The Personal Data Protection Bill introduced in the Parliament on December 11 provides a framework to regulate the processing of personal data in India. It gives certain grounds for processing personal data along with obligations on those processing it. It creates and empowers a data protection authority to do the regulation. The success of such a law depends on how its purview is defined and how well it is implemented.
On purview, the Bill gives the government considerable discretion, on vaguely defined grounds, to exempt its agencies by issuing an order. Since the government processes a lot of personal data, the risks to data privacy from the government are no less than those from private firms. The law must limit the grounds, set suitable procedures, and ensure proportionality for the exemptions for government agencies.
But taming the Leviathan is just one challenge. Since this law also considerably expands the State’s regulatory powers, it is crucial to ensure its proper implementation. There are serious challenges relating to complexity, constraints, and the politics of implementation.
This will be a complex law. The goals of the law are varied. In banking regulation, the goals are common for all similarly placed consumers. In data protection, each person will choose processing of their data depending on their preferences, and the data protection authority will need to ensure this choice is implemented. Data protection regulation focuses on the means, and not on the ends. Further, since a lot of personal data is created in interaction, it is difficult to say who should have control over which data.
The subjective nature of the goals and the need for defining control on an ongoing basis make this a very discretionary form of regulation, not amenable to the application of simple rules. This also means that the outcomes of regulation cannot be easily measured for a general assessment of performance.
The scale of implementation will also be challenging. The law applies to anyone processing personal data using “equipment capable of operating automatically in response to instructions”. So, even a retailer storing computerised records of customers may be covered. The Indian economy has a large number of small enterprises. Add to that the large scale of data usage – the highest use of smartphones in the world. The scale will keep growing as data usage grows.
Protecting personal data requires prudence from consumers. So far, consumer behaviour does not give one much confidence that they are willing to exercise prudence. People use applications of unknown antecedents simply because they are free. They use a lot more data simply because it is cheap. When data is cheap, privacy is expensive. Perhaps these norms will change, but until then, the authority will have the challenge of protecting personal data in a context of insufficient consumer prudence.
Given these challenges, the authority will have to prioritise, perhaps by focusing on sensitive personal data, large firms, and the government. However, the authority’s choices will be shaped by its politics. Regulatory agencies are creatures of the politics that midwifed them and the politics that shapes them. As political scientist James Wilson noted long ago, the essential question in the politics of regulation is: who bears the costs and who gets the benefits?
The costs of this law are likely to be concentrated in large data companies, and if it is properly applied, on government agencies. The benefits will be dispersed among many individuals. This distribution of costs and benefits usually does not bode well for effective regulation. This law was made possible by a particular political moment. Judicial activism in the Puttaswamy judgment on the right to privacy essentially forced the government to come up with a law. Civil society activism may also have played a role.
The agencies that come out of such activism can easily lose their sense of mission after the “marching stops” and the activists move to other causes they find meaningful. Sustained engagement with the functioning of a bureaucratic agency does not have the same excitement as demanding a new law.
There are at least two ways in which things can go wrong. The authority may fall to industry capture. Once the law is made, the incumbents may focus on capturing it to impose costs on new entrants in their sectors. Another possibility is that the legal powers are used for purposes other than envisaged. State power is somewhat fungible. Power given for one purpose can sometimes be redirected for another purpose. The data protection authority will have powers to monitor the digital economy. This power can be misused for political purposes or for rent-seeking by the regulators.
The Bill does not have adequate checks and balances to guard against these potentialities. The authority’s board is not proposed to have independent members. Transparency of regulation-making processes is not mandated. Regulatory impact assessments have also not been mandated. It is crucial that the Parliament changes the Bill to improve the accountability mechanisms. Civil society groups and academics will also need to do continuous public advocacy.
The law is only the first step, and there is only so much a law can do. But it is essential that we get the first step right. The long journey towards reasonable data protection remains.
Suyash Rai is a fellow at Carnegie India. The views expressed are personal