The Ministry of Electronics and Information Technology (MEITY) tabled the Personal Data Protection Bill, 2019 in Parliament on 11 December, 2019. Among other significant elements of the bill is a provision to create a ‘Data Protection Authority of India’ (DPAI). In this blog, I propose two possible organizational designs to constitute the DPAI. The first option is to merge DPAI with the Telecom Regulatory Authority of India (TRAI). An alternate suggestion is to constitute DPAI with representation from other sectoral regulators.
Proliferation of regulatory authorities
In the last couple of decades India established many regulatory authorities. Starting with the Securities and Exchange Board of India in 1992, numerous other authorities such as TRAI, the Electricity Regulatory Commissions, the Insurance Regulatory and Development Authority of India, and the Real Estate Regulatory Authority were created.
It is important to differentiate these regulatory authorities from autonomous agencies such as the Directorate General of Civil Aviation (DGCA) or the National Highway Authority of India (NHAI). Whereas agencies like DGCA and NHAI are embedded in their parent ministries (the Ministry of Civil Aviation and Ministry of Road Transport & Highways respectively), regulatory authorities like TRAI, CERC, and RERA operate separately from their respective parent ministries and rely on experts in their respective fields for sectoral regulation.
That there is fragmentation in India’s regulatory framework is no secret. In its 2006 consultation paper on Approaches to Regulation – Issues & Options, the erstwhile Planning Commission of India noted a lack of a common regulatory framework in India, because existing institutions have developed with little co-ordination and cross-fertilization of ideas across sectors. Similar observations were also made by the Second Administrative Reforms Commission constituted by the Government of India.
Among other issues, the fragmentation of regulatory framework has led to jurisdictional challenges between regulatory authorities. For instance, under the Telecom Regulatory Authority of India Act, 1997, the telecom regulator has to provide suggestions on measures required to facilitate competition. As per the Competition Act, 2002, the Competition Commission of India (CCI) is supposed to promote and sustain competition and prevent adverse anti-competitive practices.
The turf war between TRAI and CCI over who can regulate anti-competitive behaviour in the telecom sector was settled by the Supreme Court of India in a judgment issued on 5 December 2018. While deciding the matter, the apex court reminded both TRAI and CCI that they must work together to regulate the sector.
A merger of DPAI and TRAI (1st suggestion)
Vesting the new data protection authority with TRAI not only helps in avoiding a future turf war that could emerge between TRAI and DPAI (depending how telephonic technology evolves), it also helps in augmenting the regulatory capacity of TRAI. The premise of creating regulatory authorities like TRAI, CERC and DPAI is to use specialised knowledge and experience in the regulation of a sector. However, many studies in India have found that none of the regulatory authorities have adequate capacity and expertise to regulate.
Year after year, TRAI’s annual reports state how it experiences difficulty in recruiting specialised manpower on account of unattractive terms and conditions. Besides, a major chunk of its employees who come on deputation opt not to stay with TRAI for more than two years, thereby creating continuity issues. The story is no different for other sectoral regulators. It can be assumed that similar issues of attracting and retaining experts will arise with DPAI as well. Merging the two institutions would also allow DPAI to build on existing resources of TRAI rather than starting from scratch.
Introducing representation from other sectoral regulators (alternate suggestion)
The above suggestion of merging DPAI with TRAI would require amending several pieces of legislation, which could become a potential hurdle. An alternate suggestion could be to introduce representation of different sectoral regulators. Article 42 of the proposed bill states that the ‘Data Protection Authority’ shall consist of a Chairperson and not more than six whole-time Members. Representation from other sectoral regulators could be introduced as part-time members or at the mid-management level (create verticals at mid-management level to coordinate and work closely with other sectoral regulators). There could be other ways in which the DPAI could be designed but in any instance the objective should be to ensure it works in tandem with other sectoral regulators.
A possible organizational design is shown below. This kind of structure would help in overcoming the silos in which sectoral regulators operate and provide for better coordination among themselves. This could also give DPAI access to resources of existing sectoral regulators.
Setting up DPAI on the lines of other existing regulatory authorities would add to the existing fragmentation in India’s regulatory framework. The two possible options suggested are in line with the bigger objective of seeking regulatory convergence. Ideally, merging DPAI with TRAI should be given consideration even though it would require amending the TRAI Act, 1997. It is an opportunity to improve upon design of TRAI as well. The Ministry of Communications and MEITY are headed by the same minister. For this reason, merging DPAI and TRAI could provide a template for bringing about convergence in regulatory framework of India. Realistically, however, bringing such convergence could be akin to taking too many steps at a time. Therefore, the second option could be the potential step in the direction of bringing convergence in India’s regulatory framework. It focuses on the organizational design of a new regulatory authority which is cross-sectoral in nature without tinkering with other existing regulatory authorities.