Does the current state of the Indian Data Protection Authority constitute an Independent Oversight under EU Laws? - DATA SECURE

POSTED ON APRIL 30, 2022 BY DATA SECURE

Introduction

The Joint Parliamentary Committee (hereinafter ‘the JPC’) on the Personal Data Protection Bill, 2019 (hereinafter ‘the Bill’) tabled its report (hereinafter ‘the Report’) on 16th December 2021. It included within its ambit various provisions detailing aspects such as Data Localisation, Data Mirroring and Cross-border Data Transfers. However, one of the controversial provisions was the establishment of the Data Protection Authority (hereinafter ‘DPA’) through Section 41 of the Bill. The DPA is supposed to act as an enforcement authority with the powers to impose fines, award damages, make rules etc. to enforce different provisions of the Bill. To enforce the spirit and the letter of the Bill, it is necessary that the individuals in charge of the DPA discharge their duties in a dispassionate manner. A government-independent approach is essential for adequate measures in data protection, as the government itself is one of the biggest data fiduciaries. Hence, a truly independent approach can be ensured by structuring the selection process of the members of the DPA so that government involvement is minimal. This is also extremely crucial from the perspective of cross-border data transfers from the EU, which makes ‘independent oversight’ an essential ground for determining a jurisdiction as adequate for seamless data transfers. This article discusses whether the current structure of the DPA satisfies the test of independent oversight propagated by the European Union.

Background of the European Data Protection Board:

The EDPB (European Data Protection Board) is a European Union body in charge of the GDPR as of May 25, 2018. The EDPB is made up of the head of each Data Protection Authority of the member state and of the European Data Protection Supervisor (EDPS) or their representatives. The European Commission takes part in the meetings of the EDPB without voting rights. The Secretariat of the EDPB is provided by the EDPS.

The Supervisory Authorities of the EFTA (European Free Trade Association) EEA States are also members with regard to GDPR-related matters, but without the right to vote or to be elected as chair or deputy chair.

The four EFTA EEA States are Iceland, Liechtenstein, Norway and Switzerland. 

Kindly read more about EFTA EEA at The EFTA States | European Free Trade Association

To understand the intricacies of the General Data Protection Regulation’s mandates on cross-border data transfers, one must look into the role that the European Data Protection Board plays in such transfers. The European Data Protection Board has been established through Article 68 of the General Data Protection Regulation. Since the GDPR mandates a separate Data Protection Authority in every jurisdiction within the European Union, the European Data Protection Board has been tasked with promoting cooperation between the different Data Protection Authorities within the European Union. The Article 19 Working Party was replaced by the European Data Protection Board on 25th May 2018.

Read more about the European Data Protection Board EDPB | European Data Protection Board (europa.eu)

Functions of the European Data Protection Board:

Some of the functions of the European Data Protection Board, as given by Article 70 of the General Data Protection Regulation, include:

  1. without prejudice to the functions of national supervisory agencies, monitor and oversee the correct application of the General Data Protection Regulation in the instances provided for in Articles 64 and 65;[1]
  2. issue procedures for wiping connections, copies, or replications of personal data from publicly available communication services, as referred to in Article 17(2) of the General Data Protection Regulation;[2]
  3. establish guidelines, recommendations, and best practices for the purpose of elaborating the criteria and standards for personal data transfers under Article 49(1) of the General Data Protection Regulation;[3]
  4. encourage supervisory authorities to work together and exchange information and best practices on a bilateral and multilateral basis;[4]
  5. keep a publicly accessible electronic record of supervisory authority and judicial judgements on matters handled by the consistency mechanism;[5]
  6. The EDPB will not only issue guidelines on the interpretation of core concepts of the GDPR but also be called to rule by binding decisions on disputes regarding cross-border processing, thereby ensuring uniform application of EU rules and avoiding the same case potentially being dealt with differently across various jurisdictions.

Importance and essence of Independent Oversight:

The importance of an independent DPA has been put forth by Dr Amar Patnaik, member of the JPC, when he demanded a DPA independent enough to keep the Government and its branches in check, for it is the biggest data fiduciary under the Bill. The existence of independent oversight has been termed an “Essential Guarantee” by the European Data Protection Board (hereinafter ‘the EDPB’) for adjudicating a jurisdiction’s status for qualifying as a recipient in cross-border data transfers. The EDPB also construed the independence of a Data Protection Authority as a core element of gauging proportionality of governmental interference and a part of Article 45(2) of the General Data Protection Regulation (hereinafter ‘the GDPR’). The European Court of Human Rights (hereinafter ‘the ECHR’) has held in the case of Roman Zakharov v. Russia that the manner of appointment of the members of the supervisory body needs to be taken into account when assessing independence.

[1] Article 70(1)(a), General Data Protection Regulation, 2018

[2] Article 70(1)(d), General Data Protection Regulation, 2018

[3] Article 70(1)(j), General Data Protection Regulation, 2018

[4] Article 70(1)(u), General Data Protection Regulation, 2018

[5] Article 70(1)(y), General Data Protection Regulation, 2018

Structure of the Selection Committee:

Section 42(2) of the Bill originally set out a different structure of the Selection Committee (hereinafter ‘the Committee’), which would appoint the Members and the Chairperson of the DPA. The Selection Committee was poised to be headed by the Cabinet Minister alongside the Secretary of Government of India in the Ministry in charge of Legal Affairs and the Secretary of Government of India in the Ministry in charge of Information Technology. However, the Report recommended the addition of 4 other members to this clause. The additions are:

  • the Attorney General of India;
  • an independent expert to be nominated by the Government of India from the fields of Data Protection, Information Technology, Data Management, Data Security, cyber and internet laws, public administration or related subjects;
  • Director of any IIT – appointed by the Government of India;
  • Director of any IIM – appointed by the Government of India.

Lack of Independence:

Apart from the Attorney General of India, all the members of the Selection Committee are either appointed directly by the Government of India or are bureaucratic members of the Central Government. Hence, there was criticism levied against the provision and the Selection Committee was called lopsided in favour of the Executive. This exact contention was put forth by a member of the JPC, Dr Amar Patnaik himself. Such criticism came not only from the general public but also from the Justice Srikrishna Committee. The Justice Srikrishna report recommended making the DPA a constitutional body to make it truly independent. On the contrary, Shri. P. P. Chaudhari, chairman of the JPC, defended this provision by saying “if the Government does not appoint [the DPA members] then who will [appoint]?” He also cited examples of the U.S. Supreme Court justices being an independent body despite being directly appointed through the President of America and the Senate.

The overall perception is that the Selection Committee is heavily skewed in favour of the Executive. The ECHR in the case of Iordachi and Others v. Moldova expressed its preference for a judge to be responsible for maintaining oversight. The Justice Srikrishna Committee explicitly recommended the inclusion of the Chief Justice of India or his/her nominee. Dr Amar Patnaik has also called for a committee having bipartisan legislative representation along with representatives from the judiciary, as is the case with the Information Commissions and the National Human Rights Commission. Both the aforementioned bodies are statutory bodies formed to fulfil a constitutional obligation to protect the fundamental rights of the people of India. The DPA, which is poised to be established to protect Article 21 and the Right to Privacy, should be allowed a similar level of autonomy in terms of appointment. However, despite the suggestions from notable persons, precedents and suitable circumstances, this level of autonomy in terms of appointment was denied to the DPA.

Conclusions:

The EDPB has listed reports of Parliamentary and autonomous bodies as sources to assess the adequacy of a jurisdiction. A perusal of these reports by competent authorities of the EU could lead to a negative conclusion, noting the restraint shown by the Government in including bipartisan representation and independent judicial oversight. Furthermore, the denial of the same amount of appointment-based autonomy to the DPA as the NHRC, Central Vigilance Commission and the Information Commissions could indicate a lower level of importance given to data protection by the Indian authorities. Hence, considering the current ECHR precedents and the standard of Data Protection provided by the GDPR, it seems unlikely that the DPA could be considered independent enough for the EU authorities to consider it as adequate protection against governmental interference. The Indian Authorities might have to resort to initiating the development of a data sharing mechanism with the EU for seamless data transfers.

Inspiration could be taken from the French Data Protection Authority (CNIL), where amongst the 18 members of the DPA, only 12 are elected or designated by the national authorities and courts to which they belong (i.e. Senate, National Parliament, Economic and Social Committee, Supreme Civil and Administrative Courts, Court of Auditors and the Commission of Access to Administrative Documents). The CNIL’s president can freely recruit its other staff. This level of autonomy has been considered to be independent enough in the eyes of the GDPR. Perhaps such an appointment mechanism can be implemented in India in due course.

Source: GDPR General Data Protection Regulation – DATA SECURE

Source: UK Data Protection Act 2018 – DATA SECURE

Source: European Data Protection Board EDPB | European Data Protection Board (europa.eu)
