Deconstructing the complexities and contradictions of PDP Bill’s Data Protection Authority
The Personal Data Protection Bill (PDP), first presented to the Parliament in 2019, is a landmark legislation meant to regulate how companies and organisations utilise an individual’s data in India. The 2019 draft of the bill proposed the formation of the Data Protection Authority (DPA), an apex body with wide-ranging, discretionary and ambiguous powers. These include expanding the parameters and defining what “sensitive personal data” is; creating and enforcing codes of practice to facilitate compliance with the Act; and issuing any directions to data fiduciaries which will be binding in nature.
Thus, the DPA represents an interesting conundrum. On the one hand, its powers are almost legislative in nature. This gives it oversight and control over all compliances expected of companies. On the other hand, given its composition, selection procedure of its members, and lack of financial autonomy, there is a risk that it may be trapped by the Central Government in political considerations and cross currents. Constant consultations with the Central government will hamstring the independent nature of this body.
With the Joint Parliamentary Committee (JPC) scrutinising the bill and its provisions, the time is ripe to deconstruct this bill and examine its implications. The Quantum Hub (TQH), in partnership with YourStory, is holding a series of panel discussions titled Reshaping India’s Data Landscape: The Data Protection Bill, 2019. The first panel discussion, held on August 7, featured keynote speaker Dr Amar Patnaik, MP – Rajya Sabha and Member, Joint Parliamentary Committee on the PDP Bill, 2019. The speakers were Nikhil Narendran, Partner, Trilegal; Arpit Gupta, Senior Associate, Ikigai Law and Suyash Rai, Deputy Director, Carnegie India. The session was moderated by Aparajita Bharti, Co-founder, TQH. You can watch the discussion here:
Here are some of the highlights from the discussion.
Composition of the DPA
The DPA will consist of six members, including one member with a legal background. However, Dr Patnaik pointed out that the proposed size of the DPA is insufficient to handle the vast powers that the DPA is envisaged to have, especially given the size of our country. Furthermore, the task of creating codes of compliance and then monitoring them would be a herculean task even if the members were doubled.
Flaws in functionalities
With the introduction of the 2019 draft bill, questions have arisen over its functional competence. Not only does the DPA have to exercise law-making power, but also has to monitor compliance, receive complaints and resolve these disputes. It also has various burdensome administrative duties, such as to approve each contract or intra-group scheme for cross border transfer of sensitive personal data by data fiduciaries. The panellists suggested that business-as-usual cross-border transfers which companies engage in can be instead settled through industry codes of practice over time, however it may cause delays and disruption before things settle. A more relaxed regime is required for these routine transfers of data to ensure smooth functioning of global firms.
The panellists also discussed a significant flaw in the powers of the DPA – defining what sensitive personal data might be, in consultation with the Central Government. Suyash stated that actions like these make the DPA more powerful than many other regulators (such as RBI, TRAI, CCI), allowing it to set or stretch the boundaries of how the PDP Bill could be applied.
Another flaw discussed by panellists was the significant lack of transparency in the DPA’s processes. Panellists opined that the Bill should mandate consultation procedures before the DPA issues any directions or regulations. Similarly, it should proactively publish annual reports on enforcement actions and the rationale for decisions taken. This would help the DPA build credibility and earn the trust of the various stakeholders.
Ikigai Law’s Arpit spoke about the complicated processes of the DPA, wherein there are two different adjudicatory processes – filing a complaint to the DPA which is then referred to the Adjudicating Officer and where the complaint is directly filed with the Adjudicating Officer. This can cause problems as people may initiate complaints through both routes.
Role of the Central Government
The bill proposed in 2018 stipulated that the selection committee (who would create the DPA) included the Chief Justice of India (CJI). The current version does not include the CJI.
This cuts to the very heart of the matter – the contradictions of the DPA. Although the body is endowed with legislative powers, it is also hampered by its dependence on the Central Government. This closely intertwined relationship may also influence the decisions taken by the DPA. Trilegal’s Nikhil pointed out that the salaries of the committees will be decided by the Central government, creating a significant conflict of interest for members of the body. He also stated, “a Central government dispensation that wants to go after a tech company can do so through the DPA. This will bear in mind any investor coming to India.”
The panel went on to discuss the inclusion of the judiciary and members of the opposition to balance out the skewed nature of the DPA.
Suggestions and potential reforms
In addition to addressing the complexities and contradictions of the bill, the panel also put forth potential solutions to mitigate these issues. For instance, the DPA should mandatorily consult with stakeholders, before notifying any regulations under the bill. Dr Patnaik also shared that he has submitted to the JPC that Clause 86 (binding orders by the Central Government) be deleted. Suyash shared that the number of functions that the body had to handle was overwhelming. One solution would be to publicise and encode the best practices, which would organically become an industry practice. He also suggested the DPA may involve consent managers and data auditors in implementing the provisions of the Bill.