- Rishab Bailey, an independent lawyer*, said that India’s Data Protection Board should not just be an adjudicatory body but also have rule-making powers.
- There is a risk of political expediency if decision-making powers rest with the Union government, as it can lead to a tussle with state governments.
- The board may not be able to prevent problems unless it has the powers to require ex ante compliance from data fiduciaries to fend off privacy harms.
- One of the recommendations called for state-level units, as a single body is not going to be enough for a country the size of India.
- The provision of voluntary undertaking needs to have guardrails so that entities are dissuaded from misusing the provision in order to protect themselves.
“Now you need rule-making powers for an independent body like the DPA (Data Protection Authority) because if these powers rest with the government, as we have seen in this bill then it is difficult for the government to make rules and limit its own actions,” Rishab Bailey, an independent lawyer and a researcher, said during the discussion held by MediaNama on the new draft of the Digital Personal Data Protection Bill, 2022.
He elaborated that the decision-making powers of the government can be prone to political expediency, especially when state and central governments are answerable to the same body. Bailey was the speaker in the session dealing with the bill’s provisions on the Data Protection Board of India (DPBI).
“Some people have welcomed that because we lack the capacity to have a full-fledged regulator,” he said, adding that he did not agree with this position. He argued that the issue of capacity afflicts the government as it too lacks it but the DPA could utilise external expertise in theory.
Bailey also explained that a data protection authority performs four functions as one observes in Europe or in other jurisdictions— making rules, investigation, adjudication and advising on capacity-building. He explained that the board has been envisaged as an adjudicatory body in the bill.
The quotes have been edited for purposes of clarity and brevity. You can read the entire bill here.
The Ministry of Electronics and Information Technology (MeitY) is seeking chapter-wise public feedback on the draft law until December 17th, 2022. The submissions will be held in a “fiduciary capacity” and will not be publicly disclosed.
Here are some excerpts from the session
Regulatory uncertainty: “…there are so many provisions which require interpretation, and the fact that there is no body which can lay down the meaning of provisions, except through case law, is problematic. Ex post facto decision-making doesn’t prevent problems from arising in the first place,” Bailey stressed in his comments.
- He said that the bill should require ex ante compliance by entities so the aim is to prevent privacy harm, not just determine ex post facto whether a data fiduciary is liable for failure in compliance.
Access to file complaints: Bailey expressed concern over limited access to adjudication mechanisms in India given that few people bother to file a complaint and see the process through, even if the processes are digitised. He said that there was no compensation mechanism at the time when the GDPR came out with a report indicating that the number of complaints filed by people was low. “So, just these fines being imposed was not seen as sufficient incentive for enough complaints to be made which is also a problem (with this bill),” he said.
State-level bodies: One of the attendees said that he failed to understand how one single centralised body will do justice for a country like India. “Why can’t we have something at the state level as well? We are underestimating the problem and too much centralisation is not very effective,” he concluded. Nikhil Pahwa, Founder & Editor, MediaNama, said that it makes sense to have state-level adjudication and a centralised body for rule-making.
- There was a suggestion that data protection is an area which will intersect across sectors so it cannot be limited to one regulator. The attendee called for a healthy balance between centralisation and being nimble enough to decentralise certain things.
Need for investigative powers: “They are just giving people information in the form of notices and expecting them to protect themselves (but it) doesn’t work in the context of privacy. It helps to have an entity that looks out for your interests and can take action when they see things that aren’t okay. People are not well-positioned generally to examine privacy practices of companies in detail,” Bailey highlighted, terming the information asymmetry as “huge”.
- He stressed the need for advisory powers as it helps to clarify the law by laying down best practices through “guidance or public statements”.
- Bailey also said that the new draft has no provision for a dedicated research wing within the board to help with capacity building and preserving institutional knowledge over time.
Lack of guardrails for voluntary undertaking: Another attendee pointed out that the idea behind voluntary undertakings was borrowed from Singapore but the government has ignored prescribing guidelines to evaluate these undertakings. “There is a guide on active enforcement that Singapore released in October 2022 wherein they have stipulated guidelines like incident reporting, mitigation, among other things. There are various aspects that you need to meet in order to get your voluntary undertaking accepted. Here (India) there is nothing,” she concluded.
No space for co-regulation: “It’s important to note that the bill does away with any attempts at co-regulation. So, for instance, the 2018 and 2019 versions allowed codes of practice to be created in a consultative manner,” Bailey stated, adding that it would have resulted in better regulations and improved regulatory certainty.
Absence of precedence: Bailey said that moving away from a full-fledged regulator goes against prevailing practice. He was also concerned about the lack of independence in the board since the Union government can appoint the entire board, lay down conditions for their appointment and removal. “…it’s not ideal because the government is regulated by this board. We should have an independent committee for selection,” he suggested.
No suo motu proceedings?: “It’s unclear if the DPA can initiate or has a power to initiate proceedings suo moto because (the bill) seems to say that it needs a complaint by a person, central or state government, a court,” Bailey said, explaining with an example of significant data fiduciaries which require an audit by data auditors. He elaborated that a person will file a complaint based on the audit presumably but there was a caveat: “You have to wait for the government to go and file a report because I don’t see individuals going and reading every data audit report,” he concluded.
Holding the government accountable: Bailey said that an individual can file a complaint against a government entity, but it is not clear whether the board will decide against the government. He warned against the possibility of a battle between the centre and a state being played out at the board. “You can imagine the central government filing a complaint against a state government or someone filing a complaint against them (centre),” he said, while pointing out that the board is a central government-based body.
- Fixing accountability: Bailey said that the board can direct the government to not do certain things or fine them which will be “pointless”. He also said that the government isn’t restricted by the provision.
- One of the attendees said that the government may be inclined to exploit a loophole [Clause 21 (11)] in the bill where it can claim that an infraction was not significant enough to warrant attention.
Evaluating harm: One of the attendees said that compensation is awarded once liability is proven, but in India compensation is broadly limited to liquidated damages, that is, damages that can be assessed and given a number. “The harm caused by a data breach may not necessarily or couldn’t be very easily quantified…usual courts in India have not been good at quantifying damages historically,” he said.
- Bailey said that it is a question of whether people are being incentivised to go to court or whether people will go to court just to prevent certain forms of harm occurring to them. He concluded that research indicates that compensation is a significant factor in people not going to courts or the data protection agency.
Vague definition: “The definition of breach includes unauthorised processing as well. Most data protection laws in the world, or even security laws, contextualise breach to security. A data breach typically would be a security-related breach. It seems to be a lot wider here because of the addition of ‘unauthorised processing’, so would that mean any non-compliance will be a breach along with significant penalties?” Sreenidhi Srinivasan, Partner at Ikigai Law, said.
Working with other regulators: “…(it is a) relevant question if you have a full-fledged regulator which is laying down rules. There might be overlap of jurisdiction. It is an adjudicatory body here. It’s less likely that there will be a direct clash of bodies,” Bailey said. He said that there might be some “incongruence” but it will not be a “significant problem”.
Setting up the board: “…it should be a full-fledged regulator with separation of function between the rule-making power and the adjudicatory power,” Bailey said, while citing FSLRC (Financial Sector Legislative Reforms Commission) to suggest a proper selection committee for selecting people.
Reinstating regulatory pyramid: An attendee suggested that the government should consider bringing back the regulatory pyramid which was contemplated for the DPA. It involved the agency having the ability to ask fiduciaries to suspend certain operations, issue a warning, issue a notice, etc. “…the pyramid needs to be brought back so that a precedent can be set in individual cases which can serve as an example to other parties,” he recommended.
Skewed balance of powers: An attendee highlighted the fact that the board has the power to sit down and look at cases of non-compliance by data principals (individuals). “But it has no powers of its own when dealing with data fiduciaries. They can act when a complaint is filed by somebody else which means that the bill is pro-data fiduciary and does not take data principals into account,” she concluded.
Note: The headline was updated on December 14, 2022 at 12:35 for clarity.
*The post was edited on December 15, 2022, at 15:55 to include key takeaways.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.