internet age, not in an age where physical possession or access to data is important for me to feel safe that I can take care of any kind of eventuality flowing out of that data”.

Where does data localisation come from: “Data localisation in India is something which is being propagated by the banking system more than law enforcement. It is the Reserve Bank of India saying that data localisation is needed more than the law enforcement agencies. But the law enforcement agencies came in later, saying we need it. The point is, we have encrypted data, encryption in different levels, data stored in clouds; how do you localise? Even if you get that data, if you can’t make use of it in time to take care of frauds or law agencies’ criminal cases, what’s the use? The intention should be more about how quickly you can get that information to aid your investigation into a crime or fraud”.

Data localisation not required to investigate crimes: “The entire US doesn’t have a data protection law. Does that mean that enforcement of laws or investigations into crime for either white collar or other crimes are less strong or less rigourous? No. If you need localisation only to improve your chances of success in criminal cases or fraud detection cases, then I think that doesn’t stand scrutiny scientifically, technologically or even conceptually”.