While the Digital Personal Data Protection Act institutes the Data Protection Board of India as the country’s data privacy regulator, little is known about how its day-to-day operations of settling privacy complaints will be funded. The Act doesn’t specify much on these lines—and even the penalties the Board imposes on non-compliant actors will be deposited elsewhere, and not with the Board itself. Experts at MediaNama’s PrivacyNama conference exchanged notes on how the government may work around this gap to ensure that the state-appointed yet ‘independent’ Board operates smoothly.
“This [data protection] law says that penalties [for non-compliance by companies and people] will actually go to the Consolidated Fund of India, which is a good thing, because the agency [the Data Protection Board of India] should not have the incentive to keep imposing penalties to enrich itself,” Carnegie India’s Anirudh Burman pointed at while speaking during the “Data Protection Board” session of the conference. “But having said that, this law also does not have any provision for the agency, for the Board, to collect fees. It also does not have any provision in the law for the central government to make grants to the board for its functioning, for salaries and expenses.”
“When you set up a new board or an agency which is supposed to be at arm’s length [from the government], you are worried about three things,” Burman explained. “One is independence, the other is accountability, and the third is whether the agency will function properly. So, you are worried about the finances from all three points of view. What you typically do for a regulatory agency—and again, this is not a typical regulatory agency, it’s an independent body—is create a separate fund, which is a bank account where all the money collected by the regulatory agency gets deposited and is used for meeting its expenses. In addition, if the Central government wants to give money to the agency to support it financially—because not all regulatory boards are financially viable on their own—the Central government can make a grant. All of this is usually written down in the law very, very clearly and specifically, that the Central government can make grants to the body for salaries, expenses, etc. [Also, the law could mention] The regulatory body can collect fees and other charges for meeting its expenses and so on and so forth. [But] There is nothing like that in this [data protection] law.”
Chaired by PSA Legal’s Arya Tripathy, Burman was joined by Alok Prasanna Kumar (Vidhi Centre for Legal Policy), S. Chandrasekhar (K&S Digiprotect), and Meghna Bal (Esya Centre).
S. Chandrasekhar appeared clear that the Board’s funding would be a “line item” in the Indian government’s IT Ministry’s annual budget. “It’s a small board, I don’t think financing will be a problem at all,” Chandrasekhar said. “MeitY [the Ministry of Electronics and Information Technology] is going to fund this body.”
“On penalties and accrual of penalties, even if it did go to the Board, it will take a long time for the realization of any penalties given that you have so many stages of appeal,” Esya Centre’s Meghna Bal drily pointed out. “Take the example of the Competition Commission of India [India’s antitrust regulator], where collection of penalties is a problem—it takes about 10 years for a case to reach its conclusion.”
Could rules issued under the data protection law clarify the Board’s funding? MediaNama’s Editor Nikhil Pahwa posed this question—to which Burman responded that “even the rules have to be guided by the [parent] law, right? You cannot create a rule unless there’s no legal provision enabling you to write the rule.”
“Constitutionally you cannot appropriate money on the basis of rules,” added Vidhi’s Alok Prasanna Kumar. “It has to be something that parliament has to vote on.”
An appropriations bill could solve the funding quandary: “The government may make an appropriation bill, [it] doesn’t have to amend this law [on data protection to insert funding clauses],” Prasanna Kumar suggested. “It will have to pass a separate appropriations bill where it says ‘we’re going to give X amount of money to the Data Protection Board of India’, right? So that will bring the money in. [Also] There is no provision here mandating that the government spend a certain amount or give a certain amount to this particular body. So, each year, this body will be at the mercy of [the government, asking] what will be the amount that the government will give us, how much they will allow us to function and so on and so forth. It is not like, say courts, [where] their budgets are basically charged to the Consolidated Fund of India. It’s just parliament which…approves of it. [To sum up] This Board will be dependent on the government passing an appropriations bill, saying ‘this amount is going to go to the DPBI or that particular ministry’, which I think is going to be the Ministry of Electronics and Information Technology.”
You can watch the video of the discussion here:
This discussion was organised with support from Meta, PhonePe, Google, and Salesforce, and in partnership with CUTS and the Centre for Communication Governance.
STAY ON TOP OF TECH NEWS: Our daily newsletter with the top story of the day from MediaNama, delivered to your inbox before 9 AM. Click here to sign up today!
- Scope Of Data Protection Board Under India’s Digital Personal Data Protection Bill
- How Does India’s Digital Personal Data Protection Bill Address Data Breaches?
- Fifteen Major Concerns With India’s Digital Personal Data Protection Bill, 2023
- A Complete Guide To India’s Digital Personal Data Protection Bill, 2023