The Ministry of Electronics and IT (MeitY)’s June 29 decision to block access to 59 Chinese mobile apps – by invoking the exception clause relating to sovereignty under Section 69 of the IT Act – has been welcomed by most. But it is at best an ad hoc measure. Amongst other concerns, the MeitY order specifically refers to the mining, profiling and unauthorised use of personal data. These issues are a continuing cause of concern for any application or data system and need to be addressed systemically and dynamically.
Ad hoc measures act at best as a temporary Band-Aid, but may result in disproportionate responses instead of well-planned alternatives backed by law and a well-defined strategy. The instant ban is yet another call for having a functionally robust Data Protection Authority (DPA).
The Personal Data Protection Bill, 2019 entrusts the DPA with the mammoth task of protecting the right to privacy of 1.3 billion Indians by regulating approximately 600 million entities, including the proliferating digital ecosystem of both the government of India and the states.
Unlike sectoral regulators such as SEBI, IRDA and TRAI, the DPA is a sector-agnostic body with wide powers cutting across different sectors and economic spheres. It has powers to penalise not only the central and state governments but also other fourth-branch watchdogs such as the Comptroller and Auditor General of India and the Election Commission and, even more significantly, the legislature and the judiciary itself.
To discharge its crucial role impartially and effectively, the DPA needs sufficient capability. The EU shares its data only with countries which meet the ‘adequacy requirement’ under the General Data Protection Regulation (EU GDPR) and the OECD privacy guidelines. The independence of the DPA is the foremost criterion for meeting such a requirement and a necessary prerequisite for a free and fair cross-border transfer of data. Only with an independent DPA can India unlock its true potential in global digital commerce.
First, under the bill, the Centre has the power to notify categories of ‘sensitive personal data’ in consultation with the DPA and concerned sectoral regulators. Such powers should vest solely with the DPA as it is the primary rule-making body under the bill and must remain at more than an arm’s length from the government. Second, the Centre is empowered under Section 86 of the bill to issue binding directions to the DPA without any prior consultation with it. This may adversely affect the functional autonomy of the body.
Third, while the power to notify certain large data fiduciaries as ‘significant data fiduciaries’ rests solely with the DPA, the Centre has been given the power (in consultation with the authority) to notify social media intermediaries as significant data fiduciaries, thereby diluting the DPA’s power.
Data fiduciaries at all levels of the government, ranging from the panchayat level to the Centre, will be regulated by the DPA. To design effective regulation, monitoring and enforcement mechanisms and create awareness of data protection rights at the grassroots level, the DPA must be a decentralised body on the lines of the State Information Commissions or the Consumer Protection Authority and the Consumer Fora. A single centralised body as conceptualised now may not even be able to functionally discharge its responsibilities of safeguarding every citizen’s right to privacy and preventing any harm to them. But a decentralised body will pave the way for an efficient, agile and flexible DPA.
Further, given its cross-sectional mandate, the DPA may need to be constituted as a collegial body with a combination of full-time, part-time and independent members from the judiciary, civil society and persons of ability, integrity and standing in the field of data protection, technology and regulation. Considering the brisk pace of change in the field of technology and data sciences, increasing the DPA’s capacity, both qualitatively and quantitatively, in this area is a crucial imperative.
The bill adopts the good practice of involving various stakeholders such as industry, trade associations, departments of the governments, other sectoral regulators and the public in the formulation of codes of practice. However, the same transparent and consultative method is missing from the process of framing other rules and regulations. An opaque regulation-making process has the potential of becoming the Achilles heel of the bill.
The DPA must also be required to publish results of inspections and inquiries that it conducts on data fiduciaries. Strong disclosure and reporting requirements must therefore be enshrined in the bill to gain much-needed public trust and make enforcement effective. The DPA has to subject itself to the requirements under the RTI Act.
Lastly, the bill confers absolute discretion on the Centre for deciding the number of adjudicating officers, the manner and term of their appointment and their jurisdiction. The adjudicating officers preside over disputes under the PDP Bill. This unfettered discretion may create issues of independence, conflict of interest and bias. The appointment of adjudicating officers must therefore be vested in an independent DPA with benches established at the district and block levels to improve accessibility.
Any law or policy is only as good as its enforcement. Efficacious and effective implementation and enforcement depend upon capacity and capability. With rapidly progressing technology in a global world, we must envisage a DPA which is able to meet contemporary challenges, so that it becomes a model worth emulating.