Data protection bill: The problem isn’t just the proposed law – it is also who will enforce it

The draft legislation and report of the Justice BN Srikrishna-led Committee of Experts on Data Protection, released by the government on Friday, lays down a fairly elaborate legal regime for protecting the privacy of Indian citizens vis-à-vis the government and private players. It, however, delegates significant power to the proposed Data Protection Authority and Central government to make rules and regulations that would have an impact on how the proposed framework works in practice. Section 107 of the draft bill gives the Centre 30 rule-making powers while Section 108 gives the authority another 30 regulation-making powers.

Such a delegation of powers is not unique for contemporary Indian legislation. The bureaucracy that drafts most legislation likes retaining as much power as possible and they do so by drafting skeletal legislation, which when enacted into law by Parliament delegates significant powers back to the government. Legally speaking, Parliament cannot delegate “essential legislative functions” to the executive because law-making powers lie solely with the elected representatives of the people. In theory, this should mean that Parliament limits its delegation to simple procedural matters while retaining substantive law-making powers for itself. For example, a procedural matter could be the format of a form that has to be filed to get a service from the government, while a substantive legal issue is the right of citizens to access a service and possible exceptions to that right.

In practice, however, Parliament ends up delegating substantial power to both the government and statutory regulators. Whether it is net neutrality, or the Finance Act, 2017, that delegates powers on tribunal appointments, or the Anti-Profiteering Rules, 2017, under the Goods and Services Act, it is the executive and not Parliament that is creating the law because Parliament has delegated its power to the executive and its regulators.

While most such delegation – including in the proposed Data Protection Bill, 2018 – is likely to be held as constitutional by the courts, its increasing width is troubling because constitutional democracies are premised on the legislature making the law, not the executive. Protests this month against the proposed RTI (Amendment) Bill, 2018, are a manifestation of such concern: the government wants to shift the provisions governing the tenure and salary of information commissioners from the main legislation to the rules. This means that it can, in the future, change these rules without Parliament’s approval. This has made right to information activists nervous. While public protests can stall parliamentary proceedings, it is tougher to stop the Central government from amending rules.

The other side of the coin is that such delegation increases administrative efficiency because government can change rules faster than Parliament and that has its benefits. The challenge is in drawing the right balance between administrative efficiency and the ever-present fear of the executive appropriating too much power.

Question of independence, accessibility

In the case of the proposed Data Protection Bill, some amount of delegation to the government and the Data Protection Authority is obviously necessary. For example, Section 107 (g) to Section 107 (o) delegates to the Centre the power to draft rules to govern the manner and frequency with which the proposed Data Protection Authority meets, submits its returns to the government, among others. These are purely procedural matters that may be delegated to the government.

But some of the other provisions delegating legislative powers need a relook. For example, Section 107 (u) to Section 107 (dd) delegates to the Centre the power to make regulations dealing with qualification criteria, appointment and removal procedures, salaries for adjudicators and the appellate tribunal – which are both key components of the draft legislation. The adjudicators are tasked with hearing complaints and disputes regarding breach of obligations under the legislation. All appeals against their decisions are, in turn, to be heard by the tribunal. While the legislation does require the government to draft the rules in a manner that ensures the independence of the adjudicators and tribunal, to expect the Centre to do so is a tall order. I say this because the Central government, over the last few decades, has shown a tendency to appropriate more power over judicial tribunals. This is not surprising – the executive arms of all countries try to take more power for themselves. But it is the duty of democracy and constitutionalism to keep the executive in check. We are not doing a very good job of it in India. Last year, the Finance Act shifted the powers to appoint, remove and fix the salaries of judges on 19 tribunals from existing parliamentary statutes to rules that could be drafted and amended by the government under the Act. The constitutional validity of this law and the subsequent rules drafted under it have been challenged in the Supreme Court for many reasons, one of which is that the process to remove judges from tribunals can be initiated by the ministries whose decisions are to be reviewed by the tribunals. There is a high likelihood those rules will be struck down.

Apart from independence of adjudicators and tribunals, there is also the question of accessibility. By delegating to the government the power to fix the number of adjudicators and tribunals and their seat of hearing, the bill implicitly gives the government the power to control access to the adjudicators and tribunals. This can have implications for access to justice. For example, the creation of the National Green Tribunal severely shrunk access to environmental justice because of the simple fact that the tribunal is limited to five cities in the entire country. A possible way to avoid such a situation in the context of the Data Protection Authority is to avoid the creation of a new judicial system under it and instead harness the existing system of civil or consumer courts to adjudicate disputes under the authority. The proposed data protection law is not rocket science since most of it deals with subjects like contract law or harm or calculation of damages, none of which are new concepts to civil or consumer courts.

Very often the debate on new laws and rights in India misses the woods for the trees – we spend all our time debating new rights and liabilities without concentrating on the logistics and independence of the enforcement and adjudication mechanism. It would be in everybody’s interest to focus on these while debating the new data protection legislation.

Prashant Reddy T is an assistant professor at the National Academy of Legal Studies and Research, Hyderabad, where he teaches intellectual property law and administrative law. He is co-author of Create, Copy, Disrupt: India’s Intellectual Property Dilemmas (OUP).