Since the release of the Justice BN Srikrishna Committee’s recommendations on data protection, much has been said about the substantive elements of the draft bill. This includes discussions on key issues like consent, data localisation and surveillance.
While these are important debates that must continue, it is also time we start thinking about some of the procedural elements of the proposed law.
Ultimately, it is the structure of the law and the functioning of the Data Protection Authority (DPA) created under it that will determine the effectiveness of our data rights. The Committee has proposed that the DPA should be a body corporate with four sets of functions: (i) monitoring and enforcement; (ii) policy and standard setting; (iii) research and awareness; and (iv) grievance handling and adjudication.
Independence of DPA
Within each of these heads lie a host of activities ranging from registration of significant data operators to laying down codes of practice; from awarding compensation to aggrieved individuals to making recommendations to the government. Will the DPA actually be capable of handling these enormous responsibilities? The answer will depend on the strength of the DPA’s institutional machinery, including its independence and accountability mechanisms. Independence, specifically from the government, is a key feature in the functioning of any regulatory body.
This becomes all the more relevant in the present context because, unlike many other regulators that oversee only businesses, the DPA’s authority also extends to the government and its agencies. In fact, given the nature and volume of data handled by the government, many of its agencies would also qualify as significant data fiduciaries, hence attracting enhanced scrutiny by the DPA.
This accentuates the need for independence in the composition and functioning of the DPA.
The draft bill has suggested some protections in this regard. Notably, it does well in delegating the task of nominating the chairperson and six whole-time members, who will collectively constitute the DPA, to a selection committee headed by the Chief Justice of India. This will reduce the government’s discretion, and therefore scope for arbitrariness and bias, in the appointment process.
A Weak Foundation for the Draft Bill
The bill also restricts the re-appointment of the DPA’s chairperson and members, hence minimising the incentive to take decisions that curry favour with the government. As is the case with most statutory regulators, the bill provides the DPA with the freedom to determine the selection process and remuneration for its employees. This is an essential requirement given the breadth of the DPA’s functions, which will require it to build a competent cadre of employees, including those from the private sector.
While doing a decent job of creating these structures, the bill begins to falter when it comes to creating the underlying processes needed to support them.
For instance, both in the case of the selection committee’s procedures and meetings of the DPA itself, the bill leaves it up to the government to specify the processes that need to be followed. The draft law should ideally have gone a step further to include some basic requirements like public disclosure of the meeting agendas, views expressed by members and the rationale for any particular decision. By failing to do so, the bill misses an opportunity to ensure a minimum level of transparency in the running of the DPA. It is also curious to find that there is no discussion on having non-executive (or part-time) members as part of the DPA.
Accountability Mechanisms in Draft Bill Lacking
The Financial Sector Legislative Reforms Commission (FSLRC), another expert body headed by Justice Srikrishna, had emphasised the importance of having such members on financial regulators. As per the FSLRC, non-executive members would bring in specialised knowledge and expertise, while also serving as neutral observers who can draw attention to any regulatory mismanagement. The Committee’s report does not offer any explanation as to why this element, which is also seen in laws governing agencies like the Securities and Exchange Board of India and the Telecom Regulatory Authority of India (TRAI), was not considered relevant in the case of the DPA.
If the requirement of having only full-time members was supposed to take the DPA closer to being a “commission”, as opposed to a regulatory body with a governing board, the Committee has not spelt out this distinction. Along with questions of structure and independence, let us also assess the sufficiency of the accountability mechanisms in the bill. In general, one clear path to accountability comes from having an overarching requirement of transparency in the law.
We see such provisions in the TRAI Act, the Insolvency and Bankruptcy Code, and the Airports Economic Regulatory Authority of India Act.
This is clearly reflected in the relatively more transparent processes of these bodies compared to other Indian regulators. Unfortunately, the data protection bill misses out on this front.
Two Welcome Moves in Draft Bill
The bill lacks an overarching mandate of transparency in the DPA’s functioning and in most situations also fails to spell out such requirements in its specific provisions. There are, however, two notable exceptions to this. First, the draft bill calls upon the DPA to adopt an open and consultative process in formulating any codes of practice for data fiduciaries.
Second, it makes a welcome move in putting the DPA under an obligation to coordinate with other regulatory bodies.
Areas like health, finance and telecom, where sector regulators have already begun to focus on data protection issues, are some obvious sites for such regulatory interplay. Interestingly, when it comes to the framing of binding regulations, the bill does not bother to adopt the same standards that it does for non-binding codes of practice.
Given the principles-based nature of the bill, the DPA will enjoy a wide discretion in setting out the nuts and bolts of the legal framework.
To place this in context, there are about thirty broad areas that are reserved for regulation-making by the DPA. This extensive scope of the DPA’s powers and significant consequences of non-compliance with the law make it all the more important for the DPA to follow greater transparency in its regulation-making. We therefore need statutory requirements compelling the DPA to engage in public consultations, conduct cost-benefit analysis and provide a reasoned explanation while framing its regulations.
Two Other Elements for Accountability
Finally, there are two other elements for accountability in the draft bill. These relate to (i) the creation of an Appellate Tribunal to hear challenges against the DPA’s orders; and (ii) the reporting requirements cast upon the DPA. Here again, the bill would stand to gain from a more nuanced position in terms of setting out exactly what is expected from the agency. For instance, the bill just provides that the DPA’s annual report should offer a summary of its activities in the previous year.
However, for the annual report to really serve as a tool of accountability, the bill needs a more granular description of what the report should contain.
Referring again to FSLRC’s recommendations, this would include items like details of the deliberations held in the agency’s meetings; reasons for non-compliance with any statutory functions; and a list of major activities proposed for the subsequent year.
In sum, the present draft takes only tepid steps towards building the DPA on strong foundations of sound agency design. Having an authority with tremendous powers, but minimal structural safeguards, would only lead to sub-optimum outcomes for all stakeholders. It is therefore imperative that we recognise these gaps and collectively work towards addressing them in subsequent versions of the bill.
(Smriti Parsheera is a consultant, National Institute of Public Finance & Policy. She tweets at @SmritiParsheera. This is an opinion piece and the views expressed above are the author’s own. The Quint neither endorses nor is responsible for them.)