The Wire: New Delhi: Tuesday, July 31, 2018.
After all the
allegations by privacy activists against the committee of experts on data
protection, that its composition was lopsided and that it was not transparent,
the report and draft bill turned out to be quite the anti-climax.
The
committee’s recommendations are broadly in line with the demands made by the
privacy activists save for some minor quibbles. The committee has thus leaned
heavily in favour of an European Union-style heavy regulatory framework which,
as I’ve argued earlier in these pages, may not be in the best interests of the
Indian democracy and economy. The main problem with the committee’s approach is
that it seeks to tackle a humungous issue affecting 1.3 billion Indians and
their $2.5 trillion economy through one legislation and one regulator.
Such
centralisation of power does not bode well for a country like India.
Does the
constitution permit a single data protection law?
First, the
recommendation of the committee for only one legislation likely runs against
the federal nature of the Indian constitution. As per Article 246 of the
constitution, only parliament can legislate on those entries contained in List
I of Schedule VII to the constitution, while only state legislatures can enact
laws on entries contained in List II. Both parliament and state legislatures
can enact legislation on entries in List III.
For example,
only parliament has been given the power to enact laws regarding tax income
(excluding agricultural income) while only state legislatures have the power to
tax agricultural income. Of course, this delineation of power is not always
that clear cut. Quite often there is litigation on whether parliament or state
legislatures have crossed the boundaries of their powers. In these cases,
India’s constitutional courts try to ascertain the ‘pith and substance’ of the
disputed legislation to determine whether the essence of the legislation falls
under List I, II or III. As I explained earlier, the issue of government
records and the data contained within them has been a contentious issue. When
parliament was debating the Public Records Act, 1993, some MPs made a demand
that parliament extend the law even to state governments and not confine it to
only records of the Central government.
In the decade
that followed, several state legislatures enacted Right to Information-style
laws on the assumption that only the state legislature could regulate the
manner in which state government records could be accessed. In 2005, the UPA
government decided that since none of the entries in Schedule VII mentioned the
right to information specifically, it could be presumed that the RTI Act fell
within Entry 97 of List I – this entry contains the residuary powers i.e. if a
particular subject matter is not listed in any of the three lists it is
presumed to fall under Entry 97 thereby bestowing in Parliament the power to legislature
on the topic.
This logic
put forth by the UPA at the time to push through the RTI Act is highly doubtful
because the “pith and substance” of the RTI Act lies in regulating access to
public records. The maintenance and manner of accessing these public records
goes to the heart of an efficient administration. For example, the
administration of land falls under List II and the maintenance of land records
goes to the heart of administration of land. To argue that state legislatures
are saddled with the burden of administering land while parliament can decide
how these land records can be accessed under the RTI Act is absurd.
I give these
specific examples related to public records because a potential data protection
legislation, like the RTI Act, basically deals with the manner in which
government records have to be maintained and accessed. It is only logical and
desirable that state legislatures should have the power to set data protection
standards for all areas of administration found in List II. This still leaves a
considerable swathe of power with parliament because the bulk of this data
protection legislation has to do with internet-based communication, which
anyway falls under List I.
The logical
conclusion of this argument is that parliament does not have the power to
extend either the RTI Act or a potential data protection legislation to those
areas that follow within the sole purview of state legislature.
I’m aware
that federalism is hardly an issue of interest these days but let us not forget
that the more centralised administration becomes in India, the further away we
travel from the ultimate aim of decentralisation of power. If we were to look
at Europe, countries like Germany have different data protection legislation
for the federal government and state governments. There is no reason for India
to not follow such an approach. Given that state governments are investing
significant sums in creating vast digital databases called State Resident Data
Hubs (SRDH) they need to consider whether they want to be able to regulate
these data hubs under their own laws or submit to the centre’s diktat.
The
possibility of regulatory turf wars
The second
significant objection to the committee’s report is its recommendation to create
a single data protection legislation and data protection authority (DPA) to
regulate data protection across multiple sectors of India’s $2.5 trillion
dollars economy. Once created, the DPA, like any other regulator, will have the
power to make binding rules, non-binding codes of practice for different
sectors like telecom, banking etc. The DPA will also have the power to enforce
these rules.
The obvious
problem with this arrangement is the centralisation of immense regulatory
power. If data is going to be the new oil of the fourth industrial revolution,
do we really want to vest the power to regulate data across crucial sectors
like banking, telecom, medical service providers with one regulator?
Apart from
the political issues associated with centralisation of such regulatory power,
there is also the question of efficiency and turf battles. Given the centrality
of data to the digital economy, sectoral regulators like TRAI, RBI & CCI
will inevitably end up taking decisions related to data in order to ensure
competitiveness and consumer welfare. This will most likely lead to regulatory
turf wars with the proposed DPA and in India such turf wars lead to prolonged
litigation.
Would it then
not make sense to structure the law in such a way that sectoral regulators are
vested with the power to regulate the data protection aspects of their
respective sectors? Thus, the RBI would set and enforce data protection
standards for the banking and payments sector, while TRAI would set the
standards for the telecom industry. This approach may require separate sectoral
data protection legislation rather than one omnibus standard.
Does the
Indian state need yet another regulator with coercive powers?
The third
significant objection is the creation of a single DPA whose tentacles spread
across every sector of the economy and with the power to investigate, search
and punish. The average Indian business and citizen is already subject to the
tyranny and arbitrariness of multiple government agencies and regulators and
this can impact crucial sectors like journalism. Let us not forget that when
Atal Bihari Vajyapee was upset with Outlook for its reporting, the finance
ministry unleashed the IT department on the Raheja family that owned the
magazine. Do we really want to create one more authority i.e. the DPA and give
the government another instrument of coercive power? Would it not be a better
idea to vest existing sectoral regulators with the power to regulate even data
protection rather than create a new expensive behemoth?
Taking on
too many lobbies at the same time?
Last, but not
the least, is the issue of whether the legislation drafted by the expert
committee steps on too many feet, thereby risking an early death. In its
present form, the draft legislation is going to upset three powerful lobbies:
the intelligence community which has tripped earlier attempts to enact a
privacy law will oppose this draft because it curbs their ability to conduct
surveillance until authorised by law; the Silicon Valley lobby will oppose the
new draft bill because of the data localisation requirements and finally, the
bureaucracy, which will now have to rework their record keeping practices
failing which department heads will be liable for offences.
The issue
with upsetting three heavily entrenched lobbies is that the draft bill will
face so much opposition that it will never move beyond the drafting stage.
Would it not be better to have different sectoral data protection laws? In case
one lobby blocks one particular sectoral legislation the remaining sectoral
legislation can still move ahead.
Prashant
Reddy T. is an assistant professor at the National Academy of Legal Studies and
Research (NALSAR), Hyderabad where he teaches intellectual property law and
administrative law. He is co-author of Create, Copy, Disrupt: India’s
Intellectual Property Dilemmas (OUP).
.JPG)
.JPG)
