Will India's proposed data protection regulator have enough powers as global peers?

Representative image

The powers of India's Data Protection Board (DPB) proposed under the draft Digital Personal Data Protection (DPDP) Bill "seem to be very limited and vague" when compared to legislations like the European Union's General Data Protection Regulations (GDPR) and the UK's Data Protection Act, said legal experts.

In the draft DPDP Bill, the DPB is proposed to be the first regulatory body responsible for protecting the privacy of citizens. The board will have the power to determine non-compliance and impose penalties. However, the power to make rules regarding the bill's provisions will remain with the Union government.

"The skeletal nature of the DPB is in sharp contrast to the EU-GDPR where the role of the supervisory authority is clearly laid out and which goes beyond the mere imposition of penalties for non-compliance," said Avimukt Dar, partner at IndusLaw, adding that since the central government is empowered under the DPB to prescribe further powers to the board, a more holistic comparison will only be possible once the law is notified.

“The DPB is less independent than comparable regulators in Europe and the US. They are appointed by the government and serve at the government's will. However, they are required to comply with natural justice and in my view, DPB might be a quasi-judicial body. High Courts would have supervisory jurisdiction over it," Mathew Chacko, partner at Spice Route Legal told Moneycontrol.

Dar from IndusLaw explained that in EU-GDPR, the board has the power to monitor and enforce the application of the law, investigate complaints of breach of the provisions of the EU-GDPR; monitor relevant developments in context to impact on the protection of personal data and so on.

The supervising authority in the EU also has the power to issue warnings, reprimands, and impose bans on the processing of data etc, in addition to the imposition of penalties/ fines for non-compliance, Dar said.

The powers of the regulator in the UK's Data Protection Act are also similar to that of the EU-GDPR and are laid out clearly.

"Further, the Protection of Personal Information Act, 2013 (“POPI”) of South Africa, also clearly lays out the role of the regulator (supervisory authority) leaving very little scope for any ambiguity," he added.

In the previous versions of the bill, the regulatory authority responsible for dealing with the provisions of the data protection bill was referred to as the Data Protection Authority. However, in the DPDP Bill, the name has been changed to Data Protection Board.

Moneycontrol asked legal experts whether the change in name holds significance. The opinion is divided.

"While the DPB has been vested with a few additional powers, particularly in connection to breaches involving personal data, the powers and duties are largely unchanged compared to its predecessor – Data Protection Authority," Rishi Anand, partner at DSK Legal said.

"Given that the powers and functions are broadly the same in substance and the government still has the authority to determine its composition, the name change may not be notably significant from a governance perspective," he added.

However, Dar of IndusLaw disagrees.

"While seemingly innocuous, the change in the name of the Board from the Data Protection Authority (as stated in the earlier draft data protection bills in India) to the Data Protection Board, may indicate a shift in how the Executive views the Board," he said.

In the previous drafts of the data protection bill such as the Personal Data Protection Bill 2019 or 2021, the composition of the proposed data protection authority was laid out clearly.

However, in the current DPB, the composition of the Board, process of selection, terms and conditions of service of appointment and service of members of the Board etc, are to be prescribed by the government.

"Given the simple drafting of the DPDP Bill, further clarity on the composition and powers will come by way of rules which may be prescribed once the DPDP Bill is enacted," Anand of DSK Legal said.

"So long as the proposed data protection board is composed of technical and legal experts and functions in the ‘digital by design’ manner envisaged under the DPDP Bill, it is unlikely that the composition of the board will hold any specific concerns," he said.

Dar called for transparency in the process of selecting and appointing the members to the Board.

Comparing the selection process in other countries, Dar said, "This principle (of transparency) has been laid out in the EU-GDPR, and also guides the appointment of the members to the regulator under the POPI (South Africa).

"One of the ways in which such transparency in the context of the DPB can be achieved is by provisioning for some involvement of the Parliament in the affairs of the Board, (such as fixing the salaries of the members of the Board may be entrusted to the Lok Sabha) and ensuring that there isn’t an over-concentration of powers in the hands of the central government," he added.

"The global counterparts, especially the EU DPAs, have been notably tough on data fiduciaries for unlawful processing of personal data and have taken a proactive approach to safeguard the citizens' right to data protection. The Board should also discharge its duties while keeping in mind the principles on which the DPDP Bill has been framed and citizens' right to the lawful processing of their personal data," Anand of DSK Legal said.

Dar of IndusLaw said that the Board must keep itself abreast with the technological developments relevant to the field of data protection, given the ever-increasing sophistication with which data breaches occur.

"Global best practices can also emerge with deep engagement with experienced regulatory bodies. For instance, both the SEBI and the CCI are active in international regulatory conferences where they learn from and influence their global counterparts," he said.

He also called for speedy identification of data breaches. "To this end, the Board should have powers of sending warnings in the event of any non-compliance, recommending urgent remedial measures etc, instead of just being restricted to imposing penalties on individuals and businesses," he recommended.

"This will also reduce any unnecessary intimidation of businesses at the hands of the Board and send out a positive message to the industry that the Board is not a punitive body, but a corrective body, whose ultimate goal is to ensure lawful and sustainable processing of personal data in India," Dar added.