“I think there are other problems here that make that entire process [of the Data Protection Board of India’s functioning] pretty problematic,” said Carnegie India’s Anirudh Burman at the “Data Protection Board” session of MediaNama’s PrivacyNama conference last week. “For example, is the DPBI going to sit as a Board for every single matter, or are there going to be individual members of the Board who are going to handle matters separately?”
Among other issues, the session examined how the Data Protection Board of India—the apex data privacy regulator established under the recently passed Digital Personal Data Protection Act—should be best staffed to handle a large volume of privacy complaints.
Currently, the “independent” Board will be staffed by members directly appointed by the Indian government, raising concerns over Executive influence in privacy disputes. The government will notify the number of members, and how they will be appointed, on currently unspecified grounds. At least one of its members should be a legal expert, while the others may have experience in “data governance, administration or implementation of laws related to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation, or in any other field which in the opinion of the Central Government may be useful to the Board”.
“If you have only individual members who are going to pass orders, shouldn’t every member then be qualified in a certain way so as to be able to pass orders?” Burman continued last Friday. “The point of a board works where the entire board collectively sits in on a decision and passes an order. And [within it] there are some legal members, or some quote-unquote judicial members and some members who are technical experts, right? But, if you’re going to have a system where the chairperson can basically depute [privacy complaints] saying, ‘you take up these categories of matters and I’m going to handle these categories of matters’, then that entire rationale for having that Board breaks down, and that variety in qualifications and expertise breaks down [too].”
Burman was joined by Alok Prasanna Kumar (Vidhi Centre for Legal Policy), Meghna Bal (Esya Centre), and S. Chandrasekhar (K&S Digiprotect). The session was chaired by Arya Tripathy (PSA Legal).
This discussion was organised with support from Meta, PhonePe, Google, and Salesforce, and in partnership with CUTS and the Centre for Communication Governance.
The qualification requirements of the Board’s members may not be precise enough: “Speaking a little bit about the composition of the board, and going back to the example of the Copyright Board [established under the Indian Copyright Act, 1957], it basically became defunct because there wasn’t a technical member,” recalled the Esya Centre’s Meghna Bal. “If you ask anyone on paper, an IAS officer, an economist, and a judicial member is kind of an ideal troika in the context of a regulatory body. But over here, given that it [the Data Protection Board] is quasi-judicial and there’s only one legal member, who doesn’t even have to be a judge, that is somewhat questionable.”
Vidhi’s Alok Prasanna Kumar added that the requirement of a ‘legal’ member need not imply that they would be good adjudicators.
“Training in law does not necessarily mean you’re trained in adjudication,” Prasanna Kumar pointed out. “This is something which lawyers have realized when they’ve gotten elevated to the high courts, that simply knowing the law well doesn’t mean they have the temperament, ability, and training on how to decide [matters]. So, nowhere does this [data protection law] say somebody with some experience in adjudication [will be appointed to the Board]…The government thinks somebody who’s been a secretary in the law department is good enough to be a judicial member. That’s not true. There have been some members who have been good judicial members, but you need that training in adjudication. These are complex areas.”
The tenure of Board members may be too short—by the time they gain expertise, their term would be up: “They have kept the tenure [for Board members for] only two years,” K&S Digiprotect’s S. Chandrasekhar pointed out. “It’s such a complex topic, a complex subject, that by the time they build their capacity, they would be out and then somebody else would come [in]. So, probably, the tenure should be lengthened. And…they should have a bigger board or maybe some kind of a regional board or some kind of a gradation so that they’ll be able to handle the huge number of penalties [and complaints coming in]. So, going forward, I see a lot of choke points which need to be thought through. Otherwise, there is a possibility of this mechanism having a lot of teething troubles at the initial stages.”
Notably, both the Chairman and the Board’s members are eligible for re-appointment under the data protection law.
STAY ON TOP OF TECH POLICY: Our daily newsletter with the top story of the day from MediaNama, delivered to your inbox before 9 AM. Click here to sign up today!
Read more
- Scope Of Data Protection Board Under India’s Digital Personal Data Protection Bill
- How Does India’s Digital Personal Data Protection Bill Address Data Breaches?
- Fifteen Major Concerns With India’s Digital Personal Data Protection Bill, 2023
- A Complete Guide To India’s Digital Personal Data Protection Bill, 2023