In Part 8 of the #DataProtectionTop10, we analyse the provisions in the Personal Data Protection Bill, 2019 which relate to the Data Protection Authority of India (DPA). The independence of the Data Protection Authority of India is being called into question by certain provisions in the Bill, such as clause 42, under which the members of the Selection Committee that selects the members of the DPA are all members of the executive, and clause 86, which states that the DPA shall be bound by the orders of the Central Government. We recommend that the constitution of the Selection Committee be made diverse and clause 86 be deleted from the Bill.
So far, we have been discussing the issues with regard to the substantive provisions of the Personal Data Protection Bill, 2019, such as the rights, consent, data localisation etc., and in the last post (Part 7) we discussed how the provisions in the Bill act as an enabler of surveillance by the State and the need to have a chapter on surveillance reforms in the Bill. In today’s post, we will be delving into the issues with the regulatory mechanism created under the Bill for the enforcement of these substantive provisions.
The Personal Data Protection Bill, 2019 provides the users with certain rights and imposes certain obligations on the entities collecting and processing the data. However, a data protection regime should not end there. It should also provide for a competent enforcement mechanism to breathe life into the protections and guarantees available to the users under a data protection regime. The Bill therefore provides for the constitution of Data Protection Authorities. Having a Data Protection Authority is, however, not a guarantee that there would be effective enforcement of the provisions of the Bill. The strength of the regulator depends on its constitution, powers and functions. Hence, we need to examine how independent our Data Protection Authority is and what its powers and functions are.
Issue: Constitution of the Selection Committee and Lack of Independence of the DPA
Chapter IX contains the regulatory architecture proposed in the Personal Data Protection Bill, 2019. The regulatory body envisaged under the Bill is the Data Protection Authority of India (DPA). The DPA is entrusted with the function of monitoring and enforcement, policy framing and standard setting, research and awareness, and inquiry and grievance handling. Further, the DPA is not a sector-specific regulator; every entity that handles data falls under the jurisdiction of the DPA, irrespective of the sector to which it belongs.
Clause 42 deals with the constitution of the DPA. The DPA, as proposed by the Bill, shall consist of a Chairperson and not more than six whole-time Members appointed by the central government on the recommendation made by the Selection Committee. The Selection Committee in turn consists of the Cabinet Secretary, the Secretary to the Government of India in the Ministry or Department dealing with Legal Affairs, and the Secretary to the Government of India in the Ministry or Department dealing with Electronics and Information Technology. Evidently, the composition of the Selection Committee raises concerns, as its members are all bureaucrats, leaving the constitution of the DPA entirely to the discretion of the executive. This is a drastic shift from the structure of the Selection Committee that was proposed by the Report of the Committee of Experts under the Chairmanship of Justice B N Srikrishna (‘A Free and Fair Digital Economy Protecting Privacy, Empowering Indians’) and the 2018 draft of the Bill.
The Report as well as the 2018 draft of the Bill had prescribed a Selection Committee composed of the Chief Justice of India (CJI) or another Judge of the Supreme Court, the Cabinet Secretary and a subject-matter expert appointed by the CJI and the Cabinet Secretary. Thus, it was a mix of executive, judicial, and external expertise. This diversity is essential for ensuring the accountability of the DPA and for preventing the DPA from becoming an extended arm of the executive. It is very important that the selection of members to the DPA happen in a fair and transparent manner as the government agencies are to be regulated as data fiduciaries under the Bill - a DPA that is subordinate to the government would allow the latter to ride roughshod over privacy concerns without any measure of accountability.
The most egregious drawback of the PDP Bill 2019 is perhaps manifested in Clause 86, where the Central Government is empowered to issue directions to the DPA. The result is that the DPA will be tethered down by this power of the government. This will significantly encroach on the independence of the DPA to function in a capacity that ensures it is free from undue governmental interference. A blanket provision such as Clause 86 will be detrimental to achieving the goal of a truly independent data protection regulator. This is especially important given the significant exemptions provided to government agencies.
Another concern regarding the constitution of the DPA is the lack of decentralisation of the DPA. The data principals contemplated under the Bill cover almost everyone and hence the number of anticipated data protection grievances is also expected to be huge. This will require the constitution of DPAs at State levels. However, the Bill envisages the creation of a regulator like the RBI or SEBI, which are centralised regulators. Access to enforcement mechanisms is a must for the effective realisation of the rights of users under the Bill.
The Bill provides under Clause 62 for the appointment of Adjudication Officers for adjudging penalties and compensations under various clauses in the Bill. While this appears to be a fair provision needed for the smooth working of the data protection regime, it has been diluted by clause 62, which states that the Adjudication Officers will be appointed by the DPA. Furthermore, clause 63 provides that Adjudication Officers can adjudicate enquiries initiated only on the complaints made by the DPA. Such provisions would inevitably affect the independence of Adjudicating Officers, and so there is a need to separate the adjudication wing from the investigation wing. Since the DPA, as we have seen above, is heavily under the control of the executive, bringing another office under the DPA would essentially affect the independence and working of the data protection enforcement mechanism.
Solution: Strong and Independent Regulatory Body
An independent data protection authority is one of the core principles of data protection. In the European Union (EU), Article 52 of the GDPR contains specific provisions to ensure the independence of the members of the supervisory authorities and mandates that all DPAs in the EU act with “complete independence” when carrying out their duties. Furthermore, the European Court of Justice has also emphasised the importance of an independent Data Protection Authority in a robust data protection framework. For instance, in European Commission v. Germany, the European Court of Justice interpreted the term ‘complete independence’ of DPAs to mean ‘a decision-making power independent of any direct or indirect external influence on the supervisory authority’.
As we state in the third principle of the Indian Privacy Code, a strong and independent regulator for data protection is crucial to ensure that the data protection rights are put into practice and enforced. The first and most important step towards ensuring the independence of the DPA is changing the composition of the Selection Committee. The composition of the Selection Committee must be made diverse, as was proposed in the 2018 draft of the Bill. Therefore, it must comprise a judicial authority, an executive authority and external members. To ensure transparency in the process for appointment of the DPA Chairperson and Members, the process must include an open call for applications. Further, to bring transparency to the working of the Committee, the proceedings of the Committee must be a matter of public record. The subject matter of regulation, personal data, is something in which both the State and private players have vested interests. Therefore, to ensure the independence of the DPA, it is essential to keep persons with vested or political interests out of the DPA. Along with ensuring the independence of the DPA, it is equally important to put some measures in place to make the DPA accountable to the public.
The DPA’s jurisdiction is very wide and it cuts across all the sectors. Hence, in order to make the DPA more accessible and avoid pendency, it is important that DPAs are set up at state and regional levels. Adjudicating Officers are an important constituent of the regulatory architecture under the Bill. Therefore, the Bill should provide for a transparent process for the appointment of the Adjudicating Officers. The appointment has to be done by independent bodies designed to select judicial officers. The power of the Central Government to give directions to the DPA will significantly dilute its independence. Hence, we recommend that clause 86 be deleted from the Bill. The provisions in the data protection law should be geared towards establishing the regulatory legitimacy of the DPA.
This is the eighth post in our series on the issues with the Personal Data Protection Bill, 2019. Read part 1 here, part 2 here, part 3 here, part 4 here, part 5 here, part 6 here, and part 7 here. Do join us next Tuesday (2nd June, 2021) as we analyse some other concerns with the Bill.
- The Personal Data Protection Bill, 2019 as introduced by the Minister for Electronics and Information Technology, Mr. Ravi Shankar Prasad
- Essential Features of a Rights Respecting Data Protection Law dated February 28, 2020
- IFF's Public Brief and Analysis of the Personal Data Protection Bill, 2019
- The SaveOurPrivacy Campaign
This post has been largely drafted by Fathima V N, who is a 2020 graduate of the National University of Advanced Legal Studies and is currently a Daksha Fellow interning at IFF with the supervision of our staff.