Data Protection Board: Chance to bring regulatory agility or a miss hit?

Data Protection Board of India could play an essential role in bringing about regulatory agility and striking the right balance between regulation and innovation in a data-dependent digital economy

One common pattern in the technology sector, especially in consumer-facing businesses, is how these services scale up quickly in the absence of any regulatory oversight. This results in situations where it becomes difficult to undo unforeseen negative consequences of such businesses because of various factors, including heavy user dependence and difficulty in changing already-scaled business models.

Forced Aadhaar-based authentication of customers by private entities, data mining across industries in India and the unrestricted growth of the gig economy in the absence of social security measures are just a few such examples. There is also a need for an agile regulatory system that not only responds quickly to concerns arising from emerging technologies like AI and IoT, but also provides regulatory certainty to these industries, which attract significant investment and highly skilled talent.

 

Given the use of consumer data across industries such as healthcare, finance and education, there will be use cases with no apparent legal position in India, such as gene editing, commercial use of deep fakes (remember the Shahrukh Khan-Cadbury Diwali campaign from 2021?), facial recognition technology or the use of generative AI in educational institutes or creative industries. India would do well not to repeat what is currently happening with the online gaming industry or what happened earlier with the cryptocurrency industry— two sectors that grew uncontrollably big in the shadow of regulatory uncertainty.

The Data Protection Board of India (DPBI), as proposed in the recently passed Digital Personal Data Protection (DPDP) Bill, 2023, could play an essential role in bringing about regulatory agility and striking the right balance between regulation and innovation in a data-dependent digital economy. Unfortunately, the part of the DPBI has largely been restricted to a complaint resolution authority with very few powers.

Here are a few examples of regulatory innovations that could turn the DPBI into an effective regulator-

Advance rulings:

There should be a legal provision to allow businesses to seek written opinions from the DPBI on whether a particular business practice or business model they intend to follow concerning personal data usage is legally permissible under Indian law. In this context, India already has a precedent in the Authority on Advanced Rulings established under the Central GST Act, which allows businesses to seek legally binding opinions on determining their tax liability for proposed transactions. A similar proposal was reportedly considered previously for the Belgian Data Protection Authority.

Suo motu powers to investigate a digital product/service and issue directions:

A great example in this context is the USA’s Federal Trade Commission. Despite the lack of a national data protection law (though the USA has some sectoral laws), the FTC has investigated and issued directions/guidelines on a wide range of technology-related issues that impact consumers, including use of facial recognition technology and AI & algorithms, security measures by service providers dealing with sensitive personal data (such as health data) and data breaches. The FTC is an excellent example of what ‘agility’ in a regulatory body looks like, where the regulator can take effective steps on its own by exercising broad powers; both Securities and Exchange Board of India (Sebi) and Reserve Bank of India (RBI) also have such powers. Unfortunately, similar powers have not been given to the DPBI.

Issuing opinions and guidance on best practices:

Data protection authorities actively issue guidance documents and advisories on how businesses can comply with applicable legal obligations. For example, the European Data Protection Board has released exhaustive guidelines explaining how companies need to implement users’ right to access their personal data from service providers and its limits and restrictions. Similarly, the Personal Data Protection Commission of Singapore has released guidelines explaining how a data protection impact assessment (DPIA) should be conducted. While both these obligations of providing users access to their data and conducting a

DPIA is also present in the DPDP Bill. The DPBI does not have any powers to issue guidelines or advisories.

Regulatory capacity and legal requirements:

The DPBI will need sufficient resources and skilled manpower to perform all of its functions, especially considering India’s massive user base. For example, though Ireland’s population is approx. 5.2 million (as per Census 2022), the Irish Data Protection Commission had 196 staff members at the end of 2022. Compare this to India, where only Delhi’s population is estimated to be more than 20 million. The Telecom Disputes Settlement and Appellate Tribunal (TDSAT), which has been appointed as the appellate authority under the DPDP Bill, has a single bench of three members. It already hears cases related to telecom, broadcasting, AERA, cyber law and some Aadhaar-related matters. Unsurprisingly, it has 1,106 cases pending since January 2022, according to its website. Additionally, appointing the TDSAT as an appellate authority may not be sufficient to meet the composition-related requirements for quasi-judicial bodies as laid down in various Supreme Court judgements— something that does notseem to be addressed in the DPDP Bill with respect to the DPIA.

From the government’s perspective, an essential advantage of the above measures is that they will provide a sound legal foundation for implementing the DPDP Bill and for any decisions taken by the DPBI under the Bill. This can be especially helpful in Court cases on data protection-related issues and judicial review of the decisions of the DPBI.

While the DPDP Bill has already been passed in Parliament, this is just the beginning of a long journey; hopefully, these suggestions will be considered in future amendments to the DPDP Bill. India has enough regulatory experience and history to understand the limitations generally faced by regulatory and adjudicatory institutions. The rare instances where the government gets an opportunity to create a new regulatory institution through a statute should be utilised to not only address these limitations, but also create strong independent institutions with the required expertise and capacity to serve a nation of more than 1.4 billion people.

---

The author is a lawyer specialising in technology law and policy issues