Data Protection Authority: The cornerstone to implement data privacy
Countries across the world are finally recognising the value of their citizens’ data - and that recognition involves the establishment of laws and institutions to safeguard databases from misuse. As data privacy is being heatedly discussed by governments, businesses, data principals and academics, more consensus pertaining to protecting data is emerging on an international forum. Hence, the question-of-the-hour is - what is the best mechanism to ensure our country succeeds at protecting its personal data?
In order to enforce ambitious regulations such as the General Data Protection Regulation (GDPR), countries need a Data Protection Authority to supervise and assist in the process of compliance. European Union members have a national supervisory authority, and all these authorities together comprise the European Data Protection Board.
Whilst the GDPR clarifies the necessity of having a national independent authority which is vested with powers to protect the personal data of individuals and organisations, other countries are also keen to set up similar regulators. Since data protection is a relatively novel topic of discussion, there are important questions that countries should ask themselves at the time structuring their Data Protection Authority.
One such question is determining the scope of the authority - for instance, it is established that the authority will address security breaches in terms of the data protection laws in the country, but there is a lack of discussion around how the authority can prevent breaches before they happen, and incentivise the process for overall compliance with data protection rules.
India and data protection authorities
In India, the Draft Personal Data Protection Bill (2018) makes a distinction between personal and non-personal data, wherein personal data is that which allows an individual to become identified – either directly or indirectly.
Another category is that of ‘sensitive personal data’ – pertaining to data that falls under the ambit of religion, political views, caste, biometric and financial data, transgender status, sexuality etcetera.
Sensitive personal data has previously been highlighted in the Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011 – in which rule 3 specifies sensitive personal data which relates to ‘passwords, financial information such as bank account or credit card or debit card or other payment instrument details, physical, physiological and mental health conditions, sexual orientation, medical records and history and biometric information’.
Ideally, the government can focus from preventing the misuse of sensitive personal data by setting up guidelines in terms of data sharing – when sensitive personal data of individuals is moved around and sold from one company to the other, it creates the problem of it being monetized to send users targeted ads.
Another point of discussion is the process of appointment of the Data Protection Authority. There is great skepticism because the process may be independent of the government to the point that the authority is appointed by members of the judiciary, but there is still a possibility of the Union Government interfering as they devise a pool of experts that the selection committee ultimately gets to choose from. In India, the Justice Srikrishna Committee recommended that the salaries of the Data Protection Authorities be determined by the Union Government. These determinants raise concerns regarding the level of “authority” the data protection authorities truly have.
Another question that India has to grapple with is compliance with Article 45 (2) (b) of the GDPR, which requires “independent supervisory authorities” to ensure and enforce data protection rules. Since there does not seem to be a clear ceiling on the re-employment of data protection authorities, it will be difficult for India to be entrusted with cross-border flow of data from other countries - as the Data Protection Authority will not be seen as independent and adequate.
Furthermore, it is unclear how the role of the adjudication officer will unfurl in the grand scheme of the Data Protection Authority. It seems that India can anticipate some stepping on toes by the division created within the DPA, with the adjudication of complaints being handed over to the adjudication officer, and the inquiries of the data fiduciary lie in the domain of the authority. The appointment of the adjudication officer is vaguely outlined, and awards powers of appointment to the Union Government solely.
It would be relevant for the Data Protection Authority to coordinate with his/her counterparts internationally. This would help India become part of a global community which collaborates to prevent data breaches, and learns from each other’s mistakes and successes.
Global challenges in the functioning of data protection authorities
In the Netherlands, there exists a comprehensive strategy for data breach notifications which has been worked upon by the country’s Data Protection Authority since 2016. The DPA had a long debate on where to set the threshold for the notification of a data breach - since it would be impossible for them to monitor each minor data breach. The time taken for review is immense and would require more trained professionals to be part of the review team. However, it was ultimately decided that all notifications would be considered and no threshold would be set.
In the following year, the number of notifications increased since there was greater understanding of the benefits of and ways to report data breaches. Interestingly, they noted that a majority of the breaches actually occurred in the public domain - translating to the fact that local authorities are not careful of how data is transferred; as well as in the health sector which faces a problem of arbitrary transmission of sensitive data (such as medical records).
A landmark instance was when the Data Protection Authority of Romania asking the RISE Project to reveal its sources on articles published related to corruption charges involving a road construction company and a politician. The Data Protection Authority declared that if the RISE Project failed to answer the set of questions posed to it, then it would be made to incur a heavy fine of up to €20 million. The European Data Protection Board (EDPB) responded to a letter by civil society organisations, stating that this is an internal national matter. Authors of the letter pursued the EDPB to clarify its position on Article 85 of the GDPR - which instructs member states to balance the right to protection of personal data with the right to freedom of expression and information, including processing for journalistic purposes, and the purposes of academic, artistic or literary expression.
China has a central internet regulator called the Cyberspace Administration of China, which was established only in 2014. It is headed by the chair, who is President Xi Jinping and Premier of the State Council, Li Keqiang, serves as the vice-chair. It handles all internet security-related matters, and participates in a series of strategic partnerships and roundtables with other countries. However, it is uncertain whether it will manage to establish relationships with the data protection authorities of other countries in the future, given that it is not an autonomous institution, and is operated by the government.
Ultimately, it is clear that data protection authorities need to be provided with the resources and space by countries in order to bring cyberspace security as envisaged in Data Protection Acts to fruition. Constant government interference and overburdening the appointed data protection authorities will only lead to greater security breaches, and a reduction in cross-border flow of data, since other countries will be distrustful of the authorities who cannot function independently.
In a future which respects privacy, and holds the protection of personal data in the highest regard, countries need to invest in creating and supporting offices of data protection authorities who will see the challenge through, and collaborate with their counterparts in other countries.
(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of YourStory.)
(Edited by Suruchi Kapur- Gomes)