“A neutered or slightly diluted regulator is not [necessarily] a bad thing,” responded the Esya Centre’s Meghna Bal when asked if the functions of India’s apex privacy regulator established under India’s newly-passed data protection law have been watered down from previous drafts of the law. Bal was speaking at the “Data Protection Board” session of MediaNama’s PrivacyNama conference last week.
“I’ll play devil’s advocate here because I’ve seen what a, let’s say, a very active and so-called independent regulator is like in action with the Telecom Regulatory Authority of India [TRAI],” Bal continued. “Part of my background is in broadcasting. And there you have a regulator [TRAI] which has issued something like 17 regulations across 17 years, perhaps more, actually more. And each of those has been challenged and gone to litigation.”
Chaired by PSA Legal’s Arya Tripathy, the session’s co-panellists S. Chandrasekhar (K&S Digiprotect), Alok Prasanna Kumar (Vidhi Centre for Legal Policy), and Anirudh Burman (Carnegie India) exchanged notes on how the Digital Personal Data Protection Act frames the role of India’s privacy regulator, the Data Protection Board. Previous drafts of the law envisioned India’s privacy regulator as having advisory powers, among others. The Board, however, only looks at determining non-compliance with the law.
Later on in the discussion, Bal noted that the watering down of the Board’s powers could impact the enforcement of India’s privacy law.
“Although I’m always in favour of not a super active regulator in this country, I think something that was missed—looking at the European Data Protection Supervisor [EDPS]—is advisory powers,” Bal noted. “The EDPS provides a lot of clarification about the implementation of the [European Union’s privacy] act and how you can adhere to it. Not only that, it [also] provides clarification on emerging technologies that may have certain constructs that are diametrically opposed or directly conflicting with the principles of data protection, where you wouldn’t understand what to do…They can issue opinions and that is missing over here [with the Board]. I think that is a huge missed opportunity because I don’t know who’s going to fill that role even in the context of standard contractual clauses. Again, the EDPS can do that over there [in the European Union], where they can give you a template of how to draft your agreements, etc. Over here, there’s no such clarification that is going to take place. So, I’m assuming that people will just model their agreements or their frameworks against what is already in the market.”
This discussion was organised with support from Meta, PhonePe, Google, and Salesforce, and in partnership with CUTS and the Centre for Communication Governance.
The board is more of an administrator than anything else: “The choke points start right from the structure,” said K&S Digiprotect’s S. Chandrasekhar. “I would not even call this a Data Protection Board, I would rather call it a data protection administrator, because very less powers have been given [to it]. They are basically going to administer; the government is going to decide everything—the government is going to tell the rules, they are only going to probably ratify it or ensure its administration.”
Capacity constraints may render the Board non-functional: “The Board is going to get overwhelmed very quickly because [of] the ease in filing…everyone will file complaints,” Vidhi’s Alok Prasanna Kumar noted. This body will suddenly have 30,000 cases on day one, [it’s] not going to be able to function, not going to be able to figure out how to do it”.
“There is one more choke point which we have not exactly highlighted here, which is this preliminary inquiry [into complaints],” Prasanna Kumar observed. “My fear is that the board may say [to complainants], ‘listen, you haven’t done enough homework to prepare this case. We are not going to do it for you, dismiss it’…So, it just practically becomes a post office, where somebody with good intentions comes to file a complaint, but because the body does not really know how to go about with this case, says, ‘okay, you haven’t made out a prima facie case’, and throws it out.”
“So, this is where I think one advantage of a state-level [data protection] regulator is,” Prasanna Kumar argued. “It’s not as if there’s a small elite of 3 million people in this country whose data is being collected. There are probably a billion people whose data is being collected. Even if a fraction of them, less than 1%, like 0.1%, have some grievance about it, and they file a case, there is, that’s about a million cases already into the system, right? So this is not a credibly designed body. Even if you implement it, you are going to overwhelm it and reduce it to be non-functional on day one.”
Bal pointed out the flip side of multiple state-level data protection authorities, citing the example of the European Union. “Germany has…about 19 data protection supervisors, and it’s both a good thing and a bad thing because these data protection supervisors don’t agree with each other,” Bal said. “So, there’s no consensus on how to implement the [privacy] law...On the other hand, of course, the converse is that this law says that you have to provide consent notices in the 22 languages that are under the [eighth] schedule of the Constitution. At the same time, will this Data Protection Board have the capacity to respond to disputes in those many languages?”
Little clarity on how the Board will enforce its orders: “There is nothing about enforcement [of the Board’s orders] in the law,” Carnegia India’s Anirudh Burman pointed out. “There is no provision which says, what happens if you fail to pay the penalty, what happens if you do not comply with some direction?…If you look at most regulatory authorities, [or] most quasi-judicial bodies, there are consequences for violating the order of the regulatory agency or the quasi-judicial body…[In this case] It’s almost as if you’re relying on the good graces of the firm to actually comply with the order of the Data Protection Board of India.”
“You will [eventually] have a particular category of firms who will comply because it just looks bad,” Burman continued. Maybe if you’re a foreign firm, then you’re required by your home country regulator to actually comply with domestic law in other countries and so on and so forth. But, there will be another category of firms who actually might not want to comply with this and there’s very little the Data Protection Board of India will be able to do, right? Then you again have to go to a civil court and try and enforce the order of the Board through the civil court mechanism, which makes the whole point of coming to the Board kind of pointless.”
The appellate forum for the Board’s data protection orders being the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) raises concerns: “There’s a problem putting a telecom appellate tribunal on top of some data protection [law]—they are likely to not have any subject matter expertise,” Bal argued. “If you look at the TRAI Act, TDSAT looks at disputes between licensees, consumers and licensees, and licensor and licensees in telecom and broadcasting…Again, just the question of capacity overrides most considerations because I don’t know how they’re going [to] find a technical member for the board [the TDSAT] itself. I’m assuming they’ll want one.”
Bal added that a different problem with most regulators in India is there’s no legitimate testing of their decisions—which complicates challenging them. “Even in the context of TRAI, you have the TDSAT, but then you also have the High Court,” Bal explained. “TDSAT can’t look at disputes between TRAI and licensees in broadcasting or telecom, they have to take their matters to the High Court where you have non-specialized judges dealing with highly technical matters. This usually results in the regulator having its way because they [the courts] say, ‘there’s presumption of constitutionality, they have expertise in the subject’. They [regulators] usually do pretty well in courts, because courts are generally loath to get into the technicalities of regulation. So, considering all of that it’s going to be quite uncertain [the appellate process], it’s going to take time to settle, if at all.”
The Board has no suo motu powers, law contains few additional systems to enforce data protection: Responding to an audience question, Bal clarified that the Board only responds to complaints it receives. In effect, it has no suo motu powers.
Burman argued that this was a big concern with how the Board is structured. “The consumer has a very high threshold for coming to the Data Protection Board in the first place,” Burman explained. “[Point] A, it’s very hard to understand what’s happening with my data, right? [I can’t file a complaint] Unless I hear about a huge data breach, and I take the pain of figuring it out, and I go to the company and ask for information and so on and so forth. [Point] B, there is no compensation at the end of the process that I’m entitled to. So first, it’s a huge barrier for someone to come to the Board unless you’re sufficiently motivated. Then you add to that the problem that the Board has no suo motu powers of its own. So, you’re actually not creating enough systems through which data protection can be effectively enforced through this law.”
The government may act on behalf of affected data principals and approach the Board: “The government cannot be affected by itself, this is not a law to deal with government data breaches, it’s to deal with the violation of personal data of individuals,” said Prasanna Kumar. “[So] The government may on behalf of such individuals, who may not be in a position to approach the Data Protection Board, or may be too diffused a number to act coherently, make a reference that ‘such and such data fiduciary has committed a violation of the act’, or ‘we think they have committed a violation of the act, please undertake an inquiry’.”
However, Prasanna Kumar added that the likelihood of the government approaching the Board this way was limited—especially given that the data protection law is muted on who will be investigating the allegations.
“Let me just clarify two things about the legal process,” Prasanna Kumar continued. “Now, there’s an investigation, which is what the police does, which is also what the Competition Commission of India [the antitrust regulator] does, for instance. They take up [the case], they go out, they find out the facts, and they undertake the exercise [of investigating]…What happens in court, after an investigation is done, is an inquiry where somebody says, ‘okay, the police has said this, we believe them, therefore [we make] this argument’, or ‘we don’t believe you, therefore [we make] this argument’. Even if the government makes a reference, is the government going to be a party? Is the government going to do the investigation? If so, which wing of the government? If so, will it be the government of India versus such and such body? Are you just going to passively sit there as a Data Protection Board and let two parties decide this issue, provide the evidence and the arguments and decide this issue passively? I think that is what is not clear…In a sense, this reference, I’m not even sure if the government is going to use it as much because now it’s taking upon itself the burden of doing what an individual is required to do in this case, which is to show there has been some violation of their rights. Now the government may not be in a position to say, ‘okay, we can do all this investigation and produce it’ because where is that legal framework which says this [specific] part of the government will investigate, this is how they will present [the evidence]?”
Burman added that “even as a quasi-judicial body, if you compare the Board to say the provisions for inquiry and investigation given to the Securities and Exchange Board of India [the securities market regulator], or to TRAI or to any other financial regulator, the provisions here are pretty sparse. So, it’s basically [for now] that you come there [to the Board], you make a presentation, you have an inquiry, and then you just go. So, there is a huge gap in how we are thinking about how this entire process is going to flow.”
The ‘independent’ Board’s structuring may tie into India’s larger institutional approaches and circumstances: “If you look at it more broadly and step away from the structure of the Board, taking an analogue from India and trade policy, it really speaks to the way that India tries to balance pragmatism with some sort of value-based moralism,” Bal observed. “And unfortunately, or fortunately, or however you want to take it, that pragmatism is taken with a lot of suspicion because the state has done very little to imbue confidence in the public and build a relationship of trust with them. So, in that context, there’s a lot of uncertainty about how this board will operate. There’s a lot of suspicion, and I would say trepidation, about what it’s going to ultimately be used for. Is it going to, on the one hand, be fining people who may have some legitimate concerns? And on the other hand, entertaining inquiries from vested interests? That is a legitimate concern because it happens in courts all the time.”
STAY ON TOP OF TECH NEWS: Our daily newsletter with the top story of the day from MediaNama, delivered to your inbox before 9 AM. Click here to sign up today!
- Scope Of Data Protection Board Under India’s Digital Personal Data Protection Bill
- How Does India’s Digital Personal Data Protection Bill Address Data Breaches?
- Fifteen Major Concerns With India’s Digital Personal Data Protection Bill, 2023
- A Complete Guide To India’s Digital Personal Data Protection Bill, 2023