The how of data protection - The importance of autonomy and consultation - Hindustan Times


By Hindustan Times
Mar 08, 2023 09:50 AM IST

This article has been authored by Amrita Nanda and Shefali Girish, Research Analysts at Aapti Institute.

With increasing digitisation, and the harms associated with it, it is unsurprising that there have long been calls for a data protection law in India. After the Puttaswamy Judgement recognising the right to privacy in 2017, the government has been trying to pass a data protection law, with attempts in 2019 and in 2022. The 2022 bill (the Digital Personal Data Protection Bill) differs in many ways from its 2019 counterpart (the Personal Data Protection Bill), such as its classifications of personal data, its consent frameworks and data localisation requirements. But perhaps the most striking divergence is the different approaches they take towards enforcement.


One of the most important aspects of a rights regime within any democracy is its enforcement framework. It is one thing to outline rights, duties and obligations in law, but the bedrock of effective laws is who or which body enforces them and how that body is constituted. This is particularly true for a domain like data protection, which calls for extensive technical expertise that can adapt to the swiftly evolving aspects of data processing, anonymisation and usage.


A democracy’s data protection framework is therefore only as strong as the empowerment, autonomy, expertise and efficiency of its enforcing authority. Establishing such a body is no small feat, given the pace of development in the industry - it requires a process that is thorough and has consultation at its core. It is questionable whether the enforcement authority under the 2022 bill, the Data Protection Board (DPB), has these characteristics. In some ways, it has regressed from its counterpart in the 2019 bill, the Data Protection Authority (DPA). It is worth contrasting the two to examine what steps are still needed to ensure that India has an effective enforcement authority - to protect the digital and data rights of Indians from being exploited by emerging technologies.

The DPA in the 2019 bill was envisioned as an independent regulatory authority and was prescribed a wide mandate of responsibilities. The bill also contained many stipulations on the composition of the DPA, including its numeric strength, as well as specifications on the technical expertise and experience required. For example, the appointment of independent experts had to be “from the field of data protection, information technology, data management, data sciences, data security, cyber and internet laws, public administration or related subjects.”

However, under the 2022 bill, the DPB’s strength, expertise, qualification, or composition are not coded within law. Instead, these conditions, as well as those around appointments and dismissals, will be written as rules by the central government. This considerably dilutes the DPB’s independence, and is especially concerning given that it will be issuing and deliberating on sizable financial penalties. The lack of codified rules could also lead to lax qualification requirements that fail to ensure adequate technical expertise. It is therefore essential that the 2022 bill codifies qualification criteria for the DPB’s members, and does not leave them entirely to state appointments.

But perhaps the most important divergence between the DPA and the DPB is what they are enforcing. Under the 2019 bill, the DPA was to play an active role in building rules and regulations, by fleshing out interpretations of the bill’s provisions. The 2022 bill departs from this approach. The DPB is no longer a standard-setting agency, with this role again being reserved for the central government. Instead, the DPB will only be responsible for enforcing compliance: by investigating non-compliance, directing remedial measures, and performing any other functions that the central government may prescribe. This dilutes both the mandate and the autonomy of the authority.

There are positives and negatives to discarding this rule making function of the enforcement authority under the 2022 bill. On one hand, the narrowing of the DPB’s mandate (which is accompanied by limitations of applicable sectors and data types) can serve to mitigate regulatory overlaps and overburden - a systemic issue in India. On the other hand, this approach may increase regulatory uncertainty - as the DPB will no longer be proactively rule-making, it is unclear how far it can support industries and other relevant stakeholders in the actual interpretation, instruction and on-ground implementation of the bill.

It is this relationship between those who make the rules and those who have to follow them that is often the most critical in any enforcement mechanism. There needs to be a systemic approach to building a feedback loop that ensures rules are both effective and not overly onerous. This is important given how diverse and quickly changing the digital economy is, as it ensures stakeholder buy-in on regulations, builds trust across networks, and, perhaps most importantly, creates rules and standards that are truly reflective of the myriad challenges and processes existing across the field. Untangling highly technical questions around issues like anonymization standards, sharing purposes and modalities of harm reduction will require the inputs of those stakeholders that regularly engage with these processes, as they will have a firsthand understanding of the ramifications of any potential regulations. The friction between the private, the public, the academic, the users and offline communities is necessary fodder for robust regulation.

To ensure that this level of consultation happens adequately, it is important that processes are outlined clearly. In India, public consultation before drafting subordinate legislation like rules is not mandatory unless the statute mandates it. Unfortunately, neither the 2019 bill nor the 2022 bill contains a clear process for or a commitment to consultation. In fact, the 2022 bill provides the central government with the power to issue binding directions without requiring consultation, allowing what may be some of the most important provisions of India’s data protection regime to be passed unilaterally. There is a need to codify deliberation and cross-stakeholder involvement into the bill itself. The wider affected ecosystem needs to come together to advocate for consultative deliberation.

There are many examples of consultation to draw inspiration from - a few regulatory authorities such as IBBI, IRDA and TRAI follow consultative exercises to some extent. TRAI in particular utilises an effective consultative process, which most recently entered into public consciousness when the Save The Internet campaign sent automated mails to TRAI in response to Facebook Zero. The 2022 bill would also do well to follow the recommendations of the Financial Sector Legislative Reforms Commission (FSLRC), which contained detailed requirements that regulators could follow to create a transparent consultative process.

Data protection for India is a long-term journey, and a data protection law will be a crucial first step and a chance to build a robust regime with thought and care. Ideally, the 2022 bill should strengthen a fairly fractured and siloed data economy by bringing stakeholders together and setting the stage for a collaborative future. There is no room to sidestep the conversation on the state’s relationship with data protection authorities (and rule-makers), and the extent to which the final bill instils an autonomous, collaborative ethos can very well make or break how Indian data protection plays out in the coming years.

