The Data Protection Bill 2019 has proposed creation of a Data Protection Authority of India, a regulatory authority that will be responsible for enforcing the rule for both personal and non-personal data. The Data Protection Authority (DPA) was conceived as an independent regulator but the revised bill makes the government sole authority to determine DPA. The revised draft has drawn flak for a multitude of reasons especially for being heavily-loaded in the government’s favour.
During a panel discussion on Plunge Daily Twitter Spaces on Wednesday, Kazim Rizvi, founding director-The Dialogue; Arya Tripathy, partner at Priti Suri & Associates and Shefali Mehta, Programme Manager, The Dialogue and Ashutosh Bhattacharya, editor-Plunge Daily discussed the present structure of Data Protection Authority and its possible implications on India’s data governance.
Setting up the tone for the discussion, Shefali Mehta underlined the need for DPA to be an independent authority especially in view of the government’s growing impetus on technology.
“At the heart of this authority is the need for it to be independent, because effectively the role of this authority is to act as an independent arbitrator or a supervisor between all the stakeholders in this framework. And it becomes more important when the government is one of the largest fiduciaries of data,” she said.
“Budget 2022 was a good example to see the amount of data that the government is going to be dealing with in the upcoming years. We’re moving towards a tech and data driven industry and economy and that is where the importance of this authority will come into play. And especially to what extent that it can assert its authority in an independent and unbiased manner”
Referring to the composition of the selection committee in the revised bill, Kazim pointed out that it is still executive-heavy and more discussion is needed with respect to its independence.
“In the previous version of the bill, the DPA was not independent in terms of selection. It had members of the executive but it did not have any judicial or parliamentary representative, even an expert was also not included. The current version has the attorney general and director from Indian Institute of Technology. Although it’s a step forward, in core practise, AG will still be an officer from the government. So, we believe the selection committee is still executive heavy. The second aspect is on the funding aspect of the DPA. There is still not enough clarity when it comes to financial independence.,”
Arya Tripathy stressed that the DPB bill could have done much better in terms of building checks and balances on the scope of power.
“The recent draft has expanded the ambit. It has moved from regulating personal data to regulating the whole data ecosystem. But perhaps a better approach could have been that DPA’s powers had a guideline note to say that the EPA is authorized to follow a staggered or multi sectoral approach, that would have been very, very helpful which is currently missing. In terms of capacity building capacity should now be focused on sensitive data sectors where the risk or harm is more,” she said.
“The current bill has not exactly accounted for a DPA which is going to be a tech savvy, modern outlook and that is going to be a big setback. Independence is another important aspect. Despite several organizations making a recommendation that there should be judicial members, it continues to be an executive heavy Selection Committee, which is a big problem.”
Shefali Mehta also expressed concern over Section 86 of the bill which empowers Centre to issue binding directions to the DPA without any prior consultation with it.
“There’s a very particular clause in the bill that states that the central government’s decisions, in terms of policy matters, will be binding on DPA. Now, I think this dilutes the autonomy of the DPA in a very significant manner. The JPC in its recommendation has also added that the DPA needs to get the central government’s approval to sanction cross border transfer of sensitive data when it’s under contractual purposes,” she said.
Kazim sought more clarity in terms of internal harmonization between sectoral regulators and also brought out the aspects of interoperability which need more attention in the current bill.
“I want to focus on three broad-based areas-How will DPA work with other regulators such as RBI, TRAI or the Competition Commission of India. So, we need to observe the internal harmonization with regulators. Another key aspect is process, we need to have clear guidelines for example- when it comes to regulating payments data, which is already under RBI’s jurisdiction, how would it pan out. So, ensuring synergy will be a challenge. And if there is a breach and DPA has to penalise a data fiduciary, what will be the sectoral regulators role in that process. Those rules and SOPs have to be defined,” he said
“Interoperability is very important because we are now entering a stage where technology is going to be the foundation for the future economic growth. So, what we are also seeing is that the future of trade is going to be digital. It is imperative for the government to take into account these changes while entering into agreements with other countries. For India to participate in the Global data ecosystem, it is important that we have a law which is interoperable with other countries. DPA’s structure is not interoperable with GDPR standards that could be a sticking for free trade negotiations and future of internet economy.“
Speaking about the technical expertise of the members of DPA selection committee, Arya said, “we need to understand that if we get somebody who is a qualified software engineer on to the DPA, that’s not going to solve the purpose. It’s not just an engineering technology space. DPA has a broader mandate. So you would need somebody who is constantly willing and forthright and upcoming to interact with the ecosystem. Learn the pain points, the plus points, and be very keen to understand where it is headed.”
The panel also noted that the penalty of 4% of total turnover could be a deterrent for startups and MSMEs.
Penalty will be a deterrent to smaller companies, they brought back percentage aspect and caps on penalties, brought in central govt involvement, in terms of prescribing the penalties Earlier it was with adjudicator authority. If we go by the 4% penalty, it may look like a smaller number but for startups and MSMEs, it will be a deterrent.