A blueprint for an effective data protection authority

India’s Data Protection Authority (DPA) must adopt technology to manage the high volume of privacy violation complaints and data-breach notifications. The DPA needs experts in technology, law, and privacy to balance privacy protection with technological innovation, requiring members beyond the traditional pool of bureaucrats and retired judges.

This article was first published in The Mint.

The announcement last week of the items of legislative business for the winter session of Parliament caused a mild furore in some of the policy circles that I inhabit. Twenty-fifth on the list of new bills scheduled for “introduction, consideration and passing” was the Personal Data Protection Bill, 2019, and many took this to mean that we would finally get to see the draft of India’s privacy law that the government has been working on. This excitement is a bit premature given the Union cabinet is yet to approve the draft. However, what seems clear is that we have moved into the endgame. Once the draft has been green-lighted by the cabinet, the bill would be placed before Parliament and, in due course, become law.

That is when the real work would begin. What most people don’t seem to realize is that, unlike most other Indian laws, the Personal Data Protection Bill only lists a set of broad principles that lay down the contours of privacy in the country. That in itself offers neither a clear road map for governance nor any of the details that data principals and fiduciaries alike would need in order to understand their rights and obligations. A lot has been left for the incoming Data Protection Authority (DPA) to flesh out.

For instance, the draft law specifies that there are various grounds other than consent under which personal data can be processed. The DPA is expected to provide clarifications as to how those grounds might be invoked, details that are critical to anyone seeking to collect and process data. The law requires businesses to establish age verification mechanisms in order to ensure that if they are processing children’s data, they adopt a higher standard of care. It is critical that the DPA prescribe what sort of age verification mechanisms would be appropriate and how children’s data should be safeguarded. Since the law will only apply to personal data, anyone collecting personal data will need to know what steps, if any, can be adopted to de-identify the data collected, thereby taking it out of the purview of the legislation. None of this will be possible unless the DPA prescribes the anonymization standards that those collecting data are expected to comply with.

But this is only one part of the responsibilities of the incoming data regulator. Last week, I had the opportunity to co-chair a workshop that looked into what it would take to set up an effective data protection authority in India. In attendance were data regulators from around the world who weighed in with suggestions that the yet-to-be-formed Indian regulator should consider.

At the outset, they made it clear that no matter what we do, no regulator is ever going to have enough resources to deal with all the challenges that are thrown its way. Therefore, they recommended that in order to be effective, the Indian regulator should learn to be selective. This might mean finding some way to club complaints together, or issuing rulings deliberately so that precedents are carefully established and the regulator is not overwhelmed by complaints.

They also emphasized that all privacy regulators play three distinct roles. They are teachers, policemen and ombudsmen, all at the same time. In a fast-changing sector, it is often up to the regulator to provide guidance, steering the industry in the desired direction. A regulator that proactively guides industry away from unhealthy practices is likely to be far more effective than one that only responds when things go bad.

That said, if the law has been violated, punishment must be swift and effective. It is here that the regulator needs to assume the role of the policeman, punishing those who transgress the law. Finally, there are bound to be disputes and differences in views between parties over how they should behave in specific instances. Despite efforts at guidance and regulation, some grey areas would remain. It is here that the regulator should act like an ombudsman, mediating disputes in order to arrive at a fair resolution.

Unlike any other sector or industry, data touches everyone’s life today. In a country with a population of over 1.3 billion people, the number of complaints of privacy violation and the quantity of data-breach notifications that a regulator would need to process will be staggering. There is no way it can ever hope to be effective unless it adopts appropriate technological measures to deal with the volumes it is going to be called upon to process. That said, the DPA will need to ensure that it is not over-reliant on technology, given that most of the violations that it will be called upon to regulate would likely have come about due to technology shortcomings in the first place.

Above all, it is essential to staff the DPA appropriately. While most Indian regulators tend to comprise bureaucrats and retired judges, it is essential that the data regulator be filled with experts well acquainted with technology, law and privacy. Much of what they are called upon to do will be to strike the balance between protecting privacy and furthering technological innovation. To be truly effective, they will need to come up with determinations, sometimes entirely de novo, that achieve what the law requires by pushing the edges of what technology can do. No ordinary bureaucrat, however smart and tech-savvy, is likely to be able to do that.

If the country’s data regulator is to make a real difference as envisioned, we will need to find members from beyond the traditional pool of candidates.