P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.
In our previous article we discussed the desired scope of the proposed act in the form of the Preamble. The Preamble recognized the need for the law to cover all the stakeholders, including commercial business and the Government, besides the individuals whose “Right to Privacy” needs to be protected.
Let us now continue the discussion by fixing the “Regulatory Structure” of the Act.
The JPC on PDPB 2019 effectively muddied the process of creation of the law by trying to merge “Protection of Non Personal Data” into the data protection law. This reflected the failure of the JPC to understand the technology of “Anonymisation” which was meant to segregate “Personal Data” from “Non Personal Data” so that different laws could address the two segments of data.
Going forward, the Government could complicate matters further by merging the exercise of updating the Information Technology Act 2000 (ITA 2000) with the passage of the NDPAI. Further, there are statements that Telecom Regulation and Non Personal Data Governance may also be combined into this same legislation.
While it is the prerogative of the Government to create a complex mesh of law that could actually render it ineffective, we shall try to identify the different components of these laws as different Chapters so that some effort can be made to look at each law separately.
Currently ITA 2000 addresses both personal and non personal data in the following aspects:
a) “Legal Recognition” of electronic documents and authentication,
b) A support system for Digital Signature management
c) Legal System for addressing Contraventions leading to Civil Liabilities
d) Defining Cyber Crimes
e) Defining Cyber Security framework along with the role of CERT-IN and MeitY as the de-facto regulators
The Non Personal Data Governance regulation suggested by the Kris Gopalakrishnan Committee addressed the following aspects:
a) Adopting the definition of Non Personal Data as “Data” which is not personal under the PDPB 2019
b) Defining Data Business related to the processing of Non Personal Data and the roles of the different types of Non Personal Data generators and processors
c) Creating a structure for monetization of Non Personal Data and their trading
d) Creating a regulatory mechanism for governing the Act
In the process, the PDPB 2019 focussed on the following aspects:
a) Defining Personal Data
b) Prescribing norms for processing of Personal Data
c) Recognizing sub-rights related to personal data processing for protection of the constitutional Right to Privacy
d) Defining compliance measures required by the industry
e) Prescribing deterrent penalties
f) Creating a regulatory mechanism for governing the Act
Now, if all these are to be combined into the same Act, we need to ensure that there is clarity so that overlapping regulations are avoided.
One of the main reasons for the JPC to think of combining Non Personal Data and Personal Data into one regulation was that they did not want two centres of power in the form of two regulators. However, the role of the PDPB was “Protection”, while the role of the “Non Personal Data Governance Act” was “Commercialization of Data Business”. The two regulations required regulators with different mindsets, and it was logical to have two different persons responsible for them.
Just as in a company the Chief Financial Officer, the Chief Marketing Officer and the Chief Technology Officer have different mental attitudes and contribute towards the balanced development of the company, one with a cautious attitude, another with an aggressive attitude and yet another with an innovative outlook, so the regulators of ITA 2000, PDPB 2019 and Non Personal Data Governance need to work together while maintaining different outlooks.
If we try to bring these three different mindsets together into one regulator, then he is likely to skew towards one or the other of these responsibilities depending on his background, and bringing harmony will be tough.
One alternative approach would be to create three sub-regulators and a super regulator, which, if handled professionally, could work.
We therefore suggest the Regulatory Framework as follows:
- Regulator for Personal Data Governance (R-PDG)
- Regulator for Non Personal Data Governance (R-NPDG)
- Regulator for Protection of Personal and Non Personal Data (R-Protection)
In this model, the regulator for protection of Personal and Non Personal Data (R-Protection) would be a “Security Expert” and would not only address setting standards of Cyber Security for Non Personal Data but also the requirements of Security of Personal Data (as envisaged under Section 24 of PDPB 2019). CERT-IN could be given this role and would work under the Super Regulator.
The Regulator for Non Personal Data Governance is a marketing function, and he would be responsible for the monetization of data, which inter alia will include the responsibility for defining the standard of anonymisation that segregates Personal and Non Personal Data. He will be like the SEBI, regulating the “Data Exchange”, and will work under the overall supervision of the Super Regulator.
This leaves the Regulator of Personal Data, which is the current function of the Data Protection Authority of India under PDPB 2019. In the new model, the primary role of this regulator would be ensuring that the “Principles of Processing of Personal Data and the Rights of Data Principals” are monitored in such a way that the “Right to Privacy” is protected in the information world. He will also work under the Super Regulator.
Currently there are some quasi-judicial responsibilities which are entrusted to the “Adjudicators” under both ITA 2000 and PDPB 2019, as well as to CERT-IN, outside the more formal judicial system of “Tribunals” which integrates with the High Court/Supreme Court system.
In the new model, it is recommended that a fourth regulatory position is created under the Super Regulator to focus on “Adjudication” alone. The adjudicator would adjudicate on contraventions presently under the PDPB 2019 as well as under ITA 2000, and on the emerging conflicts under Non Personal Data Governance. These adjudicators would be set up in multiple cities, with appeals going to a Tribunal with benches in different parts of the country, and finally to the High Court and thereafter the Supreme Court. The criminal justice system is left untouched, and hence the regulatory authority for criminal offences would continue to be the “Police” and the legacy judicial system.
The Super Regulator would be like the CEO in a commercial organization and would be assisted by a group of experts like a Board of Directors. This structure would replace the current system of Data Protection Authority of India with a Chairman and Six Members.
The Super Regulator would be a multi-member body like the CVC or CEC, supported by a Super Governance Board with appropriate checks and balances. The Super Governance Board may have even broader representation than the current six-member Data Protection Authority of India.
The structure may appear as follows.
Though the regulatory structure may look too elaborate, it would be essential for the type of complex legislation presently planned.