Data Protection Bill series: Steps for Data Protection Authority to run smoothly

The foremost recommendation is to set up a single, centralized Data Protection Authority of India.

Editor's note: The Data Protection Bill series carefully examines the various sections of the draft Personal Data Protection Bill, 2018 as laid down by the Justice Srikrishna Commission and submitted to MEITY for approval. This is Part IX of the series.

The biggest drawback of India’s existing privacy laws, in terms of Sections 43A and 72A of the Information Technology Act, 2000, was the complete lack of enforceability. The IT (Sensitive Personal Data) Rules, 2011, which were issued under Sections 43A, in fact embodied many of the privacy principles. However, without proper powers of enforcement backing the rules, they became largely recommendatory in nature. The result was that for many Indian companies, the requirement for reasonable security practices and other privacy-related rules went unimplemented.

 Data Protection Bill series: Steps for Data Protection Authority to run smoothly

Representational image.

To have this replaced with a full-fledged enforcement mechanism and a Data Protection Authority under the Personal Data Protection Bill, 2018 is thus a welcome step forward. More provisions, however, are required under the Bill to ensure transparency in the establishment and functioning of the DPA.

Setting up a DPA in India

The foremost recommendation is to set up a single, centralized Data Protection Authority of India (DPA) under Section 49 of the Bill. The DPA has been granted a wide range of powers, including in relation to monitoring and ensuring compliance with the law; dealing with legal affairs, policy and setting of standards; and conducting research and promoting awareness. It is good to note that promoting awareness among data principals as to privacy and their rights has been made a priority. In particular, a Data Protection Awareness Fund is to be created for this purpose under Section 77.

The DPA will be taking a number of crucial decisions, such as establishing lawful grounds of processing, determining when a data breach should be notified to the people, determining if the law has been violated, classifying entities as significant data fiduciaries, identifying new categories of sensitive data, and awarding data trust scores. This will, thus, play the most significant role in ensuring the proper implementation of the data protection law and thus in upholding the people’s right to privacy.

Ensuring transparency and accountability

Given the significance of the DPA’s role, ensuring transparency in the establishment and functioning of the DPA is thus essential. It is for this reason that several persons raised issues with the constitution of the DPA, to ensure that its members would represent a wide range of stakeholders. The Bill, however, provides no clarification on thisit merely specifies the qualifications of the persons to be appointed.

Further, more provisions in the Bill are required to establish transparency in the decision- making process of the DPA. The current requirements include, for instance, the need to file reports of accounts and audit to the government, the requirement to furnish returns to the Government on proposed programmes for the development of data protection, requiring rules framed under the law to be laid before Parliament and so on. These provisions largely ensure the accountability of the functioning of the DPA to the government. Such provisions need to be backed up with provisions ensuring accountability of the DPA and the government to the public.

Need for public consultations and publication of reasons

For instance, under the requirements for cross-border transfer of data under Section 41, the Authority has the power to approve the standard contractual clauses required for the transfer. The Central government and the Authority together can also determine countries or sectors in other countries to which transfers are possible. However, the reasons behind these decisions have not been required to be made public. The Bill, under Section 60(2) only gives the DPA the option to make such information public, when it deems it to be necessary in public interest.

Better transparency needs to be ensured through the publication of (at least) the important decisions of the DPA. Further, public consultations should be required, allowing greater public participation and an opportunity to judge public sentiment before decisions are taken.

Public consultation and DPA approval for new laws

Additionally, the Bill, in several places, allows processing of data and sensitive personal data in compliance with the law. Under Section 60(2), the Bill requires the DPA to advise the Parliament and the Central and State governments on measures required to ensure the protection of the data. This needs to be backed up by requiring laws that have important implications for privacy to be approved by the DPA as well. This approval must also include a public consultation.

Consider, for instance, the DNA Technology (Use and Application) Regulation Bill, 2018, which was recently introduced in Parliament and has major implications for privacy. Governmental programmes which have major privacy implications must also undergo the same process. This can ensure some security before mandatorily enrolling people into a process with major privacy implications, as was done for Aadhaar.

Enforcement mechanism and adjudication procedures
In order to support the DPA in its adjudicatory functions, the Bill sets up the following process. In case of a complaint, the data principal must first directly approach the data fiduciary for remedying his issue. Data fiduciaries are required to establish grievance redressal mechanisms under Section 39 of the Bill for this purpose.

As discussed in Part VII of the series, there is a limit to the rights granted to a data principal, thus preventing him from requiring the fiduciary to take certain actions like deleting his data. Despite this, the ability to file a grievance allows the data principal to require the data fiduciary to comply with the law. However, if his grievance is not redressed properly, a data principal can approach the adjudication wing of the DPA, consisting of Adjudicatory Officers to be appointed under Section 68 of the Bill. Thereafter an appeal will lie to the proposed Appellate Tribunal constituted under Section 79. Appeals from the Appellate Tribunal lie directly with the Supreme Court.

The Bill does not clarify if the adjudication wing can be approached directly for any complaints, indicating that all complaints must first go the data fiduciary directly. A key factor that was brought up in the White Paper but did not make it to the Bill was possibility of filing class action suits. Permitting class action suits would have been a welcome step, given the scale at which data breaches can happen today.

Achieve public trust in the DPA
Despite the flaws in the enforcement process which need to be addressed, to have a formal Data Protection Authority set up in India is a welcome step. Hopefully, changes will be made to the final Bill to ensure greater transparency and accountability to the public. Particularly in relation to privacy, the trust of the people in the DPA is essential, and such provisions can go a long way in achieving that.

The next part of the series will deal with the penalties and offences under the Bill.

Part I: Quick overview of India's draft data protection law

Part II: Understanding jurisdiction within and outside the country

Part III: The importance if defining personal data

Part IV: Data protection obligations on data fiduciaries

Part V: Standard of consent and processing of data

Part VI: Non-consent based processing by state and non-state actors

Part VII: A person's right over data is compromised in the bill

Part IX: Transparency and accountability required for data fiduciary.

The author is a lawyer specializing in technology, privacy and cyber laws. She is also a certified information privacy professional.

Welcome to Tech2 Innovate, India’s most definitive youth festival celebrating innovation is being held at GMR Grounds, Aerocity Phase 2, on 14th and 15th February 2020. Come and experience an amalgamation of tech, gadgets, automobiles, music, technology, and pop culture along with the who’s who of the online world. Book your tickets now.