Updated: July 9, 2020 8:11:15 pm
It has been almost three years since the process of drafting the Personal Data Protection (PDP) Bill was set in motion. Assuming that the current version of the Bill, which is being reviewed by a Joint Parliamentary Committee, were to be passed, what remedies would it offer to individuals who suffer privacy harms?
For instance, if an app collects an individual’s location data for the sole purpose of COVID contact tracing, but later uses it for monitoring quarantine restrictions, what recourse would the person have? Similarly, what happens if a website fails to safely secure their database leading to a breach of the customer’s credit card information with resulting financial loss?
The answers to these questions are closely tied with the design of the proposed Data Protection Authority (DPA) that is to be created under the Bill. One of the many important duties cast on the DPA is to adjudicate complaints received from data principals — individuals whose personal data is processed by others. In the above examples, the affected individual can, therefore, make a complaint to the DPA seeking compensation for the harm caused to her.
The DPA is set to function as what the Financial Sector Legislative Reforms Commission (FSLRC) termed as a “mini-state”. This refers to an agency that is entrusted with a mix of quasi-legislative (regulation-making), executive (supervision and enforcement), and quasi-judicial (adjudication) functions. It comes with the risk that, absent structural safeguards, the agency might end up abusing or, conversely, neglecting some of its functions. A carefully-crafted regulatory design and robust accountability mechanisms are, therefore, essential.
This is particularly true in the DPA’s case, given its broad mandate. Unlike other sectoral regulators that oversee specific businesses, the DPA’s authority will extend to anyone who deals with personal data. This may include individuals, private entities or any department or agency of the state. Further, since each data principal is party to multiple online and offline relationships, the universe of regulated transactions becomes even larger.
Let us suppose that every person above 15 years of age shares their personal data with at least three different entities. This adds up to over 2.6 billion transactions annually. Hypothetically, even if something as minuscule as 0.5 per cent of these leads to a complaint, that translates to 13 million cases per year. Some of these may be addressed directly by the concerned entity while the rest will find their way to the DPA. A caseload of this sort would be daunting for any agency, let alone one that is tasked with multiple competing responsibilities. As a consequence, the DPA may either be overwhelmed by the volume of complaints or may grossly under-prioritise this aspect, resulting in delays, erosion of trust and poorer outcomes.
Faced with limited capacity and resources, the DPA will logically have to prioritise some activities over others. Should it concentrate more on regulations and codes of practice, without which the new law cannot be operationalised, or on redress? Will the DPA’s adjudicating officers, who will oversee both compensation claims and the levy of penalties, be able to focus equally on both aspects? Could a large volume of complaints point to the DPA’s poor regulatory systems, hence creating a conflict of interest?
Motivated by these concerns, we had recommended that the DPA’s grievance redress function should ideally be moved to a stand-alone Data Protection Ombudsman (DPO). The structure, functioning, and accountability of this body should all be geared towards the single objective of providing efficient redress. At the same time, close interaction with the DPA will ensure that the intelligence gathered from the complaints process can inform the DPA’s regulatory and supervisory efforts.
Besides this structural reorganisation, the Bill also needs greater clarity on the implementation of the redress mechanism. The current draft requires the DPA to maintain a cadre of adjudicating officers and specifies their desired areas of expertise. All other important details, like the terms of appointment, jurisdictional scope, and procedure for hearings, are, however, left to be decided by the central government. The Bill doesn’t even specify whether the adjudication process can, or should, be preceded by mediation, which could help in the amicable settlement of many complaints.
The only guidance offered is that the rules framed by the government must respect “operational segregation, independence, and neutrality of the adjudication”. No doubt, these are all important factors. However, the law should also target making redress more accessible, affordable and efficient, including through the use of technology. For instance, while recommending the creation of a unified Financial Redress Agency, the FSLRC’s draft law proposed that the agency be statutorily bound to make use of modern technology. This included requirements of electronic filings, digital case management, and remote participation in hearings. Subsequently, a task force set up to review the operationalisation of this agency recommended the creation of a network of local facilitation centres. It aimed to make sure that technology-enabled redress becomes truly accessible to everyone, including in rural areas.
The COVID pandemic has once again highlighted the urgency of pursuing online dispute resolution mechanisms. Yet, it has also been a reminder that merely going online is not sufficient unless access to redress can also be made more equitable. Ultimately, the entire edifice of the data protection framework is built on the foundation of protecting individual rights. The right to efficient redress is a critical piece of this puzzle, solving which requires a rethink of the institutional and implementation structures proposed under the PDP Bill.
The writer, a researcher at National Institute of Public Finance and Policy, was a part of the FSLRC research secretariat. Views are personal
📣 The Indian Express is now on Telegram. Click here to join our channel (@indianexpress) and stay updated with the latest headlines
- The Indian Express website has been rated GREEN for its credibility and trustworthiness by Newsguard, a global service that rates news sources for their journalistic standards.