Protection from whom?
Basically, personal data is collected and processed by (i) state actors, ie central and state governments and their instrumentalities; (ii) non-state actors, ie private organisations providing services, social media intermediaries, e-commerce entities, big tech companies and employers; and (iii) other citizens.
The central and state governments are one of the largest data fiduciaries (who collect, hold and process data) in a wide array of state activities such as national security, welfare administration, subsidies, provision of municipal services and employment benefits etc. Similarly, in the age of big data, non-state data fiduciaries such as social media intermediaries like Facebook, Twitter, YouTube and giant e-commerce platforms also collect large amounts of personal data on a day-to-day basis. Citizens have also greater access to personal data of fellow citizens through the internet.
It’s well-known that the maximum number of cases filed in the SC or high courts for infringement of citizens’ fundamental rights is against the state. It’s only recently that citizens have run to courts to enforce their privacy rights against big tech companies, e-commerce platforms and retail marketing corporations. Hence, it’s quite likely that even in case of the proposed new data law, it’s the state against which citizens would approach the courts for enforcement of his/ her fundamental right of informational privacy.
Traditionally, fundamental rights adjudication has been the domain of constitutional courts. Now, with the proposed bill, a significant part of this judicial function, ie regulation of informational privacy of citizens, is proposed to be transferred to a Data Protection Authority (DPA). In the Puttaswamy case, the SC instructed the government to pass a law which would regulate informational privacy not only from non-state actors but also from the state parties and other individuals.
Maintaining a balance between informational privacy and the development of a strong digital economy is a truly challenging task, requiring a qualified and neutral body at the helm. A core judicial task with the DPA would be to penalise governments and even suspend their operations when they fail to protect an individual’s personal data.
In light of the critical adjudicatory role of the DPA to regulate not only private parties but also the central government itself, there’s a necessity to set up a DPA independent of the central government which can implement the Personal Data Protection Bill in an unbiased manner. It cannot appear to be under the direct command and control of the central government.
The current design of the Bill gives a wide range of powers to the central government, as if it’s the central government’s responsibility alone to safeguard the informational privacy rights of citizens. For instance, the members of the DPA are appointed by a committee comprising officers of the central government instead of a judicial or bipartisan parliamentary body or panel. The design of the Bill effectively leads to central government regulating itself.
This design will also adversely affect the federal structure of the Constitution. For instance, a complaint filed against the Chief Minister’s Office for data breach will be decided by a body appointed by the central government as to whether such a breach took place or not and if held to be so, what would be the punishment or quantum of fine/ other penalty.
Similarly, the Bill empowers the central government to decide if an event or incident arising in a remote location in a state is an issue of ‘public order’ or not and therefore, requiring ‘exemptions’ from application of the various safeguard conditions. This cannot be allowed as it creates fertile grounds for data hegemony by the Centre and a massive concern for federalism.
Similar central overhang is seen in Sections 15, 33, 35, 44, 86 and 91 of the proposed Bill. Such powers should vest solely with an independent DPA which must be the primary rule making body under the Bill.
The DPA must therefore be established not as a regulatory body appointed by the central government but as a quasi-judicial independent body having judicial representation and should be subjected to only judicial oversight and monitoring and not executive supervision as envisaged in the current Bill.
Similarly, there’s an overarching need for a decentralised DPA structure with state bodies and bodies at the district level like the Consumer Protection regime and to a certain extent, the Right to Information regime. Mere copying and pasting the regime paradigms of the Competition Commission of India, or the TRAI or even the Income Tax and Central Excise or GST Appeal will not do. In fact, given the overarching and overwhelming role of the DPA as an umbrella regulator over the sectoral regulators, there is a greater need to make it not only independent and competent, but also efficient and effective.
It’s important that the government heeds to these recommendations seriously. India can unlock its true digital potential as a data market only with an independent DPA, and not by a regime that irreparably harms our constitutional values and citizens’ right to informational privacy.
(The writer is BJD MP (Rajya Sabha) and a former CAG civil servant.)