Why India’s Proposed Data Protection Authority Needs Constitutional Entrenchment

In its current form, the authority lacks the independence of a fourth branch institution and does not have strong safeguards against executive and political interference.

India’s data protection authority (DPA), as envisaged under the proposed Personal Data Protection (PDP) Bill, has been entrusted with the crucial responsibility of protecting and regulating the use of personal data of citizens.

The DPA is supposed to act as a bulwark against unconstitutional and illegal use of such personal data of citizens. Given its crucial role, the DPA is not merely an economic or sectoral regulator but plays the role of a ‘fourth branch institution’.

In its current form, however, the DPA lacks the independence of a fourth branch institution and does not have strong safeguards against executive and political interference or attempts at diluting its powers and functions with ease.

‘Fourth branch’ vs sectoral regulator

The constitution traditionally provides for three branches of state – the legislature, the executive and the judiciary. As the economy opened up, technical expertise became necessary. This gave rise to the proliferation of sectoral regulators such as the SEBI, IRDA, CCI or TRAI, which, while maintaining arm’s length, would continue to shape policy and develop the nascent sector-specific markets in close co-ordination with the executive governments. These were statutory bodies created under an Act of parliament, with the Central government having a large say in the appointment of its members, their conditions of service and removal.

Fourth branch institutions, on the other hand, play the crucial role of protecting core constitutional values such as democracy, transparency, impartiality, equality and equity, justice, freedom and human rights. They essentially have to maintain a character of complete aloofness, much beyond the arm’s length, from the executive as they have to hold the executive to account in specified ways. They do not perform traditional executive functions of economic development or financial regulation but ensure horizontal accountability of the other branches of government. They are often constitutional bodies such as the Finance Commission (FC), Election Commission (EC) and the Comptroller and Auditor General.

More recently, many bodies such as the Lokpal, information commissions (IC) and the National Human Rights Commission (NHRC) have also been set up conceptually as fourth branch institutions with regard to their independence in functioning, but through statutes in parliament.

The DPA has been entrusted the role of a fourth branch institution, primarily due to its overarching role in protecting the fundamental right to privacy of citizens against not only possible transgressions of such privacy by the private sector but also possibly by the government itself. As opposed to a sectoral regulator, it is a sector-agnostic body and has wide powers cutting across sectors and economic spheres. It is empowered to penalise both Central and state governments when they fail to protect an individual’s personal data. In fact, it is also empowered to monitor sensitive data processed by other fourth branch watchdogs such as the CAG and the EC and even more significantly, the Legislature and Judiciary itself. As such, the DPA carries out crucial fourth branch oversight and accountability functions against almost all institutions of governance in our system.

Increasing independence of DPA 

Why does the DPA, in its current form, lack the independence needed to be a strong fourth branch institution and ward off attempts of political interference?

This is primarily attributable to the fact that its structure and composition was inspired from sectoral regulators such as SEBI, IRDA and TRAI, based on the recommendation by the Financial Sector Legislative Reforms Commission as mentioned in the Justice B.N. Srikrishna committee report.

Union law minister Ravi Shankar Prasad receives the report from Justice B.N. Srikrishna. Photo: PTI

Even then, while the Srikrishna committee suggested inclusion of the Chief Justice of India or her nominee and one expert of repute in the Selection Committee, the PDP Bill introduced in parliament provides for a committee comprising entirely of members from the executive, i.e. secretaries from departments of the Central government, without a judicial member and an expert. The power and discretion to remove any member of the DPA are vested with the Central government without a method or procedure for such removal being explicitly prescribed. The protection of the salary of the members has also been diluted and it shall now be prescribed by the Central government.

A DPA appointed solely by the Central government runs a severe risk of being in conflict with its purpose, interest and decisions while being called upon to take action against Central or state governments for possible breaches causing harm to some citizens, especially in large subsidy and health programmes run entirely by the government. Similarly, it may also adversely affect the federal structure of the constitution if it acts against the interests of state governments in a partisan manner.

The need for constitutional entrenchment 

Thus, any data protection body must be abundantly independent, especially in the manner of appointment of its members, conditions of their service and the manner of their removal.

They must not be appointees of the executive alone but must be appointed on the recommendation of a committee having bipartisan legislative representation and representatives from the judiciary – as is the case with the information commissions, the Central Vigilance Commission and the NHRC. Their removal from office must only be allowed in the same manner as a judge of the Supreme Court and their salary must also be fixed similar to the CAG or an election commissioner.

Only a constitutionally entrenched body will be sufficiently protected from executive aggrandizement, political control and institutional capture, leading to a robust fourth branch institution – one which can act as an effective guardrail against violation of the right to privacy. Incorporation of a full-fledged Data Protection Commission through a constitutional amendment must be envisaged by the legislature as a replacement for the DPA in its current form.

Amar Patnaik is Member of Parliament, Rajya Sabha from Odisha and a former CAG civil servant. He is also a member of the joint parliamentary committee on the PDP Bill, 2019.