- JPC has not put much thought into the role and functions of the Data Protection Authority (DPA)
- The DPA doesn’t inspire confidence among citizens in its current form
- DPA will be more powerful than any other regulator and should hence be modelled differently and with proper checks and balances
- Selection Committee for the DPA needs more subject experts
- Arrangements should be made between regulators to minimise possible clash over jurisdiction
These were some of the many suggestions made by panellists speaking at MediaNama’s Decoding India’s Data Protection Bill event held on January 19-20. Kicking off the session on the Powers of the Data Protection Authority, moderator S. Chandrasekhar, Head of Digital and Cyber Practice at K&S Partners, said:
“It would not be an exaggeration for me to say that getting this piece [the Data Protection Authority] right is probably the key to getting the entire regulation right.”
In this session, Renuka Sane, Associate Professor at National Institute of Public Finance and Policy, Alok Prasanna Kumar, Co-founder and Lead at Vidhi Karnataka, and Nikhil Pahwa, Founder and Editor of MediaNama, shared their views on how the DPA can be improved from the current form that’s in the Bill.
This discussion was organised with support from Google, Flipkart, Meta and Star India, and in partnership with ADIF.
How should the DPA be set up
1. DPA doesn’t inspire confidence in its current form: Pahwa said that his core concern was whether the DPA can inspire confidence in citizens that if they go and file a complaint with the DPA because their privacy has been violated, they will get justice. Will the DPA have the capacity to respond to complaints, especially ones that go after big entities like the UIDAI or a large tech company? “By the looks of it, given the kind of control that the government has over the DPA, both in terms of policy and directions, I don’t think so,” Pahwa remarked.
- Transparency in the making of the Bill: Pahwa recommended that there should be more transparency in getting the Bill together, maybe similar to TRAI, which functions with openness when it comes to consultations.
- State-level DPAs for more capacity: Another way to inspire confidence is giving the DPA more capacity perhaps by having state-level DPAs, Pahwa recommended.
- Separate the privacy and economic goals of the DPA:
“We also need to, most importantly, separate the privacy goals of the DPA with the data economy goals of the DPA. And perhaps junk the data economy polls altogether, because this is essentially meant to enforce the fundamental right to privacy. So drop NPD, drop the economy goals, and just focus on enforcement of privacy to guarantee users their rights,” Pahwa suggested.
- Budgetary independence: Pahwa recommends that the DPA needs to have a guaranteed setup and annual budget which is reviewed periodically for increases but is never reduced.
- Appointment of a technical committee: Since a lot of the role of the DPA is going to be technical in nature, there should be a Technical Committee of Advisors, Pahwa recommended.
2. Can the DPA be modelled after another regulator? If the DPA is modelled along the lines of another regulator like SEBI or CCI, then all the problems that pervade the existing regulators in terms of how they function will also pervade the DPA, Sane said in response to Chandrasekhar’s question if we can model the DPA after another regulator or do we have to reinvent the wheel. Secondly, in terms of codification of regulatory processes in the law, I don’t think any regulator in India comes close, Sane added. Agreeing with this, Prasanna Kumar added that the list of regulators that are doing well and can be emulated is a very small one. “I would say perhaps, maybe we have a list of what not to do, rather than a list of what should be done,” he remarked. Since the DPA will have all three functions: lawmaking, executive, and judicial, it has a broad mandate and not many regulators to be modelled after, Prasanna Kumar added.
“While there are costs of bad functioning at the RBI or the SEBI, or any other regulator that you might think of. The costs of doing, this is much greater in the DPA space because the mandate is much bigger.” – Renuka Sane
Recommendation: DPA should not be modelled after any current regulator, but we can borrow the structure in terms of what division sits where, Sane said. But in terms of manpower, the process of hiring, in terms of codification of these processes, and in terms of regulation-making or enforcement, we have to start afresh, Sane added. The DPA can emulate certain aspects such as the consultation process of TRAI, Prasanna Kumar suggested.
3. Regulating the regulator: The DPA is far bigger than other regulators India has seen, which makes the chances that the DPA may misbehave either intentionally or unintentionally a lot higher.
Recommendation: “There should be constraints and obligations that you place on the DPA itself in terms of how it should behave because this has implications for the welfare of the regulated entities and cost of doing business,” Sane recommended. One way this can be done is to codify a lot of the processes of the regulator within the law, Sane suggested.
“I think we need to codify ex-ante mechanisms, such as how will the regulator make regulations, what is the process through which the regulator puts out its regulation? What is the cost benefit analysis that the regulator will do? What is the kind of comments seeking that the regulator will do? How is the regulator addressing the comments of the people who actually take the trouble, and whether the decision of the regulator, for example to regulate something in the first place, to ban something is proportionate to the problem at hand. Is it the least cost way of resolving the problem, is the problem statement being identified correctly or not?” – Renuka Sane
4. Selection Committee does not have experts in the field, cannot fathom why the director of IIM is on it: One of the problems with the Selection Committee that appoints members to the DPA is that it is limited to only three secretary-rank officers, Prasanna Kumar commented. Although the latest version expands the selection committee to include a director of the IIM and IIT, Prasanna Kumar opined that it doesn’t solve the problem.
“I’m not mistaken, now it has just been expanded in a somewhat bizarre way. And I say bizarre because I cannot for the life of me fathom, and no disrespect to anyone, I cannot fathom what the director of the IIM will bring into this discussion. If we want any academic to be involved, I can imagine the IITs, they may have something to add.” – Alok Prasanna Kumar
Recommendation: Prasanna Kumar recommended widening the scope of people who are in the DPA appointment committee and choosing people by the qualification for the job and not the designation. Rather than choosing people like IIM/IIT directors and the Attorney-General for India, who are already swamped with work and are not necessarily doing cutting edge research in the field of data science, identify experts who bring value to the table, Prasanna Kumar said.
5. Is the adjudicating officer independent if appointed by the DPA: Pahwa asked if the DPA should be appointing the adjudicating officers, or should they be appointed by a distinct process to ensure a better separation between the DPA and the adjudicating officers? The position of adjudicating officer has plagued other tribunals because it is a quasi-judicial function, and right now, only SEBI is somewhat effective on this front, Prasanna Kumar said.
- Appoint a “youngish lawyer”: To avoid the pitfalls of other regulators, Prasanna Kumar recommends that the Bill should clearly set out who should be adjudicating officers and that it should be some “youngish lawyer with a lot of deep experience in that area […] not just some retired judge.”
- Focus on competency over independence: Commenting on whether the DPA should be able to appoint the officer, Prasanna Kumar said:
“I’d say if the DPA can find competent people with legal training to be adjudicating officers go for it, because any failures in terms of you know taking too much of the view of the DPA and so on, you have an appellate tribunal, which is not appointed by the DPA, and you have the Supreme Court.” – Alok Prasanna Kumar
- DPA should not be appointing the adjudicating officers: Sane differed with Prasanna Kumar and said: “While having an appellate mechanism or a Supreme Court, it’s great that it is there, very often, the regulator is so powerful, that in many instances, the regulated entities are so scared that they will not go to the appellate body or the Supreme Court.” Even if they do, it can take time to seek redressal, Sane added.
6. Other recommendations for setting up a DPA:
- Will need experts from all fields: Sane said that the DPA will need all kinds of expertise because it is a complicated body with a complicated set of functions. For example, you will need not only people from tech but also people from law and ethics to judge aspects like the principle of proportionality and quantifying harm, Sane explained.
- DPA should have an entrepreneurial spirit: “With all the resources and the best people, this body will fail, if at the top there is a culture of we will wait and see what happens,” Prasanna Kumar remarked while advocating for an entrepreneurial spirit for the DPA. And although the government is not necessarily known for that, there is the talent within the government which is capable of this, Prasanna Kumar said.
“Nikhil [Pahwa] gave me a great example the other day when he was talking about the Philippines Data Protection Authority. Like how it was set up. That person basically said, I’m not going to wait for them to give me a building, and an office, and a car and a staff, I’m going to start in a coffee shop if I have to, which is what they actually did. You need somebody who will have that entrepreneurial ability. It just can’t be someone looking for a nice post-retirement security, or just can’t be someone who ticks enough boxes in terms of half the ‘qualifications.’” – Alok Prasanna Kumar
What functions should the DPA have
1. The focus of the DPA is not clear: Prasanna Kumar pointed out that the Bill has 15 different functions given to the DPA but no regulator is going to be able to perform these from day one. “There needs to be a serious conversation on what should be the main focus or where should the Data Protection Authority focus its energies,” Prasanna Kumar added.
Recommendation: There has to be some level of prioritisation in the functions allotted to the DPA.
“Government should sort of say, listen, these are the five things we want a DPA to do. Maybe your focus might be to take complaints from people, to catch hold of data breaches, to set up, basic norms which companies have to follow when they’re transferring data, whatever it is. What do you think is the most important problem that the DPA is supposed to solve, that is something that the governments should sort of lay out for them.” – Alok Prasanna Kumar
2. DPA’s power over the public sector is half-baked: The Bill is not clear on how the DPA should handle the public sector, Prasanna Kumar said.
“Half measures don’t work. If the government doesn’t want this DPA to go after government agencies that might be misusing data or causing a breach and so on. They should come out and say it, what’s the point of this halfway measure by saying, okay this will also apply to government departments. But for them, we will allow the action to be done internally, and then if it doesn’t work, we’ll think about external action and so on. Because what that does to me is to sort of leave this authority in a very confused place on day one.” – Alok Prasanna Kumar
- Take a stance: The government should come out and say if they really want the DPA to address the public sector and not just include half-baked measures, Prasanna Kumar implied.
- Government should be governed by DPA: Meanwhile, Pahwa recommended that the “government should be governed by the DPA and have absolutely no say in the functioning of the DPA once the appointments are made.”
“Whether it’s a policy direction or it’s a directive, the DPA should ideally be independent, but in order to, it needs to have transparency and accountability by design. So that it’s not like the Reserve Bank of India, which seems to be a black hole when it comes to how it comes up with its decisions.” – Nikhil Pahwa
3. Should DPA govern both personal and non-personal data (NPD): Many have objected to NPD being included in the ambit of the Data Protection Act and the Data Protection Authority in the latest version of the Bill. In another session, Ulrika Dellrud, Chief Privacy Officer of PayU, said that thinking about NPD regulations at this stage is premature because India’s privacy regulations have to evolve more. Alok Prasanna Kumar, however, noted that he understands NPD has some impact on personal data and therefore some basis for this inclusion.
“I would see the non personal data discourse as an extension on the personal data discourse, where you see where you see that something to do with personal data, is in fact, something which needs to be solved at the non-personal data level.” – Alok Prasanna Kumar
Recommendation: Despite seeing the connection between personal data and non-personal data, Prasanna Kumar recommended that regulations for NPD should be put on the backburner and should not be an immediate priority for the DPA. Meanwhile, Sane recommended that the NPD regulation requires a complete rethink and should not be under the jurisdiction of the DPA at all.
4. Not much thought has been put into the regulator by JPC: While the Joint Parliamentary Committee on the Personal Data Protection Bill has spent significant time deliberating and explaining the various other provisions of the Bill, it has not put much thought into the DPA, Prasanna Kumar said.
“Whereas [the JPC] has at least some thoughts and some thinking about the role of data and the economy, the importance of data protection and so on in the first 40-50 pages or so, when it comes to the question of what we should do with the regulator, it jumps straight into we should do this, we should not do this. And to me, it highlights a lack of serious thought behind some of the changes that it proposes.” – Alok Prasanna Kumar
Recommendation: As Uthara Ganesh, Head of Public Policy at Snap India, said at another MediaNama discussion, fresh consultations involving various stakeholders are needed because the Bill has over a hundred changes from the 2019 version and deals with a lot of new issues. This will also allow the JPC the opportunity to examine issues pertaining to the DPA in more detail.
Issues that are unavoidable but can be managed better
1. The problem of regulatory capture: Regulatory capture is a problem where regulatory bodies come to be dominated by the industries they are charged with regulating because they are constituted by people who used to work for these industries. This is a very real problem that regulators around the world are grappling with, Prasanna Kumar said. But there’s a paradox here because it will be hard to find someone in the field of data science who is not in some way involved with profit-making companies, Prasanna Kumar explained.
Recommendation: It might be possible to eliminate those who have obvious conflicts of interest, but we will have to sort of compromise somewhat because there isn’t a large pool of people with the legal expertise on data protection from whom you can draw to staff the DPA on day one, Prasanna Kumar said. Meanwhile, Sane said that this is not necessarily a bad thing because generally, the private sector builds expertise faster than the government sector.
“I don’t think that revolving doors is a bad thing just because somebody has had experience in the private sector, and is now coming in government. I think in fact that’s a great thing. Because then it exposes the people in government to what being in the private sector is like, to what issues are like. And there may be other ways of ensuring that there isn’t regulatory capture.” – Renuka Sane
2. Possible clash between different regulators: “So the same data, there is a place where the telecom regulator can act, the health regulator can act, the banking regulator can act, and then you have this umbrella authority. Now, how will these function, the sectoral regulator, vis-à-vis the central regulator,” Chandrasekhar asked the panellists. Prasanna Kumar replied that sectoral regulators are likely to have a bigger say based on past judgements given by the Supreme Court. “If we take, for instance, the Competition Commission of India, the Supreme Court of India in 2017-18 passed this judgment, which sort of said when it comes to telecom issues, TRAI being the sectoral regulator, gets the so-called first bite of the cherry. And they will be the ones who will be responsible for the, even the competition aspects of the telecom sector,” Prasanna Kumar explained.
“If the Supreme Court’s first bite of the cherry doctrine is to be extended, then the Data Protection Authority will have to take a backseat to pretty much every other regulator, except maybe the Competition Commission of India. So when it comes to RBI, when it comes to SEBI, when it comes to IRDAI, when it comes to even maybe the UIDAI in the context of Aadhaar data. Or you could even say Election Commission, which has all of our data.” – Alok Prasanna Kumar
Recommendation: Sane recommended that we should get into arrangements between different regulators on who does what and who looks at what. “So what is the jurisdiction of one regulator over something versus another, and which regulator has precedence,” Sane said. Meanwhile, Alok Prasanna Kumar opined that conflict between regulators is inevitable given our current jurisprudence and that “we have to be comfortable that in certain occasions, the concerns of privacy may not be the only way to look at a particular issue.”