Asheeta Regidi

This article is Part 12 of a multi-part series explaining the recently issued white paper on data protection in India. The responses to the white paper will help in the formulation of India’s future data protection laws. You can read Part 1, Part 2, Part 3, Part 4, Part 5, Part 6, Part 7, Part 8, Part 9, Part 10 and Part 11.

The last part of the White Paper discusses the establishment of a robust, independent and technically sound data protection authority, along the lines of the Information Commissioners or Privacy Commissioners found in other jurisdictions. The ever-expanding range of privacy concerns and the technical expertise required to deal with them make this a very important aspect for the implementation and efficacy of the new law.

A data protection authority (DPA) will be granted the powers and discretion to take a number of crucial decisions regarding all data related activities in India. Establishing its independence and transparency are key considerations, along with ensuring access to the people for remedies. The White Paper also raises certain interesting questions such as whether class action suits should be permitted for data protection, and whether judicial impact assessments are required.

Models of DPAs

The White Paper looks at different models for the setting up of a DPA, such as the EU, which permits Member States to set up multiple ‘supervisory’ authorities; the UK, which has set up a single, independent Information Commissioner’s Office (ICO); or Singapore, which designates an existing body, the Info-Communications Media Development Authority, as the Personal Data Protection Commission. At present in India, there is no such DPA under the Information Technology Act or other laws.

Role of the DPA in the digital age

A DPA will have numerous functions, duties and powers under the law. Provisionally, the White Paper has recommended that its functions be along the lines of those assigned internationally. These include monitoring, enforcement and investigation; setting standards; conducting Data Protection Impact Assessments and audits; advisory powers; and generating awareness.

DPAs, in the exercise of these powers, play a huge role in protecting, controlling and allowing the use of data in the digital age. For example, Google’s Street View was allowed to remain only after the UK’s ICO ruled that the blurring of faces and number plates brought it within data protection laws. At the same time, the accidental collection of Wi-Fi data by the Street View mapping cars was ruled to be a major privacy violation by the Privacy Commissioner of Canada.

DPAs thus decide on data processing that is permissible. Internationally, they also act as a register for data controllers, where only those registered can process data. The extent of permission granted to process the data will depend on the DPA’s categorisation of the data controller. Even in the case of cross-border transfers, the DPA will have the authority to decide which nations grant an adequate level of security to allow the transfer and processing of data.

For example, concerns with the surveillance practices of the US have led to national DPAs in the EU threatening to file legal challenges against the EU-US Privacy Shield, if their concerns are not addressed. The DPAs have demanded further evidence or legally binding commitments that the US would not, for instance, exercise its authority under the US Foreign Intelligence Surveillance Act to collect communications from foreign-based suspects.

Role of the DPA in adjudication

In order to ensure that data processing activities are within the law, DPAs are granted powers to investigate suspected violations, review complaints and activities, and adjudicate and award penalties. These powers allow the questioning of any practices which the DPA feels violate privacy laws. Due to the power to take suo motu notice, i.e., to act even without receiving a formal complaint, the DPA does not need to wait for an actual violation of privacy and can take action to prevent a privacy violation before it occurs.

For example, UK’s ICO, much like other Commissioners elsewhere, did not approve of WhatsApp’s sharing of data with Facebook, finding that the people had not been adequately informed of the data sharing practices and that their consent for the new practices had not been taken properly. This forced WhatsApp to cease the sharing of the data until it met the requirements of the ICO. Questions were also raised against new technologies like Google Glass by the Privacy Commissioner of Canada and against Apple’s FaceID, though these concerns were raised by a senator.

Single, centralised DPA considered in the White Paper

India’s specific circumstances need to be taken into consideration while deciding on a suitable model for a DPA. For example, it has been argued that a single data protection authority will not be appropriate in the Indian landscape, as it would lead to too much centralisation of power in the hands of a single body. Even with the constitution of the Sri Krishna Committee to frame the law, concerns were raised about the composition of the Committee, with calls for wider representation from various stakeholders.

At present, the White Paper is leaning towards the framing of a single, centralised body as a DPA. A separate, independent body has been suggested, though comments have been called for on other models as well. Views have also been sought on the need for separate state-level DPAs. Whether centralised or in the form of a multi-agency authority, some factors must be ensured to address the concerns raised. One is to establish transparency in the functioning of the DPA. At the same time, the DPA must be kept independent from the influence of various actors to enable its impartial functioning. A system of checks and balances must, therefore, be established.

Adjudication process should not go the CyAT way

The White Paper also looks at the setting up of an adjudication process in India. One concern is that it recommends a system similar to that under the IT Act. It suggests the appointment of adjudicatory officers by the DPA to hear complaints, with the Cyber Appellate Tribunal (CyAT) hearing appeals. An individual’s complaint would, therefore, go first to the data controller’s grievance redressal officer, then to the adjudicatory officer of the DPA and finally to the CyAT.

While setting up the DPA, the failure of the CyAT must be kept in mind. The Tribunal was non-functional for several years, without even a chairperson, which led to the transfer of its powers to the Telecom Disputes Settlement and Appellate Tribunal. The failure of the CyAT needs to be looked at, and steps need to be taken to avoid a repeat of those mistakes with the DPA’s system.

Class action suits in India

An interesting issue raised in the White Paper is whether class action suits should be permitted under the new law. Class action suits are more common in western countries, and in India have taken the occasional form of public interest litigation. The new Company law in India allowed class action suits after Indian investors in the Satyam scam were left high and dry while foreign investors could get compensation.

Class action suits for privacy violations are seen very commonly, such as the recent class action suit against Google for tracking iPhone Safari users, suits against Facebook for tracking users on other websites, or the potential suit against Uber for its data breach. Given the huge number of people likely to be affected by a privacy violation, the ability to file a class action suit in India is very welcome.

Key questions raised in the White Paper

In view of these issues, the White Paper has presently sought comments on the following key questions with respect to the setting up of a DPA in India:

Is a separate, independent DPA required to ensure compliance in India?

Is there a possibility to confer the powers of a DPA on an existing body like the Central Information Commission?

For the DPA, what should the composition, qualifications, tenure and appointment procedures of the members be?

Should there be additional state-level DPAs given the volume of complaints that are likely to arise?

How should the independence of a DPA be ensured?

What should its functions, duties and powers be?

Should the DPA retain a portion of the fines?

How will standards be set by the DPA through consultation, or should there be different sets of standards by different entities?

Should the DPA have the power to adjudicate and hear complaints? What should the qualifications and expertise of the adjudicatory officer appointed for this purpose be?

Should appeals lie with the TDSAT? If not, what should the constitution of the appellate tribunal be?

When should the appellate authority be conferred with original jurisdiction, such as in case of disputes between two data controllers?

How can digital mechanisms of adjudication and redressal be incorporated?

Should the DPA have the power to grant compensation? Can an appeal from such an order lie with the National Consumer Disputes Redressal Commission (NCDRC)? Can a large claim for compensation lie directly with the NCDRC?

Should class action suits be permitted?

How should judicial capacity be assessed? Would judicial impact assessments be useful?

Any other views?

Seize the chance to participate

The Data Protection White Paper, on the whole, contains a very comprehensive, though preliminary, look at privacy laws around the world and the possible form of privacy regulation in India. It must be kept in mind that the White Paper has not taken the form of TRAI’s Consultation Papers, which involve a complete discussion of the issue before asking for comments. The discussion in the White Paper gives a brief overview of international practices with privacy laws, and the provisional views expressed are extremely basic. It is the people’s responses to the paper that will play a definitive role in the next stage, i.e., preparing the first draft of the law.

The White Paper gives the people a rarely seen chance to participate in the framing of this significant law. Given the widespread ramifications of this law, participation by the people is crucial. It is a chance to actually participate in the framing of the law, and anyone with a concern, be it an individual who feels data analytics are too invasive, a rights advocate supporting fines as a percentage of global turnover or a start-up wanting its needs to be kept in mind, needs to seize this opportunity to draw the attention of the Committee to their issues.

The last date for responses to the Paper is 31 December, 2017.

Part I of the series explores the definitions of personal data and sensitive personal data

Part II of the series examines the jurisdiction and territorial scope of data protection laws

Part III of the series explores cross-border data flows and data localisation

Part IV deals with exemptions to data protection law

Part V deals with notice and consent

Part VI deals with the big data challenge to privacy principles

Part VII deals with processing of sensitive personal data

Part VIII deals with ensuring data quality

Part IX deals with new rights against discriminatory AI decisions, marketing, etc.

Part X deals with adopting a co-regulatory approach

Part XI deals with establishing deterrent consequences.

The author is a lawyer and author specialising in technology laws. She is also a certified information privacy professional.