The way forward for India's Data Protection Board 

The proposed Data Protection Board (DPB) within the Digital Personal Data Protection Bill 2022 (DPDPB 2022) will be the cornerstone of India’s data governance endeavours. It will function as the independent supervisory and adjudicatory authority for all relevant stakeholders, including the government. In its present form, questions about its independence, inter-regulatory coordination, and capacity are being raised due to certain foundational and structural issues.

The selection process for Data Protection Board, as prescribed in DPDPB 2022, is executive-driven; the Central Government will select the chairperson and members of the DPB. This is a matter of concern as the government may soon be one of the biggest data fiduciaries in India, keeping in mind the government’s aggressive push towards adopting digital measures. Therefore, the selection procedure for members and chairpersons of the DPB should be independent. To achieve this, the bill must provide that the President of India appoints the DPB’s members and chairperson, as followed in many jurisdictions like Brazil and France, as per the advice of the selection committee. As the independence of authority partially depends upon the selection committee, it is important to have a combination of the judiciary, executive, and legislative within the committee to ensure independence.

As per clause 19(2), the Centre will prescribe the strength and composition of the board, as well as the terms and conditions of the appointment and service of its chairperson and other members. However, it is critical to ensure that the lack of pluralistic and diverse representation from previous versions of the bill does not linger in the subordinate legislation on DPB compositions made under the bill. It must have diversity and technical experts on its board to deliver a wide range of functions, from compliance management to adjudication. In terms of members, a prescription for non-executive members to be part of the board would be crucial. Regulators in India and globally have non-executive members to provide nonpartisan inputs and oversight in the functioning of a DPB. In the absence of part-time members, the board could be precluded from the opportunity to involve experts.

Several provisions of the DPDPB 2022 bestow wide-ranging discretionary powers on the government to make rules and regulations consistent with the bill. While introducing the rules made under this bill with both houses of parliament is a welcome move, ensuring the agility of rulemaking is important as technological developments move rapidly. Therefore, the central government should involve the DPB in the process to make rule-making participatory in nature and involves stakeholders.

A feedback mechanism based on an analysis of the prevalence of complaints received by the DPB is one way of identifying gaps in current regulations and making the regulatory response proactive, a practice prevalent in the US. Once complaints are audited and data patterns emerge, newer technologies can be studied, recurring problems can be addressed, and any blockages in redressal mechanisms can be eased.

Many regulatory bodies are mandated by statute to include consultations in the process of rule-making. For instance, the Telecom Regulatory Authority of India (TRAI) and the Airports Economic Regulatory Authority of India are bodies mandated to conduct consultative processes. They diligently engage with the stakeholders through the consultation process, automate citizen feedback procedures, and dedicate time for notice and comment periods. DPDPB 2022 must include some of these best practices.

The DPDPB 2022 is not India’s first effort to regulate personal data. There are various laws and regulations that directly or indirectly apply to the handling of personal data in India. Given that DPDPB 2022 will prevail over other existing and proposed laws in case of inconsistency, this jurisdictional precedence is easier said than implemented in the Indian regulatory landscape.

To fully reap the benefits of some of the progressive measures suggested in the DPDPB 2022, it is important to harmonise legal frameworks and build coordination in implementing them. However, the removal of provisions related to striking an MoU across regulators from DPDPB 2022 for establishing inter-regulatory coordination is concerning.

It would be essential to bring back provisions for striking MoUs and to spell out the elements of the same within the DPDPB 2022. Besides, to enhance coordination and cooperation, it would be worth considering interlocking directorates where representatives from one regulator (including a ministry or department) sit on the boards of other regulators with connected mandates.

Alternatively, there is merit in setting up a formal body that would focus on building a unified understanding of data protection laws and encourage regulatory coordination.

(Shekar is Programme Manager and Rizvi is Founder, The Dialogue, a public policy think tank)