Data protection and a regulatory crossroads

It is not clear whether the proposed Data Protection Board is a repudiation of India's recent regulatory experience or an improvement on the present arrangement

The Digital Personal Data Protection (DPDP) Act, 2023, came into effect two weeks ago. This is an Act “to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes”. This latest development in the Indian regulatory apparatus needs to be located in the Indian experience and regulatory theory.

In the field of data protection, there are two sources of threat to the individual: The state and the corporations. In India, there are no protections vis-a-vis the state, and that is a separate debate. The term “data fiduciary” is used to designate entities that have data about individuals and are expected to be fair in their dealings. Embedded in this is the danger of a market failure that is called “asymmetric information”, where the individual is unsure and unable to ensure that the data fiduciary will not use the data in ways that cause harm to the individual. The DPDP Act is established to coerce firms to not inflict harm upon individuals.

In this analysis, there were three choices for policymakers. The first idea is to do nothing, and accept a certain amount of market failure, in exchange for having no state failure. The second pathway is to lead with regulatory interventions in this field by a government department. The third pathway is to set up a full-blown regulator to engage in detailed regulation of the activities of firms that have data about individuals.

Early drafts of this law had envisioned a full-blown regulator, with powers to make binding regulations; executive powers of supervision and enforcement of actions; and quasi-judicial powers to assess compliance with the law by regulated entities. That regulator had jurisdiction over lakhs of consumer-facing firms having databases with information about their customers. This proposal was widely criticised as there were criminal sanctions in the law, and as the Indian experience on building regulators has been mixed. Regulators worldwide (“Type 1 regulators”) are problematic in that they violate the “separation of powers” doctrine in fusing legislative and executive functions. Some regulators in India are “Type 2 regulators”, they carry this one step further, fusing all the three branches of the state — the legislative, executive and judicial branches — with predictable consequences.

The final DPDP Act provides for the establishment, powers, functions, and procedures to be followed by the Data Protection Board (DPB) of India. A significant feature of this law is that the DPB is primarily an adjudicatory body. This is a restrained design, which is more respectful of the separation of powers.

It is interesting to glance back into the Indian journey on these questions. Recognising that the normal working of the executive branch (i.e. within a department of government) faces constraints and limitations in speedily addressing market failure, in a conscious departure from the doctrine of separation of powers, the Indian parliament decided in the early 1990s to create a new type of agency empowered to legislate as well as enforce the legislation. Thus was born the idea of a Statutory Regulatory Authority (SRA). The establishment of SRAs, distinct and separate from the government, was an integral part of the economic reforms in India until now. Numerous SRAs have sprung up, which exercise oversight over a range of sectors including finance, infrastructure, competition, insolvency & bankruptcy, food, and real estate. These SRAs are entrusted with responsibilities and empowered to intervene ex-ante.

India’s experience with these SRAs has created an enormous body of knowledge that has understood their failings and has proposed solutions. The big takeaway from this experience is that improving conventional SRAs is a superior solution compared with placing functions in the traditional government department.

While section 28(1) of the new law provides that the Board shall function as an independent body, this is not reflected in the rest of the Act. The chairperson and members of the Board as per the statute will only have a (renewable) two-year tenure. Moreover, as per Section 24, the Board requires the previous approval of the Central government to appoint officers and employees and can do so on terms and conditions as prescribed by the Central government. There is no statutory system for selecting members of the Board in a fair and transparent manner. There is no legislative requirement, for instance, that the Central government has to be aided by a professional search and selection committee for the purposes of selecting the Board. In effect, the Act gives the Union government full power to control the Board.

There is a useful analogy, for the DPB, with the Competition Commission of India (CCI). The CCI, unlike other regulators, largely performs ex-post adjudicatory functions alongside advisory and advocacy roles. The first version of the law had envisaged that the CCI would conduct judicial proceedings. This law was challenged on the ground that the executive branch had powers to appoint members of this judicial body, which violates the settled principle of independence of the judicial branch. The government then amended the rules so that these appointments were by a committee headed by a nominee of the Chief Justice of India. Similar legal challenges may well arise in coming days with the new DPB.

The DPDP Act is thus an interesting moment in the evolution of Indian regulation. Is it better to remain on the incremental journey of trying to build independent SRAs while recognising their weaknesses and addressing them through the 140 sections of law that get a regulator going in the draft Indian Financial Code (that was drafted by Justice Srikrishna's Financial Sector Legislative Reforms Commission)? Or is it better to abandon the journey to independent SRAs to keep functions in government departments, with appeals going to specialised tribunals? The performance of the DPB, and the approach of the courts on separation of powers and judicial independence will shed light on these fundamental questions in the coming months.

 The writer is an honorary professor at CPR, member of a few for-profit and not-for-profit boards, and a former civil servant