One Data Protection Legislation and One Regulator for 1.3 Billion People?

Such centralisation of power does not bode well for a country like India, particularly one which is likely to ignite regulatory turf wars and hand the government another instrument of coercive power.

After all the allegations by privacy activists against the committee of experts on data protection, that its composition was lopsided and that it was not transparent, the report and draft bill turned out to be quite the anti-climax.

The committee’s recommendations are broadly in line with the demands made by the privacy activists save for some minor quibbles. The committee has thus leaned heavily in favour of an European Union-style heavy regulatory framework which, as I’ve argued earlier in these pages, may not be in the best interests of the Indian democracy and economy. The main problem with the committee’s approach is that it seeks to tackle a humungous issue affecting 1.3 billion Indians and their $2.5 trillion economy through one legislation and one regulator.

Such centralisation of power does not bode well for a country like India.

Does the constitution permit a single data protection law?

First, the recommendation of the committee for only one legislation likely runs against the federal nature of the Indian constitution. As per Article 246 of the constitution, only parliament can legislate on those entries contained in List I of Schedule VII to the constitution, while only state legislatures can enact laws on entries contained in List II. Both parliament and state legislatures can enact legislation on entries in List III.

For example, only parliament has been given the power to enact laws regarding tax income (excluding agricultural income) while only state legislatures have the power to tax agricultural income. Of course, this delineation of power is not always that clear cut. Quite often there is litigation on whether parliament or state legislatures have crossed the boundaries of their powers. In these cases, India’s constitutional courts try to ascertain the ‘pith and substance’ of the disputed legislation to determine whether the essence of the legislation falls under List I, II or III. As I explained earlier, the issue of government records and the data contained within them has been a contentious issue. When parliament was debating the Public Records Act, 1993, some MPs made a demand that parliament extend the law even to state governments and not confine it to only records of the Central government.

In the decade that followed, several state legislatures enacted Right to Information-style laws on the assumption that only the state legislature could regulate the manner in which state government records could be accessed. In 2005, the UPA government decided that since none of the entries in Schedule VII mentioned the right to information specifically, it could be presumed that the RTI Act fell within Entry 97 of List I – this entry contains the residuary powers i.e. if a particular subject matter is not listed in any of the three lists it is presumed to fall under Entry 97 thereby bestowing in Parliament the power to legislature on the topic.

This logic put forth by the UPA at the time to push through the RTI Act is highly doubtful because the “pith and substance” of the RTI Act lies in regulating access to public records. The maintenance and manner of accessing these public records goes to the heart of an efficient administration. For example, the administration of land falls under List II and the maintenance of land records goes to the heart of administration of land. To argue that state legislatures are saddled with the burden of administering land while parliament can decide how these land records can be accessed under the RTI Act is absurd.

I give these specific examples related to public records because a potential data protection legislation, like the RTI Act, basically deals with the manner in which government records have to be maintained and accessed. It is only logical and desirable that state legislatures should have the power to set data protection standards for all areas of administration found in List II. This still leaves a considerable swathe of power with parliament because the bulk of this data protection legislation has to do with internet-based communication, which anyway falls under List I.

Credit: Pawel Kopczynski/Reuters

The logical conclusion of this argument is that parliament does not have the power to extend either the RTI Act or a potential data protection legislation to those areas that follow within the sole purview of state legislature.

I’m aware that federalism is hardly an issue of interest these days but let us not forget that the more centralised administration becomes in India, the further away we travel from the ultimate aim of decentralisation of power. If we were to look at Europe, countries like Germany have different data protection legislation for the federal government and state governments. There is no reason for India to not follow such an approach. Given that state governments are investing significant sums in creating vast digital databases called State Resident Data Hubs (SRDH) they need to consider whether they want to be able to regulate these data hubs under their own laws or submit to the centre’s diktat.

The possibility of regulatory turf wars

The second significant objection to the committee’s report is its recommendation to create a single data protection legislation and data protection authority (DPA) to regulate data protection across multiple sectors of India’s $2.5 trillion dollars economy. Once created, the DPA, like any other regulator, will have the power to make binding rules, non-binding codes of practice for different sectors like telecom, banking etc. The DPA will also have the power to enforce these rules.

The obvious problem with this arrangement is the centralisation of immense regulatory power. If data is going to be the new oil of the fourth industrial revolution, do we really want to vest the power to regulate data across crucial sectors like banking, telecom, medical service providers with one regulator?

Apart from the political issues associated with centralisation of such regulatory power, there is also the question of efficiency and turf battles. Given the centrality of data to the digital economy, sectoral regulators like TRAI, RBI & CCI will inevitably end up taking decisions related to data in order to ensure competitiveness and consumer welfare. This will most likely lead to regulatory turf wars with the proposed DPA and in India such turf wars lead to prolonged litigation.

Would it then not make sense to structure the law in such a way that sectoral regulators are vested with the power to regulate the data protection aspects of their respective sectors? Thus, the RBI would set and enforce data protection standards for the banking and payments sector, while TRAI would set the standards for the telecom industry. This approach may require separate sectoral data protection legislation rather than one omnibus standard. 

Does the Indian state need yet another regulator with coercive powers?   

The third significant objection is the creation of a single DPA whose tentacles spread across every sector of the economy and with the power to investigate, search and punish. The average Indian business and citizen is already subject to the tyranny and arbitrariness of multiple government agencies and regulators and this can impact crucial sectors like journalism. Let us not forget that when Atal Bihari Vajyapee was upset with Outlook for its reporting, the finance ministry unleashed the IT department on the Raheja family that owned the magazine. Do we really want to create one more authority i.e. the DPA and give the government another instrument of coercive power? Would it not be a better idea to vest existing sectoral regulators with the power to regulate even data protection rather than create a new expensive behemoth?

Taking on too many lobbies at the same time?

Last, but not the least, is the issue of whether the legislation drafted by the expert committee steps on too many feet, thereby risking an early death. In its present form, the draft legislation is going to upset three powerful lobbies: the intelligence community which has tripped earlier attempts to enact a privacy law will oppose this draft because it curbs their ability to conduct surveillance until authorised by law; the Silicon Valley lobby will oppose the new draft bill because of the data localisation requirements and finally, the bureaucracy, which will now have to rework their record keeping practices failing which department heads will be liable for offences.

The issue with upsetting three heavily entrenched lobbies is that the draft bill will face so much opposition that it will never move beyond the drafting stage. Would it not be better to have different sectoral data protection laws? In case one lobby blocks one particular sectoral legislation the remaining sectoral legislation can still move ahead. 

Prashant Reddy T. is an assistant professor at the National Academy of Legal Studies and Research (NALSAR), Hyderabad where he teaches intellectual property law and administrative law. He is co-author of Create, Copy, Disrupt: India’s Intellectual Property Dilemmas (OUP).