Shouldering the weight of India’s data privacy
The need for deterrence necessitates the setting up of an independent and effective Data Protection Authority
Following the liberalisation of India’s economy, there have been a number of momentous occasions where the necessities of the times have given birth to specialised regulators. With the release of the Srikrishna Committee’s draft bill and report on data protection, you may have noticed that there has been talk of an entity called the Data Protection Authority (DPA). The Committee’s recommendations outline the features of a body that has so varied a mandate that some would find its task almost insurmountable. We need to think carefully about the DPA’s design and functioning before we welcome it into our regulatory ranks.
The data protection law is impossibly broad: it covers every area in which personal data is used and defends against the unique ways in which harms can emerge in each of these. It also has to be cognisant of how different fields have peculiar uses for information, deriving diverse benefits appropriate to that sector. In this, data protection goes beyond the IT sector and ranges from various private industries to all forms of public bodies. Even in terms of the number of entities covered, it is arguable that there is no regulatory field of broader application. To make matters more complicated, the breakneck pace of technological innovation can make the best of experts dizzy. How can we achieve this mandate with the bureaucratic structures that our regulators are traditionally linked with?
Some might say that the field was always meant for self-regulation, where entities enforce rules on themselves. Unfortunately this has been tried in other jurisdictions with little success. The US is a prime example of this. Broadly comparable instances where the European Union permits entities to act on their own discretion have come to be criticised. Particularly, the European right to be forgotten allows entities receiving deletion requests to make their own determination on the matter. In view of the serious implications on fundamental rights such as free speech, the Srikrishna Committee eschews this approach in favour of regulatory checks. Similarly, private entities in Europe may process personal data without consent for ‘legitimate interests’ by balancing the rights and interests of all involved. Here too, the Committee points to the scope for abuse by requiring that the DPA must specify ‘reasonable purposes’ after a similar balancing exercise.
Further, in view of the bewildering diversity and complexity of technical considerations in different sectors, adequate room for adaptation is made through two prongs: one, a statutory baseline is created in broad terms in the draft bill, and two, codes of practices are envisaged to ensure that appropriate rules are put in place in different contexts while respecting the minimum standards. For instance, while the draft bill refers to “appropriate” security safeguards and data retention for “as long as may be reasonably necessary”, what this would actually mean has to be made clear through contextual regulations and codes which must be issued by the DPA after consultation with the relevant stakeholders.
Yet others may say that the regulatory scheme should have been based around existing sectoral regulators. This ignores the fact that these authorities already have their hands full with their existing mandates. More important, it also fails to note that a coherent data protection law requires a unified vision with strong baseline principles put into action by a well-coordinated mechanism. Given that entities operate across sectors and different sectors also interact with each other on data, avoiding piecemeal enforcement requires dedicated resources with specialised technical skills. International practice concurs with this approach.
The breadth, complexity and need for deterrence necessitates the setting up of an adequately staffed and trained DPA which is able to execute its mandate independently and effectively even when this might be against the myriad departments of the government that currently process personal data. The close link between the DPA’s functioning and the right to informational privacy in India is a unique aspect of this debate. The Puttaswamy judgment declares this right as fundamental to our polity and an effective watchdog is an attendant demand.
SOME SAY THE REGULATORY SCHEME SHOULD HAVE BEEN BASED AROUND EXISTING SECTORAL REGULATORS. BUT THESE AUTHORITIES ALREADY HAVE THEIR HANDS FULL WITH THEIR EXISTING MANDATES