
Wednesday, April 14, 2021

Online dispute resolution in India: Looking beyond the window of opportunity

by Rashika Narain and Smriti Parsheera.

Online dispute resolution (ODR) refers to the use of electronic communications and other information and communication technology for dispute resolution (UNCITRAL, 2016). Its objective is to bring the gains of efficiency, reach, cost-effectiveness, and convenience that technology has brought to so many sectors into the domains of redress, resolution and justice delivery. Some of the use cases of ODR include internal dispute management systems of businesses, electronic forms of alternative dispute resolution (often referred to as e-ADR), and operation of online courts.

India has seen a spate of recent developments in this space. There has been a rise in the number of ODR startups and businesses that are willing to experiment with ODR as an alternative to the traditional forms of dispute resolution. On the institutional side, COVID-19 induced pressures forced courts and Lok Adalats to switch to an online mode, the Reserve Bank of India directed payment systems operators to adopt ODR for failed payment disputes and the NITI Aayog put out a draft ODR Policy Plan.

Collectively, these developments signal the intersection of the problem, policy and politics streams to create a window of opportunity (Kingdon, 2013) for ODR in India. However, alongside the many benefits and opportunities of ODR lie a few areas of caution. First, the push toward ODR should account for the country's narrowing yet persistent digital divide. ODR solutions must, therefore, be designed in a manner that avoids extending digital exclusions into the domains of justice delivery and redress. Second, the immediate focus needs to be on building trust in the ODR sector through an emphasis on competence, accountability, equity, and transparency. These priorities should emerge from within the ODR ecosystem rather than being imposed through external forces. Lastly, the ecosystem should remain wary of any kind of central planning, particularly in terms of technical design. While controlled technical standardisation may seem attractive for initial adoption, it could result in the locking in of specific technologies and standards in the long run.

In this article we describe the meaning and evolution of ODR, explain the state of adoption in India, and introduce the Handbook on Online Dispute Resolution (ODR Handbook, 2021) created by a group of nine institutions that was recently launched by Justice D.Y. Chandrachud at a virtual event. The Handbook serves as an invitation to businesses to adopt and mainstream ODR solutions in India. While sharing the optimism generated by recent advancements in this space, we emphasise certain areas of caution and desirable practices for ODR to succeed beyond the current window of opportunity.

What is ODR?

ODR refers to the use of technology for enabling more accessible and efficient dispute resolution. Its genesis is often traced to the growth of Internet-based businesses and the resulting search for mechanisms to deal with online disputes and their accompanying jurisdictional uncertainties (Katsh, 2012). eBay and its payments arm PayPal are recognised to be among the early adopters of tech-enabled solutions for resolving cases arising on their platform (Rule, 2008). Similar tech-mediated systems for grievance redress are now commonplace across online businesses. Examples include the order returns management policies of e-commerce companies, feedback mechanisms of ride hailing companies and content reporting systems of social media firms. Beyond grievance management, e-ADR processes like mediation and arbitration are another popular use case.

The factors responsible for the growth of ODR include its efficiency, reach, cost-effectiveness, and the ability to improve business intelligence through data about dispute management. The possibility of asynchronous communication in many ODR models, which allows parties to respond at their own convenience, is another significant draw. Globally, ODR's reach has expanded to a range of sectors, such as property matters, family settlements, domain name disputes and financial matters (Kinhal et al, 2020). Further, tech solutions have also permeated into different layers of the dispute management process. For instance, negotiation tools like Cybersettle guide parties in making financial settlement bids and communication tools like Our Family Wizard are being used by courts to monitor parental custody settlements.

There are also many cases of institutional adoption of ODR in the public justice delivery system. Notable examples include Canada's British Columbia Civil Resolution Tribunal that uses ODR to handle condominium property claims, small claims, and motor vehicle injury cases, Hong Kong's ODR scheme for COVID-19 related cases, Mexico's Concilianet platform for consumer dispute resolution, and various small value claims courts in the United States (NITI Aayog, 2020).

State of play in India

The ODR industry in India has seen significant movement in the last few years although it still remains in the early stages of development. As per the ODR Handbook, the number of ODR start-ups has grown from 3 in 2018 to 13 by mid 2020. This includes operators like Presolv360, Centre for Online Resolution of Disputes (CORD) and SAMA that are directly involved in delivering online arbitration and mediation services as well as platforms like CREK ODR and Resolve Disputes Online that specialise in offering technology solutions to others.

A pilot project initiated by ICICI Bank in collaboration with SAMA presents one of the early examples of ODR adoption in India. As per the ODR Handbook, this mechanism was used for the resolution of 200 loan repayment related disputes before the introduction of the COVID-19 related loan moratorium. This reportedly led to significant cost and time savings for the bank -- its resolution effort went down from six person-days per case to only half a day (ODR Handbook, p. 61). In another example, SAMA recently organised an e-conciliation camp, called Suljhav Manch, which saw participation from companies like Udaan, Snapdeal and ICICI Housing Finance. An aggregate of over 8,000 loan and customer disputes were recorded for online resolution, of which 1,860 disputes have already been settled.

The COVID-19 situation has also created an impetus for institutional adoption through online filings, electronic court hearings and organisation of e-Lok Adalats in several states (Nair, 2020). Further, in line with RBI's directions for adoption of ODR by payment operators, the National Payments Corporation of India (NPCI) recently went live with its online resolution system for BHIM UPI app users. Others in the payment space are expected to shortly follow suit. The Income Tax Department has also introduced a Faceless Assessment Scheme that is meant to offer greater convenience and transparency in the assessment process.

In another interesting development, last year, the Supreme Court declared that the sole appointment of an arbitrator by a party interested in the dispute would be unlawful, even if previously agreed by the parties (Mehta et al, 2020). This may shift the standard practice of consumer facing companies appointing arbitrators en masse for low value, high volume disputes in favour of the incorporation of ODR clauses in commercial agreements.

Some areas of caution

While the developments above are cited as victories for ODR, the long term trajectory of tech-enabled dispute resolution will depend on a number of factors. First, there is the reality of India's digital divide, which spans across issues of connectivity, device ownership, digital literacy and skills, and social norms. A combination of these factors ends up generating varying levels of digital adoption across demographic groups. While sectors such as digital payments and e-commerce, which cater to an already digital population, are more conducive for ODR adoption, a broader policy push towards mandatory ODR could end up disenfranchising several sections of the population. For instance, the Tax Department's faceless assessment scheme has drawn criticism for the lack of opportunity for individuals to explain their case in person and limitations in technical skills and infrastructural facilities required to comply with the online processes (Chatterji, 2020).

Possible ways to minimise the harms of digital exclusion include keeping ODR adoption voluntary in most circumstances, investing in training and capacity building of intended users, and allowing them to opt for a combination of online and offline interactions. The emergence of a hybrid model where an intermediary can step in to facilitate the engagement between the parties and the technological requirements of the ODR system is another interesting solution. This is illustrated in the work being done by the Aajeevika Bureau to help migrant workers claim unpaid compensation from employers using an ODR process (ODR Handbook, p. 71-72).

Second, there is also the question of how to build trust in the ODR ecosystem in order to facilitate its adoption by businesses and individuals. There are some who argue that a certain level of government intervention and control is a necessary part of trust building (Schulz, 2004) while others have discussed interventions such as increasing knowledge about the process, certification of neutrals, and the existence of a code of ethics as mechanisms to bolster trust (Abedi et al, 2019). This points to the need for a discussion on the role of voluntary codes of conduct in building trust in ODR systems. We discuss this in the next section.

The third area of caution would be to avoid the creation of monolithic technical architectures in the ODR space. All too often in India, there is a temptation to create a state-mandated monopoly in a field, with government controlled technological standards (e.g. the Unified Payments Interface (UPI)) and a government controlled monopoly vendor (e.g. the NPCI). The NITI Aayog's draft report suggests a similar path for the ODR sector. It makes a case for the government's role in developing a 'scalable platform using technology' that will allow for the development of private sector services relying on government-led free and open source software (NITI Aayog, 2020, p. 96-97).

This is a less efficient path for several reasons. Government-mandated engineering designs tend to stagnate over time, and fall out of touch with the requirements of the people and of the technological possibilities. India is highly heterogeneous, and even if an efficient state-run planning process is able to emerge with a sound design for a modal use case, that may only cover a small fraction of the situations in the field. Further, despite being labeled as 'open', such solutions are often designed in a closed environment, with consultations being used as a tool for information dissemination rather than technical collaboration.

Providers and adopters of ODR have the incentives to understand opportunities, customer needs, and figure out innovative solutions. It would, therefore, be more efficient to allow a diverse set of actors to develop technology, protocols and standards in this space. Notably, ODR initiatives would also be bound by existing legal frameworks, such as the rights to data access and portability proposed under the draft Personal Data Protection Bill, 2019 and the safeguards available under competition law. Accordingly, government-backed technical standards are neither the only, nor the most efficient, path to achieving data access, portability, interoperability, and empowerment in this field.

A voluntary code for the ODR ecosystem

While resisting the push for government-backed standards and protocols, we recognise that a sound governance framework could be one of the ways to engender trust in the ODR ecosystem. There are several examples of non-binding ODR principles that have emerged globally. For instance, the International Council for Online Dispute Resolution (ICODR) is a US-based non profit that has put out a set of open standards on ODR. This includes requirements that the ODR programs must be accessible, accountable, competent, confidential, equal, neutral and impartial, legal, secure and transparent. Similar standards and guidelines have also been put out by other institutions such as the UNCITRAL's Technical Notes on ODR and the National Center for Technology and Dispute Resolution's Ethical Principles for ODR. The overlap in the principles outlined in these documents indicates a convergence of ideas on the basic requirements of a well functioning ODR system. Many ODR providers in India have also voluntarily adopted different international standards.

Given the current stage of development of India's ODR system, having mandatory standards or strict legal requirements could impede innovation and create entry barriers (ODR Handbook, p. 51). However, this does not preclude the adoption of voluntary codes of conduct that are developed and operationalised by ODR players themselves. This could be done by having a basic set of good practices (see table below for the principles suggested in the ODR Handbook) that may be agreed to among the service providers in an open, inclusive and collaborative manner. Further, voluntary mechanisms such as peer review, ratings and accreditations can be used to verify the extent to which each platform is complying with these principles.


| Principle | Description |
|---|---|
| Accessibility | Ensuring ODR platforms can be used across devices and by different demographic groups, accounting for the diversity of Indian languages and the ability to engage with technology. |
| Competence and neutrality | Neutrals should possess substantive knowledge and understanding of processes and must be free of conflicts of interest. |
| Accountability and fairness | Adherence to due process standards. Remain mindful of the possibility of unequal bargaining powers between parties. |
| Information and transparency | Proactive disclosure of conflict of interest, risks, and benefits to enable informed consent. Anonymised data on ODR trends and statistics can help in building trust. |
| Confidentiality and robust data security | Adherence to data protection norms, including safe storage and established protocols to deal with breaches, cyber attacks, and disasters. |

Besides such voluntary adoption, providers of e-ADR are also bound by the existing laws and principles applicable to ADR processes. However, in many cases, these principles might need to be reframed to account for the impact of technology on ADR processes and the responsibility of ODR platforms and third-party neutrals conducting the mediation or arbitration processes (Rainey, 2014). For instance, use of the online medium might impose additional requirements of how confidentiality in mediation needs to be enforced in practice. This is because the mediator's ability to ensure confidentiality in ODR depends both on their own conduct as well as the design of the ODR platform. The ODR principle for confidentiality must, therefore, account for appropriate technical standards to ensure that the information transmitted on the platform remains confidential and secure. The practitioner also bears the responsibility to convey the risks of online communications to the parties (Rainey, 2014).

Conclusion

Developments in the past year or two have opened a window of opportunity for the adoption of ODR systems in India. As policymakers and private actors start warming up to the benefits of tech-enabled dispute resolution, the immediate goal should be to demonstrate capacity and build trust in ODR systems. This includes the realisation that not all sectors and user groups are equally equipped to immediately transition to ODR. Any kind of mandatory adoption should, therefore, be carefully considered so as to avoid extending digital exclusions into the domains of justice delivery and redress. An emphasis on hybrid models of ODR, both in terms of the choice between offline and online interactions and emergence of intermediaries who can help users in bridging the technological gap, would be useful.

Creating digital trust requires a framework that incorporates accountability, equity, ethics and auditability in its functioning. Thus, another priority at this stage should be to pursue the adoption of a voluntary code of conduct that is conducive to building trust in the ecosystem. Such a code of conduct should emerge, and be implemented, from within the ODR ecosystem rather than being enforced through State coercion. In addition to concerns of stifling innovation through over-regulation, it is also important to avoid excessive central planning in the technical design of ODR systems. This could result in the locking in of specific technologies and standards, hampering the long term prospects of the ODR sector.

References

Chatterji, 2020: B.M. Chatterji, Faceless Assessment: Concerns & Recommendations for Seamless Digital Integration, Tax Guru, 28 November 2020.

Katsh, 2012: Ethan Katsh, ODR: A Look at History, Online Dispute Resolution: Theory and Practice, Mohamed Abdel Wahab, Ethan Katsh & Daniel Rainey (Eds.), Eleven International Publishing, 2012.

Kelkar & Shah, 2019: Vijay Kelkar and Ajay Shah, In service of the republic: The art and science of economic policy, Penguin Allen Lane, 2019.

Kingdon, 2013: John W. Kingdon, Agendas, Alternatives and Public Policies. 2nd ed., Pearson, 2013.

Kinhal et al, 2020: Deepika Kinhal, Tarika Jain, Vaidehi Misra & Aditya Ranjan, ODR: The Future of Dispute Resolution in India, Vidhi Centre for Legal Policy, July 2020.

Lederer, 2018: Nadine Lederer, The UNCITRAL Technical Notes on Online Dispute Resolution - Paper Tiger or Game Changer?, Kluwer Arbitration Blog, January 2018.

Mehta et al, 2020: Ankoosh Mehta, Maitrayi Jain & Anushka Shah, SC refuses unilateral appointment of single arbitrator, Indian Corporate Law, A Cyril Amarchand Mangaldas Blog, May 2020.

Nair, 2020: Ria Nair, E-Lok Adalats In India, August, 2020.

NITI Aayog, 2020: The NITI Aayog Expert Committee on ODR, Designing the Future of Dispute Resolution: The ODR Policy Plan for India, October, 2020.

ODR Handbook, 2021: NITI Aayog, Agami, Omidyar Network India, Ashoka, ICICI Bank, Trilegal, Dalberg, Dvara Research, NIPFP and Cracker & Rush, Online Dispute Resolution: Shifting from Disputes to Resolutions, April, 2021.

Rainey, 2014: Daniel Rainey, Third-Party Ethics in the Age of the Fourth Party, 2014.

Rule, 2008: Colin Rule, Making Peace on eBay: Resolving Disputes in the World's Largest Marketplace, ACResolution Magazine, Fall 2008.

Schulz, 2004: Thomas Schulz, Does Online Dispute Resolution Need Governmental Intervention - The Case for Architectures of Control and Trust, 6 N.C.J.L. & Tech. 71 (2004).

UNCITRAL, 2016: UNCITRAL Technical Notes on Online Dispute Resolution, 2016.


Rashika Narain is a lawyer and mediator associated with SAMA and the Centre for Mediation and Arbitration, Mumbai. Smriti Parsheera is a Fellow with the CyberBRICS Project and was previously a researcher with the National Institute of Public Finance & Policy (NIPFP). NIPFP was one of the contributors to the ODR Handbook. The authors would like to thank Vimal Balasubramaniam, Keerthana Medarametla, Renuka Sane and Ajay Shah for valuable inputs.

Friday, April 10, 2020

Comments on the draft Personal Data Protection Bill, 2019: Part II

by Rishab Bailey, Vrinda Bhandari, Smriti Parsheera and Faiza Rahman.

In our previous post, we had discussed some of the concerns arising out of the draft Personal Data Protection Bill, 2019 (the "Bill"), focusing on how the State-citizen relationship is dealt with under the Bill. We examined the provisions granting wide ranging exemptions to the State for surveillance and law enforcement purposes, as well as the problems in the design and functioning of the proposed Data Protection Authority of India (the "DPA"). In this post, we extend our analysis to discuss certain other issues with the Bill, including the provisions on data localisation, processing of children's data, implementation of privacy by design and regulatory sandbox, inclusion of non-personal data, the employment exception, and the research exemption. We argue that these provisions need to be amended in order to provide more effective safeguards for the privacy of individuals.

Cross Border Data Transfer (Data Localisation)

One of the most contentious issues in the drafting of India's privacy law has been the issue of data localisation, or in other words, the nature and scope of restrictions that should be applied to cross-border data transfers.

Section 33 of the Bill enables the transfer of personal data outside India by imposing transfer restrictions on two sub-categories of personal data. The first sub-category consists of sensitive personal data, such as financial data, health data, sexual orientation data, biometric data, etc., that has to be mirrored in the country, i.e. a copy of such data will have to be kept in India. The second sub-category consists of critical personal data (which has not been defined in the Bill), and which is barred from being transferred outside India. The constituents of this sub-category have not been identified in the Bill and are left to be notified by the Government at a subsequent stage. While imposing these restrictions, the Bill also specifies (in Section 34) a list of conditions that can enable a cross-border data transfer to take place. This includes determination of the adequacy of the laws of another country by the Government or requirements for data processing entities to put in place intra-group schemes or contracts to ensure appropriate standards for the protection of Indian data sent outside the country.

These provisions are significantly more liberal than those proposed in the 2018 version of the draft Data Protection Bill released by the Justice Srikrishna Committee ("PDP Bill, 2018"). The PDP Bill, 2018, required both personal and sensitive personal data to be mirrored in the country, subject to different conditions and exemptions. These provisions attracted significant criticism -- from dissenting members of the Srikrishna Committee, to technology companies (particularly multinationals), as well as sections of civil society (Basu et al., 2019). We had also argued in our submissions on the PDP Bill, 2018 that these restrictions were overly broad and that the costs of strict localisation measures may outweigh any possible gains.

The move to liberalise these provisions will undoubtedly be welcomed by many stakeholders. The less stringent provisions of the Bill imply that costs to business may be limited, and users will have greater flexibility in choosing where to store their data. Prima facie the Bill appears to reflect a more proportionate approach to the issue, thereby bringing it within the framework of the Puttaswamy tests of proportionality and necessity (Bhandari et al., 2017). This is achieved by implementing a sliding scale of obligations, ostensibly based on the sensitivity or vulnerability of the data -- "critical personal data", being the most vulnerable category, is required to be localised completely; while "personal data" being the broadest category, can be freely taken out of the country. The obligations with respect to "sensitive personal data" lie in between these two.

However, we believe that even the revised provisions of the Bill may not withstand the test of proportionality.

As explained by us previously on this blog, there are broadly three sets of arguments that are advanced in favour of imposing stringent data localisation norms (Bailey and Parsheera, 2018):

  1. Sovereignty and Government functions: Referring to the use of data as a resource to be used to further India's strategic and national interests, to enable the enforcement of Indian laws and discharge of other state functions.
  2. Economic benefits: The second claim is that economic benefits will accrue to local industry in terms of creating local infrastructure, employment and aiding development of the artificial intelligence ecosystem.
  3. Civil liberties: The third argument is that local hosting of data will enhance its privacy and security by ensuring Indian law applies to the data and users can access local remedies. It will also protect (Indian) data from foreign surveillance.

If the Bill was localising data for the first two purposes, it would have required that local copies be retained of all the categories of personal data, as was the case with the previous draft of the law. On the other hand, if privacy protection is the main consideration, as it now appears given the changes from the PDP Bill, 2018, and the fact that vulnerability or sensitivity of the data is the differentiating factor in terms of the obligations being imposed, we believe that the aims of this provision can be equally achieved through less intrusive, suitable and equally effective measures. This includes requirements for contractual conditions, and using adequacy tests for the jurisdiction of transfer, as already provided for in Section 34 of the Bill. This is also in line with the position under the European General Data Protection Regulation ("GDPR"). Further, the extra-territorial application of the Bill also ensures that the data protection obligations under the law continue to exist even if the data is transferred outside the country.

In case data localisation is meant to serve any of the goals other than privacy, sectoral obligations can be used to meet these specific objectives based on a perceived and specific need. This is already the case in respect of digital payments data, certain types of telecom data and Government data. Any such move would of course have to be preceded by an open and transparent process setting out the problem that is sought to be addressed and assessing the different alternatives before arriving at localisation as a solution.

Given the infirmities in the Bill, particularly concerning the powers of the State, individuals and businesses may well believe that their data would be more secure if stored and processed in jurisdictions with strong data protection laws and a more advanced technical ecosystem. Therefore, assuming that privacy is the primary motivating factor behind design of this provision, it would make sense to allow individuals to store their data in any location of their choice, provided that the specified conditions are being met.

Accordingly, we believe that Section 33 ought to be deleted from the Bill. As an alternative, general restrictions on cross-border transfers may be imposed only for "critical personal data". In this context, it is also important that the Bill should provide a definition of "critical personal data" or at least clarify the grounds on which personal data may be declared as such. This would help limit the otherwise extremely broad powers of the State in this respect.

Children's Data

Section 16 of the Bill contains an enhanced set of obligations for fiduciaries dealing with children's personal data and sensitive personal data. It requires fiduciaries to act in the best interests of the "child", defined to mean a person below 18 years. The provision mandates age verification and parental consent for the processing of such data, which, while well-intentioned, gives rise to some concerns.

For instance, a large part of India's internet using population comprises young people, including children. Requirements for age verification and parental consent may not be practical for a vast number of children who may not have access to relevant documents, may not receive parental support, or their parents may not be in a position to engage with the technology and verification system. Such a requirement is also likely to have a disproportionate impact on already vulnerable and marginalised communities, including adolescent girls. Section 16 also leads to a loss of agency for many young internet users, who are often the creators and consumers of online content for educational, recreational, entertainment and other purposes.

The procedure to conduct mandatory age verification is also beset with ambiguity, since any requirement to verify children's data will effectively amount to the verification of all users in order to be able to distinguish children from adults. This would clearly be a disproportionate invasion of privacy.

Finally, the Bill does not draw any distinction in the level of protection based on the age of the child, in effect treating children of 5 years and 17 years in the same manner. This, in essence, goes against the UN Convention on the Rights of the Child, to which India is a party. The Convention inter alia recognises that: (a) regulation of children should be in a manner "consistent with the evolving capacities of a child" and that children have a right to engage in play and recreational activities "appropriate to the age of the child" (Articles 5, 14 and 31); (b) children have a right to protection of the law against invasions of privacy and a right to peaceful assembly (Articles 16 and 15); and that (c) access to mass media, particularly from "a diversity of national and international sources" is important for a child's development (Article 17).

In order to allay these concerns, we recommend that the provisions pertaining to parental consent and age verification (Sections 16(2) and 16(3) of the Bill) should be deleted. In the event these provisions are retained, they should be amended to prevent the complete loss of agency for many young internet users; to enable a level of protection that is consistent with the age group of the child; and to ensure that the rights of all individuals to expression and access, including children, are not unduly restricted. Accordingly, Section 16 should lay down that the principle of best interests of the child and the requirement of consent from parents and guardians have to be interpreted "in a manner consistent with the evolving capacities of the child". Further, any requirement of age verification should be limited to guardian data fiduciaries to be classified by the DPA. Finally, the factors to be considered under Section 16(3) while deciding upon the manner of verification, should also include the impact of the verification mechanism on the privacy of other data principals.

Privacy by Design and Sandbox

Section 22(1) of the Bill requires every data fiduciary to prepare a privacy by design ("PBD") policy containing details of the processing practices followed by the fiduciary and the risk-mitigation measures put in place. According to Sections 22(2) and 22(3), the data fiduciary may submit the PBD policy to the proposed DPA for certification, which shall be granted upon satisfaction of the conditions mentioned in Section 22(1). The fiduciary and DPA shall then publish the certified PBD policy on their websites.

Section 22, as it is currently drafted, only requires data fiduciaries to prepare a PBD policy -- it does not require them to implement the same. Without a requirement to implement the PBD Policy, this would remain a mere paper requirement and serve no real privacy enhancing purpose. In contrast, Section 29 of the PDP Bill, 2018, required every data fiduciary to "implement policies and measures to ensure [privacy by design]". Similarly, Article 25 of the GDPR also requires data controllers to "implement appropriate technical and organisational measures" in order to meet the requirements of the regulation.

Further, given the range and scope of duties conferred on the DPA, requiring it to verify and certify every data fiduciary's PBD policy (as an ex-ante measure) could cast an unreasonable burden on the regulator. It must be noted that the scrutiny of a PBD policy will have to take into account each entity's specific business model, and the specific risk mitigation measures proposed to be implemented. This is clearly not an insignificant task. We therefore believe it would be prudent to permit independent data auditors to certify PBD policies, with further review of the certified policies by the DPA in cases where it is assessing the fiduciary's eligibility to participate in the sandbox under Section 40. This would reduce the burden on the DPA while enabling quicker turn-around times for business entities. The DPA could in turn regulate the process of certification by independent auditors through appropriate regulations.

We now turn to the issue of the regulatory "sandbox". This is a new concept in the data protection discourse in India, although other sectors, such as finance, have already seen such developments. For instance, the Reserve Bank of India announced the creation of an enabling framework for a regulatory sandbox in 2019. We have also seen international examples that discuss such measures in the data protection context, such as the UK Information Commissioner's sandbox initiative.

Section 40 of the Bill permits the DPA to restrict the application of specific provisions of the Bill to entities that are engaged in developing innovative and emerging technologies in areas such as artificial intelligence and machine-learning. Presumably, the purpose is to enable companies to experiment with new business models without the fear of falling foul of the law (while at the same time enabling supervision by the authorities), in a controlled setting, where exposure to harm can be limited. According to Section 40, the DPA can modify the application of the provisions of the Bill relating to clear and specific purpose for data processing; collection only for a specific purpose; and limited period of data retention for eligible entities. In order to be eligible for the sandbox, an entity should have in place a PBD policy that has been certified by the DPA (Section 22).

The current draft vests significant discretion in the hands of the DPA in deciding which entities will be included or excluded from the sandbox. Despite this, there are no clear criteria provided in Section 40 that would allow the DPA to judge the entry of an entity into the sandbox. We believe that certain criteria, based on the expected level of innovation, public interest, and viability, should be specified in Section 40 itself, to improve transparency and accountability. The provision of specific criteria needs to be accompanied by the requirement of a written, reasoned decision by the DPA, so as to reduce arbitrariness. Apart from this, the DPA should also be empowered to lay down conditions and safeguards for data fiduciaries to follow (with respect to personal data processed while in the sandbox) once they have exited the sandbox. Finally, changes flowing from the proposed revisions to the certification process of the PBD policy (discussed above) will also need to be made to Section 40.

Non-consensual Processing for Employment Purposes

Section 13 of the Bill gives significant leeway to employers for carrying out non-consensual processing of personal data, other than sensitive personal data, that is necessary in the context of employment. Given the inherent inequality in an employer-employee relationship, we believe that the Bill should have greater safeguards to prevent coercive collection or misuse of employees' personal data by employers.

For instance, the present draft of the provision permits non-consensual processing of personal data of an employee if considered necessary for "any other activity relating to the assessment of the performance" of the employee. This phrase is very wide in scope and can be easily misused by the employer, for instance through continuous monitoring and analysis of all activities of the employee, including the time spent in front of a screen, private calls and messages, etc. Given the increasing relevance of remote working arrangements, this sort of monitoring could even be extended outside the office premises.

We have already referred to the significant imbalance of power in the relationship between the employee and employer. There can be many ways in which technology can further tilt the balance of power in favour of the employer. For instance, there has been considerable reporting on the "productivity firings" by Amazon. The company is said to be using "deeply automated tracking and termination processes" to gauge if employees are meeting (very stringent) productivity demands placed on them (Lecher, 2019). Similar stories of management or termination based on algorithmic decision-making are increasingly being heard from many other sectors of the economy. When one considers the advances being made in tracking and privatised surveillance systems, the ability of employers to collect and analyse data of their employees without their consent can become extremely problematic.

Accordingly, we believe the broad exemption provided for employers should be done away with by deleting this provision. However, if the provision is to be retained, we recommend that two amendments need to be made to it. First, the provision should only permit non-consensual processing as is "reasonably expected" by the data principal. Second, any processing under this provision should be proportionate to the interests being achieved.

Exemption for Research, Archiving, or Statistical Purposes

Section 38 permits the DPA to exclude the application of all parts of the law to processing of personal data that is necessary for research, archiving or statistical purposes, if it satisfies certain prescribed criteria. As highlighted in our earlier submissions, the framing adopted by the provision is very broad as it extends the exemption to research and archiving conducted for a wide variety of purposes, including situations where this may not be appropriate. This includes research that is predominantly commercial in nature. Market research companies carrying out consumer surveys, focus group discussions, etc., often use intrusive means of data collection and are repositories of large quantities of personal data. We believe that such purposes should not be exempted from the purview of data protection requirements as doing so would significantly lessen the privacy protections offered to individuals, without any significant public benefit being achieved.

Accordingly, we recommend narrowing the scope of the provision only to the processing of personal data where the purpose is not solely commercial in nature and the activity is being conducted in public interest. Notably, the GDPR also limits exemptions granted to research purposes to "archiving purposes in public interest, scientific or historical research or statistical purposes" (Article 89). Further, a somewhat similar approach has been adopted in the Copyright Act, 1957, which in Section 32 provides for the issuance of licenses to produce translations of works, inter alia, for research purposes. Section 32 specifically excludes "industrial research" and "research by bodies corporate" (not being governmental controlled bodies) "for commercial purposes" from the scope of the law -- thus, the exemptions from copyright protection under the law do not apply to the use of copyrighted material for such categories of research.

In addition, it is unclear why provisions pertaining to transparency, fair and reasonable processing, deployment of security safeguards etc. are not made applicable to entities that may avail the exemption under Section 38, as was suggested in the earlier draft of the PDP Bill, 2018. As mentioned above, commercial research companies collect, process and store large quantities of personal data, thereby making them susceptible to significant breach of privacy (in the case of data breaches, unauthorised disclosures, etc). Therefore we suggest that Section 38 should be revised to ensure that the provisions of the law are only exempted to the extent they may significantly impair or prevent achieving the relevant purposes. Notably, the UK Data Protection Act, 2018, also follows a similar approach in Schedule 2 (Part 6, paragraph 27 and 28).

Non-personal Data

Section 91(2) is a new provision that has been introduced in the latest version of the Bill. Under this section, the Central Government may, in consultation with the DPA, direct any data fiduciary or processor to provide any non-personal or personal data that is in an anonymised form. The Government is required to lay down regulations governing this process. This non-personal data is to be used for "better targeting of delivery of services or formulation of evidence-based policies" by the Government.

We find that this provision is misplaced in the Bill and is disproportionate in nature, for the following reasons. First, regulating non-personal data flows is outside the scope of the present law. Notably, the White Paper and Report of the Justice Srikrishna Committee exclusively consider the regulation of personal data, as do the Statement of Objects and Reasons and Recitals to the Bill.

Second, the Government has already constituted a Committee of Experts to examine regulatory issues arising in the context of non-personal data. The inclusion of this provision pre-empts the findings and recommendations of this Committee of Experts.

Third, the provision does not adequately consider and balance all relevant interests, as it provides the State with an omnibus power to call for any non-personal data. This could affect property rights of data fiduciaries, competition in the digital ecosystem (especially where the State is a market participant), and also affect individual privacy, particularly in situations where unrelated data sets available with the Government could be processed to reveal personally identifiable data. There is significant literature on the possibility of anonymised data sets being re-identified through advanced computing, or on being combined or added to new information to reveal personal data.

Fourth, calling for data on grounds that it may be used for "evidence based policy making" is vague, ambiguous and susceptible to arbitrary use. Existing provisions of law allow sectoral regulators and Government agencies to collect relevant data (personal or non-personal) where required for making regulatory or policy interventions. The provision would therefore fail the Puttaswamy tests of ensuring proportionality and being subject to appropriate procedural safeguards.

In the circumstances, we believe the provision must be dropped from the Bill.

Conclusion

In this post, we have highlighted how the Bill offers limited privacy protections for individuals in various contexts, such as when it comes to an employee-employer relationship or in the context of processing of personal data by entities engaged in commercial research and statistical work. At the same time, certain provisions, while they may seem well intentioned, require significant fine-tuning so as to not unduly limit individual rights, such as the requirement for verification of users' age.

We show that by failing to ensure that data fiduciaries must implement a PBD policy, the Bill merely envisages a paper requirement, while at the same time casting a significant burden on the DPA to certify such policies. Similarly, the provision on data sandboxes, while it may not be a bad idea in theory, also requires much more discussion and work. To begin with, we propose that the provision needs modifications to limit the discretionary power available to the DPA, particularly in terms of selection of entities to take part in the sandbox. Finally, we also explain why the provisions pertaining to data localisation and non-personal data are poorly conceptualised and disproportionate in nature.

Based on the discussions here and in our previous post on the Bill, we conclude that there are a number of areas where the Bill needs further work before it can be said to be providing an appropriate standard of data protection. Further, the introduction of various completely "new" provisions in the Bill at this stage, such as those pertaining to non-personal data, sandboxes, social media intermediaries, and consent managers is less than ideal given the significant public discussion carried out on the draft law over a two year period. In this context, the fact that the Joint Parliamentary Committee that is currently examining the Bill has called for, and is considering, public comments is a positive step.

References

Bailey and Parsheera, 2018: Rishab Bailey and Smriti Parsheera, Data Localisation in India: Questioning the Means and Ends, NIPFP Working Paper No. 242, October 2018.

Basu et al., 2019: Arindrajit Basu, Elonnai Hickok and Aditya Singh Chawla, The Localisation Gambit: Unpacking Policy Measures for Sovereign Control of Data in India, The Centre for Internet and Society, 19 March, 2019.

Bhandari et al, 2017: Vrinda Bhandari, Amba Kak, Smriti Parsheera and Faiza Rahman, An analysis of Puttaswamy: the Supreme Court's privacy verdict, LEAP Blog, September 20, 2017.

Justice K.S. Puttaswamy v. Union of India (Right to privacy case), 2017 (10) SCC 1.

Lecher, 2019: Colin Lecher, How Amazon automatically tracks and fires warehouse workers for 'productivity', The Verge, 25 April, 2019.

 

Rishab Bailey, Smriti Parsheera, and Faiza Rahman are researchers in the technology policy team at the National Institute of Public Finance Policy. Vrinda Bhandari is a practicing advocate in Delhi. The authors would like to thank Renuka Sane and Trishee Goyal for inputs and valuable discussions.

Monday, April 06, 2020

Street-level officials in India's Covid-19 response

by Smriti Parsheera.

In a federal union of 28 States and 9 Union Territories, divided into over 700 Districts, translating policies into effective implementation is testing in the best of times. But when a country of 1.3 billion people comes to a near halt, as witnessed after the Prime Minister's announcement of a 21 day lockdown, the implementation challenge becomes all the more significant. The events that have unfolded over the past few weeks remind us that policy outcomes are determined not just by decision-makers sitting in the corridors of power in the Central and State Governments but also by the street-level officials who intermediate the everyday relationship between the citizen and the State.

The term "street-level bureaucrats" was coined by Michael Lipsky in 1980 to describe the host of front-line public workers who interact directly with citizens, often enjoying a substantial level of discretion in the execution of their functions (Lipsky, 2010). In the present context, this includes various district-level officials, police officers, social workers and other members of the local administration, all of whom have become the first point of contact between the individual and the State's constantly evolving response to the Covid-19 crisis (See Shah & Misra, 2020). In Lipsky's analysis, street-level workers often lack the time, information, or other resources that are necessary to properly respond to individual cases. They therefore invent their own devices "to cope with uncertainties and work pressures, effectively become(ing) the public policies they carry out." (Lipsky, 2010). In the present situation, these pressures would include shortage of staff and protective equipment, while facing greater risks of exposure; uncertainty about the course of the virus and the policy response; and reports of attacks faced by health workers and police personnel while discharging their functions.

The Covid-19 situation has many of the ingredients of what Kelkar & Shah (2019) define as a "hard policy problem" -- problems that involve some combination of a high level of discretion, a high number of transactions, high stakes and high secrecy. Three of these four sources of complexity are present in the lockdown.

The stakes involved are high on account of the challenges posed to the life, health, livelihood and liberty of citizens.

The response involves a fairly large volume of transactions, including provision of health care services, tracing and isolating contacts, and ensuring adherence with quarantine and lockdown conditions.

In some cases, Government policies have reduced the level of discretion that might have otherwise been available to front-line actors. For instance, stating that only those who meet the specified inclusion criteria will be eligible for testing reduces the discretion in the hands of doctors and testing centres. However, as we illustrate ahead, there are many transactions where the officials on the ground enjoy a substantial degree of discretion in the implementation of the stated policy.

Role of street-level officials in the lockdown


To implement the lockdown, various States have issued regulations and orders under the Epidemic Diseases Act, 1897, imposing restrictions on the operation of establishments and movement of people. At many places, orders have also been issued under Section 144 of the Code of Criminal Procedure, 1973 (CrPC). This provision allows District Magistrates and Sub-divisional Magistrates to "direct any person to abstain from a certain act or to take certain order with respect to certain property in his possession" if this is required for reasons of health, safety, public order, etc. These measures prohibit individuals from stepping outside their homes unless it is for providing or availing an essential service, and from assembling in groups. A list of essential services, which includes groceries, hospitals, chemists, e-commerce services, etc., has been indicated in the orders.

While the letter of the orders might seem to make clear which activities are permitted and which are restricted, every police officer who encounters a potential detractor on the street gets to make some important choices. The officer will decide whether the person should be heard and, if appropriate, let off with a reprimand. Should legal action be initiated for violation of Section 144 of the CrPC or relevant provisions of the Epidemic Diseases Act and the Indian Penal Code? Or, as seen in several reports from the initial days of the lockdown, should violators be given an instant taste of the law through the use of brute force and humiliating physical punishments? While it may be easy, and legitimate, to classify these actions as forms of State violence, it is also important to recognise them as the actions of individual actors (acting on behalf of the State).

Visuals of overcrowded boarding points and packed buses carrying stranded migrant workers in Uttar Pradesh and Delhi have been a stark reminder of the gap between the policy messaging on mandatory social distancing and the ground reality. What role did the officials on the ground play, or should have played, in this process?

In a symbolic distancing of the policy from the implementation, the Ministry of Home Affairs reacted with the suspension of certain officials in Delhi who were held to be responsible for the lapses. The Ministry also passed an order imposing a country-wide ban on further movements of migrant workers. This order mandates State Governments to provide food and shelter to those in need and quarantine facilities for migrants arriving from outside. Again, there are bound to be many differences in the ways in which this order will be implemented by the police and local administrators in different parts of the country. For instance, some areas may still permit movements under exigent circumstances or allow relaxations for those who are already in transit. Similarly, the facilities available at the shelters, including regard for the differential sanitation and safety needs of women, will also be determined at the ground level.

Front-line officials are also playing an important role in determining the attitude towards individuals coming from outside the region or those who have had contact with coronavirus patients. Are they to be regarded as "Covid-19 suspects" who will be shunned and disinfected, as seen in the Bareilly town of Uttar Pradesh? Or are they just individuals who face a higher risk of infection and therefore need specific monitoring and care? The local administration in Himachal Pradesh has, for instance, tried to adopt the latter approach but, like in many other parts of the country, this comes with insufficient checks to safeguard individual privacy.

The author's own, admittedly privileged, interaction with the local administration in District Kullu of Himachal has been that the authorities are in regular touch with those placed under home quarantine. This includes phone calls and visits from teams consisting of doctors, the local police, ASHA workers, panchayat members and land revenue officials. Without exception, the interactions have been courteous and reflect a sense of responsibility towards ensuring the health of the individual and the community. These positive steps are, however, marred by the awareness that the personal data of the travellers, like their name, phone number, address, etc., is being freely circulated on local WhatsApp groups. Similar reports have also emerged from places like Delhi, Nagpur and Ajmer. While some States, like Karnataka, are deliberately pushing out this data, the violations in many other cases are more likely the result of indiscreet sharing by those who gained access to the data in the course of their official functions. Given that India's legal and enforcement framework around data protection remains deficient, urging local officials to prevent the dissemination of this information might be the most effective check at this point.

Finally, a number of street-level actors will also have to step in to ensure that the relief measures announced by the Finance Minister actually end up reaching the intended beneficiaries, in a fair and timely manner. To the extent that these benefits have been tied to existing schemes, functionaries like operators of fair price shops and gas distributors under the Ujjwala scheme, who discharge public official-like functions, will be responsible for intermediating access to the promised entitlements. Through the last decade, the focus of systems like Aadhaar has been on increasing accountability and reducing the discretion available to such front-line actors. The Covid-19 crisis might, however, be a time to temporarily suspend the insistence on precise targeting through technical tools, even if this leads to some increase in the discretion available to street-level officials.

The way forward


The examples given above illustrate how officials who may not traditionally be regarded as "policymakers" have a profound impact on the ways in which most Indians will navigate their lives in the coming months. How we come out of this unprecedented crisis will depend not just on the government’s policies, its available resources and citizens' cooperation but also the individual choices made by various front-line actors. Policy design for Covid-19 should take this into account, applaud the role of street-level officials, and compel them to act in ways that are compassionate and preserving of individual dignity. This perspective would be a useful addition to the Prime Minister's public addresses, the text of official orders, all the way to local coordination meetings at the district level. Traditional and social media also need to play a more responsible role in bringing out both the violence being inflicted by the authorities, as well as the positive stories of compassion and care shown by some front-line workers.

Recognising the complexities of implementation at the ground level is one element of better planning. It is a reminder that loose wording of legal instruments, of the kind that we often see in India, can end up resulting in unplanned and undesirable outcomes, from the perspective of policymakers and the public. Therefore, instead of treating the implementation stage as something that is distinct from policy planning, the planning process itself needs to account for the challenges of policy-making in high-stakes, discretionary and transaction-intensive scenarios. While this may not always be possible because, as noted by Pritchett & Woolcock (2004), practices that are discretionary and transaction-intensive in nature are by definition not amenable to being standardised and (easily) replicated, policy-makers should try to anticipate the incentives and actions of front-line agents, to the best extent possible.

Another appropriate response to the present crisis would be to initiate a systematic review of the legal framework under which the various elements of the current policy actions have been taken. The Epidemic Diseases Act, 1897, which has been the basis of the Covid-19 response by many State Governments, is a case in point. It is a skeletal legislation that consists of only five sections including one that allows the State Government to take any measures to prevent the outbreak, or spread, of a "dangerous epidemic disease", a term that is not defined under the law (Kaur, 2020). In fact, the law does very little other than specifying the broad powers of the Government, immunity for any of its actions, and legal consequences for non-compliance. In particular, it does not define the scope of the measures that may be prescribed under it or lay down requirements like adherence to basic human rights, proportionality of adopted measures, transparency, accountability or redress mechanisms. A few years back the Central Government had initiated a move to replace this law with the proposed Public Health (Prevention, Control and Management of Epidemics, Bio-terrorism and Disasters) Act, 2017. Critics were, however, of the view that the proposed draft remained equally deficient in most respects (Rao, 2017). Similarly, there is a need to develop standard operating procedures on the acceptable conduct of police forces in times of public health emergencies, and to incorporate these in police training programmes.

We recognise that the monopoly on violence, and not compassion, is at the essence of the State. This makes it all the more important to push for appropriate checks and balances in the exercise of any emergency powers by the State. When it comes to the role of street-level officials, their actions are motivated not only by the directions issued by the State but also by the incentives, uncertainties, pressures and threats faced by them. Better policy planning should account for these factors and address them while designing the policy response.

References


Kelkar & Shah, 2019: Vijay Kelkar and Ajay Shah, In Service of the Republic: The Art and Science of Economic Policy, Penguin Allen Lane, 2019.

Kaur, 2020: Harleen Kaur, Can the Indian legal framework deal with the Covid-19 pandemic? A review of the Epidemic Diseases Act, Bar and Bench, March 27, 2020.

Lipsky, 2010: Michael Lipsky, Street-Level Bureaucracy: Dilemmas of the Individual in Public Services, 30th Ed., Russell Sage Foundation, New York, 2010.

Pritchett & Woolcock, 2004: Lant Pritchett and Michael Woolcock, Solutions When the Solution is the Problem: Arraying the Disarray in Development, World Development, 32(2), 2004, 191–212.

Rao, 2017: Menka Rao, A new bill on public health emergencies allows for dubious restrictions of citizens' liberties, Scroll, March 31, 2017.

Shah & Misra, 2020: Kadambari Shah and Prakhar Misra, Covid-19: Importance of street-level bureaucracy to fight the pandemic, Moneycontrol, April 6, 2020.



Smriti Parsheera is a lawyer and technology policy researcher. She would like to thank Ajay Shah and Rudra Chaudhuri, and an anonymous referee, for valuable inputs.

Friday, April 03, 2020

Comments on the draft Personal Data Protection Bill, 2019

by Rishab Bailey, Vrinda Bhandari, Smriti Parsheera and Faiza Rahman.

In December 2019, the Government introduced the draft Personal Data Protection Bill, 2019 (the "Bill") in the Lok Sabha. The genesis of this Bill lies in the report and draft law ("PDP Bill, 2018") prepared by a Committee of Experts headed by Justice B.N. Srikrishna. This committee was constituted by the Government in the course of the hearings before the Supreme Court in the right to privacy case (Justice K.S. Puttaswamy v. Union of India). This blog post is the first of a two part series containing our comments on the latest version of the PDP Bill, which has been referred to a Joint Parliamentary Committee for their consideration. It builds on our previous submissions on the white paper released by the Justice Srikrishna Committee and the draft PDP Bill 2018 prepared by them.

The Bill offers a fairly comprehensive set of data protection principles and rights to data subjects, particularly in relation to data processing by private entities. However, several provisions are in need of further improvements and revisions. In this piece, we focus on the provisions pertaining to the relationship between citizens and the State and the structure and independence of the proposed Data Protection Authority of India (the "DPA"). We find that by crafting a number of wide ranging exemptions for the State, providing it with various broad and ambiguous powers, and failing to check its influence over the functioning of the DPA, the Bill significantly limits the exercise of privacy rights by individuals.

Defining the State and its functions

The State is one of the biggest collectors/processors of data, and has a unique ability to impact the lives of individuals. While the Bill takes an important and essential step towards empowering the citizen vis-a-vis the State by including the State within the definition of the term "data fiduciary" (and "data processor"), it needs to do more in terms of meaningfully empowering the individual. This process has to begin with providing greater clarity on some definitional aspects.

First, the definitions of "data fiduciary" in Section 3(13) and of "person" in Section 3(27) seem to refer to "the State" in its entirety, instead of regarding each of its agencies / departments as an independent data fiduciary. This would, for instance, become relevant in a context like Section 7(1)(g), which requires individuals to be given notice of any data sharing arrangements with other fiduciaries. Clearly, the State cannot be regarded as a monolith for this purpose and the requirement of notice for data sharing should also apply to any inter-departmental sharing within the Government. This is also reflected in international best practice -- the UK's Data Protection Act, 2018, for instance, applies to distinct government agencies, while the US Privacy Act, 1974 refers extensively to intra-government information sharing. To make sure that this will also be the case under Indian law, the definition of "data fiduciary" needs to clarify that any reference to the "State" means the relevant department or Government agency of the State.

Second, Section 3(39) of the Bill imports the definition of the State from Article 12 of the Constitution. Article 12 defines the State to include the Parliament and State Legislatures, Central and State Governments, and all local or other authorities that are controlled by the Government. Given its place in Part III of the Constitution (dealing with fundamental rights), Article 12 has been drafted broadly so as to impose the broadest set of "responsibilities and obligations on the 'State' vis-a-vis the individual to ensure constitutional protection of the individual's rights..." (Pradeep Kumar Biswas v. Indian Institute of Chemical Biology). Accordingly, the term "other authorities" has been read to encompass a range of bodies such as state electricity boards, research and educational institutions, regional rural banks, and statutory corporations such as the Oil and Natural Gas Commission, the Industrial Finance Corporation and the Life Insurance Corporation.

However, when this definition is used in a context that limits, rather than expands the rights of individuals, the intent of the wide definition is turned on its head. For example, Section 12 of the PDP Bill permits non-consensual processing by the State in various circumstances. Given the wide scope of the word "State", this provision could be used by a range of entities, thereby limiting individual rights. Further, terms like "function of the State" and "service or benefit" used in Section 12(a) can also be interpreted very broadly. Thus, the breadth of the word "State", together with the wide ranging nature of functions carried out by the State will imply that a whole range of entities will be permitted to exercise the option of non-consensual processing. Such a wide exemption would be against the spirit of the Bill. Further, it may also create differential regimes for private and public sector entities providing similar services (such as education and health).

Accordingly, we suggest that the references to the "State" in Section 12(1)(a) of the PDP Bill and, by extension, Section 19(2)(a) (which provides an exemption from the right to data portability), should not include any of the "other authorities" under Article 12 of the Constitution. Further, given the challenge of trying to narrowly define the scope of the State, its functions, services or benefits, we propose that the State should be required to meet requirements of "proportionality" when processing data under Section 12. This will help in safeguarding the privacy interests of the individual, in keeping with the Supreme Court's decision in the Puttaswamy right to privacy case (See Bhandari et al, 2017).

Exemption of surveillance and other agencies

Section 35 of the PDP Bill empowers the Central Government to exempt any government agency from the application of the entire Act, if it is satisfied that it is necessary or expedient to do so, subject to procedures, safeguards, and oversight mechanisms that will be prescribed by the Government. This is a very wide power that enhances the existing asymmetry in the relationship between the citizen and the State, without increasing any corresponding accountability or transparency in the functioning of the State. This is of concern for a variety of reasons.

First, the Central Government needs only to be satisfied that the exercise of such powers is "necessary" or "expedient". The expedience test is hard to check or restrict, and can easily descend into being a mere convenience test, thereby providing an easy justification to invoke this provision.

Second, Section 35 permits the invocation of the exemption on various grounds that go well beyond the grounds considered by the 2018 version of the PDP Bill. The earlier draft restricted its scope only to "security of the State" while the 2019 version has introduced several additional grounds that are relatable to the "reasonable restrictions" listed under Article 19(2) of the Constitution. For instance, it includes terms like "public order" that are much wider in scope and require a lower threshold for invocation as compared to "security of the State" (Ram Manohar Lohia v. State of Bihar).

Third, the provision does not require that any order that exempts the application of the legislation, and violates privacy in the process, has to be proportionate to the achievement of a stated legitimate aim. This is not compliant with the Supreme Court's judgment in the Puttaswamy right to privacy case.

Fourth, the Section allows both the scope of the provisions from which the agency would be exempted, as well as the procedures, safeguards and oversight mechanisms, to be subsequently laid down by the Government. By delegating important powers to the Government, including the power to prescribe procedural safeguards, the Bill precludes the involvement of the legislature and the accompanying benefit of Parliamentary debate.

Fifth, Section 35 permits the Government to exempt the application of the entire Act. We find that there does not seem to be any discernible rationale for exempting the application of provisions like Sections 4, 5, 6, 9, 24, and Chapters I, IX-XIV of the Bill, which provide basic protections like need for fair and reasonable processing, retention norms, security safeguards, etc. Notably, jurisdictions such as the UK also do not exempt law enforcement agencies from the application of their data protection laws in their entirety (Bailey et al, 2018).

Finally, the provision lacks any independent high-level oversight mechanism or periodic review, and actions of the Central Government to exempt an agency are not subject to application of a judicial mind. The need for such oversight was recognised by the Report of the Justice Srikrishna Committee, and the Supreme Court too has repeatedly stressed the need to implement appropriate procedural fetters on interferences with privacy rights. Further, democratic countries across the world employ multiple layers of oversight over intelligence and law enforcement agencies (See Bailey et al, 2018).

Accordingly, we believe that Section 35 of the Bill ought to be deleted in its entirety. There is an urgent need to revisit the entire legal framework pertaining to surveillance in India, and a broad exemption such as that contemplated under the Bill is undesirable. However, in the event that such a provision is to be retained, it would need to be strengthened by addressing the various concerns detailed above through appropriate safeguards to be built into the primary law. Specifically, the law must ensure that use of the provision and the actions taken pursuant to it are subject to appropriate (judicial) oversight; the grounds for invocation of the provision need to be restricted to "security of the state"; and proportionality requirements need to be specified. Further, relevant provisions of the Bill, as outlined above, must continue to apply even if an agency is being exempted from the application of other provisions of the law.

Exemption for law enforcement purposes

The PDP Bill also provides for an exception in situations where personal data is being processed in the interests of prevention, detection, investigation and prosecution of any offence or any other contravention of any law (Section 36(a)). This provision is extremely wide in its import and can thereby end up creating unreasonable restrictions on the fundamental right to privacy. We list the various concerns with the provision and the corresponding changes that we suggest to limit its scope.

First, the provision does not clarify that the exemptions from the obligations under the Bill will only be available to the State. For instance, nothing currently precludes an individual from relying on this provision to set up CCTV in any public place under the guise of preventing any criminal activities. The provision could therefore encourage vigilantism or enable privatised surveillance, significantly limiting the right to privacy. Therefore the provision should clearly state that this exemption can only be availed by the Central Government or a State Government or any officer specially authorised in this behalf by the Government.

Second, the use of the phrase "any offence or any other contravention of any law" extends the exemption to include even relatively minor contraventions of law or even civil wrongs arising from a breach of contract, violations of civil laws, violations of statutory obligations, etc. The provision is therefore overbroad and unworkable in its current form. One of the ways to limit its scope could be by providing that the exemption would only be applicable to the prevention, investigation or prosecution of cognizable offences and that too if they are punishable with imprisonment of 3 years and above (indicating the more serious nature of the offence). Further, the phrase "any other contravention of any law for the time being in force" should be dropped.

Third, there is no requirement that the processing has to be proportionate to, and necessary for, interests of prevention, detection, and investigation of the offence, as required under the Puttaswamy tests (Bhandari et al, 2017). There is also no requirement of prior judicial review for such collection and processing of personal data, which was one of the potential safeguards suggested by the Supreme Court in the Puttaswamy Aadhaar case. The PDP Bill should ideally ensure that any processing of personal data under this provision is subject to prior judicial review and is in compliance with the proportionality standard.

Fourth, while the Bill lists some provisions that would continue to apply despite the exemption, it is unclear why other critical user rights, like fair and reasonable processing, access, correction, retention etc., have not been included. We propose that all of these provisions should be applicable to authorities availing this exemption, subject to situations where discharging data protection obligations may actively harm or interfere with their duty of investigating or prosecuting the relevant offences. As noted previously, countries like the UK that provide similar exemptions to their investigative agencies still apply a robust set of data protection norms in such cases (Bailey et al, 2018).

Finally, the Bill removes some of the safeguards that were suggested in the PDP Bill, 2018, pertaining to the processing of personal data of victims, witnesses, informants and other such relevant persons (Section 43(3)). Under the PDP Bill, 2018, the exemptions in relation to the processing of personal data of such people were available only where following the general obligations under the law would obstruct or prejudice the investigation process. This safeguard is critical since it protects the privacy of individuals who are not suspected of having committed an offence but are involved in investigative or legal proceedings by virtue of being victims, witnesses or informants. This approach has also been adopted by the UK's Data Protection Act, 2018 (Section 38(3)). We suggest that this safeguard should be reinstated in the Bill.

Independence of the Data Protection Authority

Ensuring independence of any regulator is one of the basic pillars of good regulatory governance. As noted by the Financial Sector Legislative Reforms Commission (FSLRC), independence of regulators yields greater legal certainty, and therefore better outcomes (FSLRC, 2013). Independence also enables functioning of the regulator as an expert body, which can be particularly relevant in the context of privacy rights given their contextual and often technical nature. Independence of the regulator is even more critical in case of the proposed DPA, as unlike many existing Indian regulators, it will be charged with supervising the private sector as well as almost all Government agencies. Further, the range of discretionary and enforcement powers that the DPA enjoys under the law (which range from standard setting to enforcement and adjudication) makes it vital that the body functions without favour and in an accountable and transparent manner (Parsheera, 2019). The DPA's independence therefore needs to be reflected in its composition, selection process, and functioning.

  1. Structure of the DPA: Section 42 of the Bill provides that the DPA will consist of a Chairperson and up to six whole-time members. This does not allow for the appointment of any part-time/non-executive members, who can bring in technical expertise as well as independent ideas and critiques into the functioning of the DPA. Not only is this considered good regulatory practice, it is also in line with existing Indian laws, such as those constituting regulators such as the Telecom Regulatory Authority of India (TRAI) and the Securities and Exchange Board of India (SEBI).

  2. Selection process: The Bill provides that all DPA members will be appointed on the recommendations of an executive-led selection committee comprising the Cabinet Secretary and two other secretaries of the Central Government. This ensures that the Government will have absolute control over the DPA's selection process, thereby seriously threatening its independence. In contrast, the PDP Bill, 2018 had proposed a judiciary-led selection process. We believe that such a process should be reinstated in the Bill, in addition to which one could also learn from the Right to Information (RTI) Act, which includes the Leader of Opposition (together with representatives of the government) to select Information Commissioners. A selection committee could therefore comprise the Chief Justice of India or a nominee (as chair), and include the Cabinet Secretary, the Leader of the Opposition in Parliament, and two experts (appointed by the Chief Justice in consultation with the other two members). The Bill should also require transparency in the functioning of the selection committee, such as by making the deliberations, votes and recommendations of the committee publicly available.

  3. Terms and conditions of appointment: Section 43(2) of the Bill states that the salaries and allowances and other terms and conditions of service of the Chairperson and the Members of the DPA shall be as prescribed. Empowering the Government to vary salaries of its members, which could also be to their detriment, could end up hindering the independent functioning of the DPA. As with numerous other agencies in India such as the Information Commissioners under the RTI Act and members of the Securities Appellate Tribunal under the SEBI Act, the Bill must ensure that Government is not able to reduce salaries of the members of the DPA once they are appointed. The PDP Bill, 2018 had also suggested the inclusion of such a provision.

  4. Power of the Government to issue directions: Section 86 of the Bill allows the Government to issue any directions to the DPA on issues of public policy and also in the interests of the sovereignty and integrity of India, security of the State, friendly relations with foreign States or public order. While similarly broad provisions are contained in laws governing some other regulatory agencies - such as the TRAI, the Airports Economic Regulatory Authority and the Petroleum and Natural Gas Regulatory Board - the presence of such broad provisions has been questioned in the past, notably by the Parliamentary Standing Committee in its 93rd Report on the Competition Bill, 2001.

     Needless to say, conferring such a broad power on the Government can be problematic not least due to the possibility of political interference in technical and administrative functions of the DPA. Given the DPA's wide scope of authority and discretion, ensuring its functional autonomy becomes vital. Further, it must be remembered that State agencies will be among the biggest entities regulated under the law and therefore there should be no scope for such directions being issued in respect of any ongoing investigations by the DPA. In this sense, the Bill is similar to the RTI Act, which does not contain a similar provision for government directions. The Competition Act, 2002 could be seen as another example. Section 51 of that law limits government directions to matters of policy, which is admittedly a vague concept, but also clarifies that this would not include any "technical and administrative matters".

Accountability of the DPA

The Bill currently lacks sufficient mechanisms to ensure the DPA's accountability to the Government and the Parliament, as well as to stakeholders and the public. Given that the DPA is an unelected body, it is critical that appropriate accountability mechanisms be set out in the primary law itself rather than leaving this to the DPA's discretion or through rules to be framed by the Government.

  1. Meetings of the Authority: Section 46(1) of the Bill provides that the rules and procedures relating to the meetings of the DPA are to be prescribed by the Government. We believe that minimum requirements of transparency should be laid down in the primary law. For instance, the law should clearly state the time period within which the minutes of the meetings of the DPA, along with any votes cast or resolutions made, should be published.

  2. Transparency in DPA's functioning: While the Bill does contemplate a consultative and transparent process in the drafting of codes of practice to be issued by the DPA, it does not require the DPA to act transparently during the exercise of its regulation-making powers, its supervisory or adjudicatory functions, or in relation to the recommendations that it will give to the Government. We recommend that the Bill ought to provide for a general obligation for the DPA to act transparently in the discharge of all its functions. Further, it should also specify what it would mean to be transparent in specific contexts.

     For instance, the Bill should lay out a clear process for drafting new regulations. Such a process should include the drafting of a consultation paper that lays down the problem, the possible interventions and the costs and benefits of each intervention. This should be put through an open and transparent consultation process involving all stakeholders. The DPA should then be required to provide its responses to the comments along with the proposed draft text of the regulation, and seek comments on the same, before proceeding with its final adoption. In case regulations are required to be issued urgently, the DPA may issue such regulations without following the consultation process outlined above. However, such regulations should cease to operate at the expiration of six months from their notification unless the consultation process is initiated within this duration.

DPA's redress functions

The Bill creates an adjudication wing within the DPA, which would be responsible for undertaking enforcement actions against any non-compliance of the law as well as providing redress for individual complaints. Given the large number of data fiduciaries in the system and the data principals interacting with them, a large number of complaints are likely to come up before the DPA. As highlighted in our earlier submissions, expecting the same set of adjudication officers to undertake enforcement as well as redress functions, leads to a blurring of the DPA's objectives.

Housing adjudication and enforcement functions within one body could also lead to a conflict of interest within the DPA. For example, a large number of complaints on a particular issue may be due to non-compliance by the data fiduciaries or due to the DPA failing to take appropriate regulatory or supervisory actions to curb such malpractices. Embedding the redress functions within the DPA is therefore not suitable either from a design or execution perspective.

Therefore, we reiterate the need for a separate ombudsman service or a redress agency that would be responsible for adjudicating complaints raised by data principals and awarding compensation to them. By hiving-off the adjudicatory functions of the DPA from its regulatory and supervisory responsibilities, each unit can then focus on its core functions, while also acting as a check on the exercise of the other functions. A similar division of responsibilities between regulatory and redress functions was recommended by the FSLRC in the context of the financial regulatory framework (FSLRC, 2013).

The proposed redress agency should consist of specialised adjudication officers, who would function independent of the DPA, although there should be a strong feedback loop between the two bodies. The redress agency should make use of technology, such as remote participation through audio/visual means to make redress more accessible. If this proposal is accepted, the provisions regarding the terms and conditions of appointment, powers and functions, codes of practice, and other provisions in Chapter IX of the Bill could apply mutatis mutandis to the redress agency. Further, an appeal from any decision made by adjudication officers of the redress agency should lie to the Appellate Tribunal constituted under Section 67 of the Bill.

Inter-regulatory coordination

Given the cross-sectoral purview of the DPA there is significant scope for overlap between the DPA's functions and that of other sectoral regulators. Equally, there is also scope for drawing valuable synergies through cooperation between them. Section 56 of the Bill is therefore a welcome provision that requires coordination between the DPA and other regulators. The provision, however, needs to be further strengthened in order for it to be utilised effectively.

First, the current provision leaves it to the discretion of the DPA and other statutory authorities to enter into a Memorandum of Understanding (MoU) for the coordination of their activities. We propose that the MoU should instead be made mandatory along with a suggested (non-exhaustive) list of provisions that need to be covered in the MoU. This list should include items such as the process for inter-regulatory references; mechanism for cooperation in framing of regulations and codes of conduct; appointment of a nominee of one party as non-voting observer member on an action being considered by the other party; mechanism for exchange of information, subject to confidentiality obligations; and coordination in conducting awareness related activities. This list draws from the MoU between the United Kingdom's Financial Conduct Authority and the Information Commissioner's Office (FCA-ICO MoU, 2014).

Further, the agencies with whom the DPA would necessarily have to cooperate should also be set out in an Annexure to the Bill or the Central Government should be authorised to prescribe this list. For instance, this would include agencies like the Competition Commission of India, the Reserve Bank of India, SEBI, the Insurance Regulatory and Development Authority of India, the Pension Fund Regulatory and Development Authority of India, and TRAI. This will ensure that the agencies cannot subsequently deny the need or the statutory basis for such agreements.

Conclusion

As detailed in our response to the PDP Bill, 2018, the current state of Indian privacy law means that virtually any improvement thereon would represent a significant step towards protection of privacy rights of individuals. However, given the broad scope of the proposed law, and the significant powers given to the DPA, it becomes important to ensure that the law is properly crafted. The role of the Joint Parliamentary Committee currently examining the law becomes all the more relevant given the significant changes made to the law compared to the PDP Bill, 2018, and the absence of any explanations for the same (say in the form of an explanatory memorandum detailing why certain provisions of the law were modified). The fact that the Committee has called for and is considering public comments on the Bill is therefore a positive step.

In this post we examined the lacunae in the Bill in the context of how it delineates the State-citizen relationship, particularly in the form of the exemptions crafted for the State. We highlighted the overbroad nature of the exemptions for the State -- in the context of non-consensual processing, State surveillance and data processing for prevention and investigation of offences -- and demonstrated how this may limit individual rights in a number of contexts. Carving out such broad exemptions detracts from the "horizontal" nature of the law, and also renders the Bill susceptible to constitutional challenges.

At the same time, the Bill also gives significant powers to the Central Government, not just directly (for instance through various standard setting powers), but also by limiting the independence of the proposed DPA. We point, in particular, to the problems in the structure of the DPA, provisions that enable the Government to interfere in its technical and administrative functioning and the need for greater accountability from what is likely to become one of the most powerful regulators in the country.

References

Bailey et al, 2018: Rishab Bailey, Vrinda Bhandari, Smriti Parsheera, Faiza Rahman, Use of Personal data by intelligence and law enforcement agencies, LEAP Blog, August 1, 2018.

Bhandari et al, 2017: Vrinda Bhandari, Amba Kak, Smriti Parsheera and Faiza Rahman, An analysis of Puttaswamy: the Supreme Court's privacy verdict, LEAP Blog, September 20, 2017.

FCA-ICO MoU, 2014: Memorandum of Understanding dated 29 September, 2014 between the United Kingdom's Financial Conduct Authority and the Information Commissioner's Office.

FSLRC, 2013: Financial Sector Legislative Reforms Commission, Volume I: Analysis and Recommendations, March, 2013.

Justice K.S. Puttaswamy v. Union of India (Right to privacy case), 2017 (10) SCC 1.

Justice K.S. Puttaswamy v. Union of India (Aadhaar case), 2019 (1) SCC 1.

Parsheera, 2019: Smriti Parsheera, Regulatory governance under the PDP Bill: A powerful ship with an unchecked captain?, Medianama, January 7, 2020.

Pradeep Kumar Biswas v. Indian Institute of Chemical Biology, 2002 (5) SCC 111.

Ram Manohar Lohia v. State of Bihar, (1966) 1 SCR 709.

 

Rishab Bailey, Smriti Parsheera, and Faiza Rahman are researchers in the technology policy team at the National Institute of Public Finance and Policy. Vrinda Bhandari is a practicing advocate in Delhi.