Scroll.in: New Delhi: Wednesday, August 01, 2018.
The draft
legislation and report of the Justice BN Srikrishna-led Committee of Experts on
Data Protection, released by the government on Friday, lays down a fairly
elaborate legal regime for protecting the privacy of Indian citizens vis-à-vis
the government and private players. It, however, delegates significant power to
the proposed Data Protection Authority and Central government to make rules and
regulations that would have an impact on how the proposed framework works in
practice. Section 107 of the draft bill gives the Centre 30 rule-making powers
while Section 108 gives the authority another 30 regulation-making powers.
Such a
delegation of powers is not unique for contemporary Indian legislation. The
bureaucracy that drafts most legislation likes retaining as much power as
possible and they do so by drafting skeletal legislation, which when enacted
into law by Parliament delegates significant powers back to the government.
Legally speaking, Parliament cannot delegate “essential legislative functions”
to the executive because law-making powers lie solely with the elected
representatives of the people. In theory, this should mean that Parliament
limits its delegation to simple procedural matters while retaining substantive
law-making powers for itself. For example, a procedural matter could be the
format of a form that has to be filed to get a service from the government,
while a substantive legal issue is the right of citizens to access a service
and possible exceptions to that right.
In practice,
however, Parliament ends up delegating substantial power to both the government
and statutory regulators. Whether it is net neutrality, or the Finance Act,
2017, that delegates powers on tribunal appointments, or the Anti-Profiteering
Rules, 2017, under the Goods and Services Act, it is the executive and not
Parliament that is creating the law because Parliament has delegated its power
to the executive and its regulators.
While most
such delegation including in the proposed Data Protection Bill, 2018 is likely
to be held as constitutional by the courts, its increasing width is troubling
because constitutional democracies are premised on the legislature making the
law, not the executive. Protests this month against the proposed RTI
(Amendment) Bill, 2018, are a manifestation of such concern: the government
wants to shift the provisions governing the tenure and salary of information
commissioners from the main legislation to the rules. This means that it can, in
the future, change these rules without Parliament’s approval. This has made
right to information activists nervous. While public protests can stall
parliamentary proceedings, it is tougher to stop the Central government from
amending rules.
The other
side of the coin is that such delegation increases administrative efficiency
because government can change rules faster than Parliament and that has its
benefits. The challenge is in drawing the right balance between administrative
efficiency and the ever-present fear of the executive appropriating too much
power.
Question
of independence, accessibility
In the case
of the proposed Data Protection Bill, some amount of delegation to the
government and the Data Protection Authority is obviously necessary. For
example, Section 107 (g) to Section 107 (o) delegates to the Centre the power
to draft rules to govern the manner and frequency with which the proposed Data
Protection Authority meets, submits its returns to the government, among
others. These are purely procedural matters that may be delegated to the
government.
But some of
the other provisions delegating legislative powers need a relook. For example,
Section 107 (u) to Section 107 (dd) delegates to the Centre the power to make
regulations dealing with qualification criteria, appointment and removal
procedures, salaries for adjudicators and the appellate tribunal which are both
key components of the draft legislation. The adjudicators are tasked with
hearing complaints and disputes regarding breach of obligations under the
legislation. All appeals against their decisions are, in turn, to be heard by
the tribunal. While the legislation does require the government to draft the
rules in a manner that ensures the independence of the adjudicators and
tribunal, to expect the Centre to do so is a tall order. I say this because the
Central government, over the last few decades, has shown a tendency to
appropriate more power over judicial tribunals. This is not surprising – the
executive arms of all countries try to take more power for themselves. But it
is the duty of democracy and constitutionalism to keep the executive in check.
We are not doing a very good job of it in India. Last year, the Finance Act
shifted the powers to appoint, remove and fix the salaries of judges on 19
tribunals from existing parliamentary statutes to rules that could be drafted
and amended by the government under the Act. The constitutional validity of
this law and the subsequent rules drafted under it have been challenged in the
Supreme Court for many reasons, one of which is that the process to remove
judges from tribunals can be initiated by the ministries whose decisions are to
be reviewed by the tribunals. There is a high likelihood those rules will be struck
down.
Apart from
independence of adjudicators and tribunals, there is also the question of
accessibility. By delegating to the government the power to fix the number of
adjudicators and tribunals and their seat of hearing, the bill implicitly gives
the government the power to control access to the adjudicators and tribunals.
This can have implications for access to justice. For example, the creation of
the National Green Tribunal severely shrunk access to environmental justice
because of the simple fact that the tribunal is limited to five cities in the
entire country. A possible way to avoid such a situation in the context of the
Data Protection Authority is to avoid the creation of a new judicial system
under it and instead harness the existing system of civil or consumer courts to
adjudicate disputes under the authority. The proposed data protection law is
not rocket science since most of it deals with subjects like contract law or
harm or calculation of damages, none of which are new concepts to civil or
consumer courts.
Very often
the debate on new laws and rights in India misses the woods for the trees we
spend all our time debating new rights and liabilities without concentrating on
the logistics and independence of the enforcement and adjudication mechanism.
It would be in everybody’s interest to focus on these while debating the new
data protection legislation.
Prashant
Reddy T is an assistant professor at the National Academy of Legal Studies and
Research, Hyderabad, where he teaches intellectual property law and
administrative law. He is co-author of Create, Copy, Disrupt: India’s
Intellectual Property Dilemmas (OUP).
.JPG)
.JPG)
