India seems increasingly ready to enact comprehensive privacy legislation to protect its consumers' data. The Joint Parliamentary Committee set up to examine the Personal Data Protection Bill, 2019 is likely to release its report by the winter session of Parliament in December this year, and the Narendra Modi government is expected to try to ensure the Bill is passed in the next budget session. It is therefore important to consider the regulatory and bureaucratic apparatus that will protect the data of Indian consumers for the next few decades.
The enactment of the Bill will create the Data Protection Authority, which will be one of the most powerful independent regulators in India. This is significant since Indian government bodies traditionally suffer from low capacity. While a number of independent regulators have been set up in the Indian economy since the 1990s, their functioning in most cases has left a lot to be desired. In order to ensure that the Data Protection Authority (DPA) is a successful regulator, we need to carefully consider how it can effectively operationalise different aspects of its mandate with the least amount of state capacity.
The DPA differs from other regulators because it has been given the mandate to regulate the use of data across multiple sectors, such as banking and capital markets, and across entities ranging from social media companies to local grocery shops. The DPA will have to prioritise and allocate its resources carefully in order to perform its functions effectively. In this article, we outline a few strategic choices by which the DPA can do so.
First, the Data Protection Authority should follow a risk-based approach that is implicitly present in the Bill. For example, in many places, the Bill requires the DPA to consider the risk of harm to consumers while framing regulations. Additionally, the Bill categorises data into personal data, sensitive personal data, and critical personal data to differentiate the varying levels of risks that emanate from the misuse of data. Finally, the Bill creates a differential level of regulation between ordinary firms that use data, significant data fiduciaries, and small entities. These point to the fact that risk-based regulation must be inherent to the DPA’s strategic approach.
Within this overall framework, the DPA can prioritise its resources by focusing on the processing of sensitive and critical personal data, and by overseeing significant data fiduciaries. This will allow the DPA to first build capacity in the areas that pose the greatest threat to consumers, rather than spreading its limited resources across all sectors of economic activity. The DPA can further sharpen its focus by setting a low bar for exempting small entities. This will allow it to direct its regulatory capacity towards firms that pose a larger risk to consumers because they collect and process large volumes of data.
Harnessing existing resources
Second, the DPA must rely on existing sources of expertise within the government and industry. While this applies to all regulatory authorities, the wide mandate of the DPA makes it imperative. Relying on pre-existing expertise for setting standards and formulating codes of practice, on issues such as notice and consent requirements, will allow the DPA to focus on its oversight and enforcement functions. For example, the Bill allows the DPA to enter into a memorandum of understanding with sectoral regulators. These memoranda should include provisions that allow the sectoral regulator to provide periodic information and inputs on privacy standards, data protection concerns, emerging risks from the use of personal data in their sectors, and sectoral best practices for data protection. The memoranda should also provide for a consultative mechanism covering all DPA regulations and codes of practice that will apply to firms regulated by the sectoral regulator.
In addition to this, the DPA can seek the existing expertise of sectoral regulators in formulating its monitoring and enforcement strategies for such sectors. The DPA could also work with sectoral regulators in discharging its statutory duty to spread awareness related to data protection.
In addition to other regulatory bodies, the DPA must also rely on industry and experts for formulating codes of practice. Instead of formulating these on its own, the DPA can devise mechanisms through which it ensures that the formulations are developed by relevant stakeholders. The DPA should optimise its resources by ensuring that all relevant stakeholders are involved in this process, and that this process of formulation is evidence-based and deliberative. In order to do so, it can create advisory bodies for different sectors of the economy. These should consist of members from the industry, academics, and other stakeholders, appointed on a rotational basis.
While the DPA can build the technical expertise to perform these functions itself over time, relying on stakeholders and experts would free up capacity to follow global best practices in other aspects of the DPA's work, such as oversight and enforcement. This would greatly add to its efficiency and, consequently, its success.
In order to be an effective regulator, the DPA must ensure it optimises its limited resources strategically so as to harness existing capabilities for protecting consumer data. It should consider some of the strategic choices discussed above while it develops the skills and capacity for regulating the use of data across the Indian economy.
Shivangi Tyagi is a research analyst at Carnegie India. Anirudh Burman is an associate fellow at Carnegie India. Views are personal.
This article is part of a series examining The Geopolitics of Technology in partnership with Carnegie India, leading up to its virtually held Global Technology Summit 2020 from 14-18 December 2020. More details about the summit are available here. ThePrint is a digital partner.