The Data Protection Authority can lay the foundation for a solid digital economy

The Joint Parliamentary Committee must take cognisance of the far-reaching impact of these issues and lay the foundation of a robust institution that is transparent, competent, independent, predictable and not overzealous in its rulemaking

Authors: Aparajita Bharti & Nikhil Iyer
Published: October 12, 2021 in the Hindustan Times

The Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill, 2019 is back in action. Twenty-one months after it was set up, the JPC is reportedly drafting a fresh report under the newly appointed Chairperson PP Chaudhary.

This is an opportunity for the JPC to take a fresh look at the proposed Data Protection Authority (DPA) under the Bill, whose structural independence and functional competence will be central to India’s data governance and will have huge ramifications for the growth of India’s digital economy.

According to the 2019 draft of the Bill, the DPA is proposed to be a seven-member body appointed by a “Selection Committee” composed solely of three top-level central bureaucrats. The Centre has a virtual monopoly on appointments to the DPA and can also remove any member on various grounds. The absence of any representation on the Selection Committee, either from the judiciary, as the Justice Srikrishna Committee had suggested, or from the Opposition, exacerbates the influence of the central government. Most worryingly, the central government can issue binding directions to the DPA under clause 86, which many have rued as eroding any semblance of independence enjoyed by the DPA.

From an industry perspective, the potential for the central government’s interference does not bode well for policy certainty and ease of doing business. Given the present structure, the government’s political dispensation is likely to influence rulemaking by the DPA, which will affect stakeholder confidence and investor sentiment over time.

This becomes even more relevant as the DPA is charged with functions which can change the scope of data regulation significantly through executive action, without bringing these debates to Parliament. For instance, the DPA can issue regulations specifying “reasonable purposes” for processing of personal data without consent, mechanisms for taking consent, codes of practice to promote compliance, security safeguards and transparency requirements to be implemented by businesses, and so on. In addition, it will also conduct inquiries upon receiving complaints and take appropriate action under the Bill, in effect acting as a quasi-judicial body.

While this delegation of power is necessary to ensure regulation keeps pace with technological innovation, the Bill lacks a clearly defined consultation procedure for issuing new regulations and directions. Clause 50 in the Bill mandates that the DPA hold consultations with sectoral regulators and other stakeholders before specifying codes of practice; however, no such corresponding requirement exists for other regulations and directions.

Also, since consultations can sometimes be performative in nature, we need a well-defined procedure to make consultations more transparent, such as publishing the inputs received. The DPA should also provide a detailed rationale for new rules and directions and publish its orders to record its reasons and develop data governance jurisprudence over time. This will help organisations in the data ecosystem to bake these aspects into their “Privacy by design” principles over time.

Finally, the DPA in its current form is expected to micro-manage the implementation of the Bill and is overburdened with routine functions. For example, one of its key functions is to monitor cross-border transfers of personal data. Each transfer of sensitive personal data outside India by a data fiduciary must be approved by the DPA, even if the data principal consents to such transfer and processing. These transfers may be done pursuant to a contract, an intra-group scheme, or otherwise be allowed by the DPA for any specific purpose. This oversized role for the DPA is anachronistic in today’s globalised world, where businesses regularly transfer data across jurisdictions to innovate and develop their products. It also downplays the vitality of individual consent, which is seemingly the bedrock of the PDP Bill, 2019.

Instead, the DPA can publicise and encode best practices in the Codes of Practice for intra-group cross-border data flows, which can organically become an industry practice, and take action only in cases of violations.

In 2019, India was in the 48th percentile out of 214 countries in the World Bank’s Regulatory Quality Index, posing questions on its ability to “formulate and implement sound policies and regulations that permit and promote private sector development”. A weak Data Protection Authority, a likely super-regulator given the size and scale of data usage across industries, can further risk India’s reputation in this regard.

The Joint Parliamentary Committee must take cognisance of the far-reaching impact of these issues and lay the foundation of a robust institution that is transparent, competent, independent, predictable and not overzealous in its rulemaking.