In many ways, the draft Personal Data Protection Bill, 2018 proposes to introduce concepts that were thus far non-existent in the sphere of data protection in India. One of these is establishing a specialised authority, viz. the Data Protection Authority of India to act as a watchdog for the overall supervision and administration of the data protection regime in India. On the face of it, this is a rather palatable proposition. However, a deeper review of the role of the authority reveals several pitfalls and raises numerous questions, which this article aims to highlight.
The bill appears to delegate numerous powers and functions to the data protection authority. There are almost 26 items listed in the bill, which includes functions such as (i) monitoring and enforcing provisions of the Act, (ii) specifying various standards, criteria and categories that are currently uncertain, (iii) monitoring the cross-border transfer of personal data, (iv) issuing codes of practice, (v) receiving and handling complaints and (vi) conducting inspections of data fiduciaries. On close scrutiny of these items, it appears that the authority is vested with wide-ranging powers that are broadly legislative, administrative and judicial in character.
This is not the first time when an authority has been vested with abundant powers and functions at the very outset. When the Telecom Regulatory Authority of India Act, 1997 (TRAI Act) was enacted, the Telecom Regulatory Authority of India (TRAI) was also entrusted with both regulatory and adjudicatory functions. However, with the passage of time, it was felt that due to this reason, the regulatory functions of TRAI were being compromised, and accordingly, its judicial power was curtailed by amending the TRAI Act in 2000, which was passed through the ordinance route by the government. As a result, an independent body known as the Telecom Disputes Settlement Appellate Tribunal was established to adjudicate disputes.
In its white paper, the expert committee on the data protection bill had deliberated on the roles performed by similar authorities in different jurisdictions. It noted that the authorities in several countries including the United Kingdom, Canada, South Africa and Australia chiefly perform the functions of generating awareness, providing advisory services and setting standards. However, it finally adopted the position under the European Union’s General Data Protection Regulation that inter alia empowers the authority to impose administrative fines.
As a separate matter, a provision in the bill also empowers the Central Government to issue directions to the authority from time to time on questions of policy and the authority is bound by such directions. While the bill enables the authority to express its views before any such direction is issued, it is uncertain whether this can happen at a practical level. Will the government consult the authority before it intends to pass a direction? The bill is silent on these aspects. It also states that the government’s decision on the question of policy shall be final. This single provision may jeopardise the very independence of the authority as well as the objective that the bill intends to achieve.
In our view, the scope of the authority and the activities it performs need to be reconsidered from the standpoint of the ‘doctrine of separation of powers’ as enshrined in the Constitution of India. If the bill is enacted in its present form, the authority will have to consistently strive to carefully ensure a demarcation between its regulatory and judicial functions. Considering that the public consultation with respect to the bill is currently underway, there is an opportunity to make suitable amendments to it before it is enacted.
This is the second in a five-part series that analyses the latest data protection bill.
Harsh Walia is an associate partner at law firm Khaitan & Co. based in Delhi.