What’s the news: Harmonising allied laws, cooperating on jurisdictional overlaps, ensuring a uniform approach to new technologies and integrating grievance redressal mechanisms were the four challenges listed by The Dialogue and NASSCOM in a policy brief focusing on problems faced by the Data Protection Bill (DPB) 2021 in inter-sectoral regulation and coordination.
The brief is part of a series by the public policy think tank and non-profit association that analyses specific aspects of the DPB 2021. Here, they identified specific challenges of inter-regulatory harmonisation and cooperation and talked about gaps in the current approach of the DPB 2021.
Why it matters: An extensive amount of literature focuses on the ways in which DPB 2021 intends to protect people’s information, how it impacts gaming companies, businesses, etc. This document instead looks at how the law interacts with other sectoral regulations and overlaps with their mechanisms. For stakeholders, understanding these overlaps and ways to ease them is helpful in understanding how the regulatory mechanism of this law will work.
Synchronising existing and proposed laws: As many as 50 ‘allied laws’ that directly or indirectly dealt with personal data in India were identified in an analysis report by the Committee of Experts on Data Protection Framework for India under the chairmanship of Justice B.N. Srikrishna (Srikrishna Committee).
However, owing to its unique status as a personal data protection law, the DPB 2021 will prevail over these existing or proposed laws and policies in times of inconsistencies. As per the policy brief, this will lead to some complex issues.
For example, laws from the committee report that were analysed in view of the Aadhaar Act of 2016 and the Right To Information Act of 2005 will have to be revisited. This is because both the Aadhaar Act and the DPB 2021 have been modified since then.
Similarly, line ministries will have to arrive at a common understanding of the DPB 2021, remove overlapping and conflicting scopes and harmonise them within a single data protection framework for amending the rest of the laws. Doing so will create a scenario where existing laws in different sectors can coexist with the more advanced requirements under the DPB 2021.
“Regulated entities may find it challenging to meet both simultaneously. Addressing this would demand a coordinated inter-ministerial effort,” said the policy brief.
The brief pointed out that the DPB 2021 will bring in several relatively novel concepts with limited prior jurisprudence. Meanwhile, line ministries may unintentionally vary in their interpretation of details or granular issues such as definitions or different processing principles. This could undermine a comprehensive data protection law’s purpose of coordinating policies at a national level.
A structured process of harmonisation can also lead to a shared approach towards establishing a risk-based framework. In it, regulators can assess when higher standards are practically required and what specific additional obligations are required to mitigate specific risks.
To ensure such an approach, the brief suggested focusing on strategies proposed by the Financial Sector Legislative Reforms Commission (FSLRC), tasked with “consolidating and harmonising a fragmented regulatory architecture in the financial sector.”
One strategy recommended an ‘interim coordination council’ consisting of existing regulators and line ministries to ensure the smooth transition to a single unified financial law. The policy brief said that the government can explore a similar structure to align the DPB 2021 and various existing and proposed laws.
Further, relevant state government and municipal body frameworks will also have to be amended. The brief said that some state governments have policies or laws on protecting personal data. Municipal governments also process personal data whilst discharging various functions like assessing properties for taxation, collecting tax payments or handling grievances or service requests.
If these are considered as well, the list of ‘allied laws’ that can be impacted by the DPB 2021 can expand significantly, “adding a horizontal dimension to the harmonisation problem.”
“If a structured approach to harmonisation is followed at the central government level, this could offer learnings into resolving similar concerns across different levels of government,” said the brief.
Navigating jurisdictional overlaps and enforcement actions: The policy brief anticipated a unique jurisdictional overlap of personal data protection with competition and consumer protection law. To address the threat of lower privacy protection for consumers, the DPB 2021 contains systems of inter-regulatory references, of memorandums of understanding (MoUs), and for sectoral regulation of ‘significant data fiduciaries.’
However, the brief points out that even these frameworks have problems like lacking definitions, ambiguities in MoUs’ functioning and uncertainties about who comes under ‘sectoral regulator.’
For strengthening this regulatory coordination framework, the brief suggested a policy option to spell out the elements that MoUs under Clause 56 (of the Bill) can contain. A review of relevant examples from the United Kingdom suggested that such MoUs usually include the following types of elements:
- Information sharing between regulators
- Cooperation in framing regulations and codes of practice
- Mechanisms for ensuring inter-regulatory discussions to minimise conflicting supervisory directions and regulations
- Mechanisms for disclosing and reporting breaches of personal data
- Processes for inter-regulatory references for sectoral regulations
- Coordination in conducting awareness-related activities
Another option is that of “interlocking directorates”. Here, representatives from one regulator (including from a ministry or department) sit on the board of other regulators who have connected mandates. This serves as a coordination and cooperation mechanism. For the Data Protection Authority of India (DPAI), the limitation will be the wide set of different regulators it would have to coordinate. It will be difficult to rely exclusively on interlocking directorates but the underlying idea of enabling representatives of different regulators to collaborate with each other closely can still be explored, said the brief.
Ensuring a uniform appreciation of new technologies: Many authorities in India “have sought to leverage ‘regulatory sandboxes’ to determine how to calibrate regulatory systems vis-à-vis technological developments within their domains.” The DPB 2021 also talks about the DPAI operating a sandbox mechanism to encourage AI innovation, machine learning or any other emerging technology in public interest.
However, the brief pointed out that the risks and regulatory difficulties with such ‘emerging technologies’ can only be fully appreciated once they are employed. Risks posed by a machine learning algorithm for a credit scoring system will be very different from those posed by a machine for traffic prediction.
“Thus, the DPAI may have to source sectoral or context-specific expertise to run a sandbox effectively,” said the brief.
Further, it said that there is a risk of duplication of efforts that will complicate the challenge of holistically examining risks posed by innovation.
“The DPAI seeks to evaluate specific innovations viewed through the lens of privacy and data protection, other regulators may also be exploring those innovations through their sectoral or domain-specific lens,” said the brief.
Operation of distributed and parallel sandboxing mechanisms by different regulators will also complicate matters for businesses seeking to explore new technologies. They may have to approach different regulators for exemptions under distinct regimes for the same technologies. For start-ups, this creates roadblocks in the form of additional cost and hindrance to service/product development.
“The lack of uniformity in the framework and format of the sandbox mechanism adds to the compliance cost. Also, fragmented approvals of a cross-sectoral innovation could slow down market adoption,” said the brief.
Rather than working independently, the brief suggested the DPAI collaborate with different regulators and authorities to run integrated sandboxes. The DPAI can enter into specific MoUs with regulators and adopt a principle-based framework to establish and operate an integrated sandbox with a data protection dimension.
Integration of grievance redressal mechanisms: The brief suggested pooling all adjudicatory grievance redressal functions into the Adjudicating Officer (AO) system so that AOs act as single points of execution of such functions. This will better secure operational segregation between redress and regulatory functions and may lead to better outcomes for consumers, since those with judicial expertise best discharge adjudicatory functions.
Under the DPB 2021, there is a right to seek compensation by applying to the DPAI, who then funnels those applications to an AO. Meanwhile, the DPAI is tasked with other adjudicatory functions. The grievance redressal mechanisms once established will co-exist with several other such mechanisms under other current laws.
While welcome in principle, the brief said a fragmented approach can create challenges such as:
- Consumers may find it difficult to determine when to approach one channel over the other. There could also be differences in approach and processes, potentially creating stress for consumers as they navigate multiple mechanisms.
- Having entities and regulators operate multiple redressal mechanisms in silos may not be the most efficient approach to resourcing. This can also diminish agility in resolution.
- Without mechanisms for knowledge and experience sharing across systems, different redressal systems could end up working in silos without learning from each other. For example, those handling e-commerce complaints could benefit those handling data principals’ grievances.
As such, it recommended that the DPAI leverage MoUs with other regulators to set up a more integrated mechanism, where the different regulations align in terms of approach and design. The brief suggested incorporating technology-intensive processes in grievance redressal mechanisms for easy access, harmonising the obligations of entities to have such mechanisms, operationalising online dispute resolution (ODR) and coordinating the regulators of different systems.
“For example, an AO hearing a dispute involving matters under other laws could coordinate horizontally with the relevant judicial authority responsible for similar functions under those laws (such as a consumer court in the context of e-commerce or an ombudsperson in the context of financial regulation),” said the brief.
“As the envisioned DPAI is likely to have a crucial role in this digital age, we believe it is essential to address the aforementioned inter-regulatory harmonisation and coordination problems, as well as find solutions for the bottlenecks discussed,” concluded the report.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.