Data Protection Board: Implications of Absence of Judicial Member

In today’s era, where the value of data stands next to be priceless, the Indian Parliament has enacted the Digital Personal Data Protection Act, 2023. Before the law was enacted, the Bill went through a turbulent series of discussions and revisions since the inception of the Justice B.N. Shrikrishna Committee in the year 2017. The previous versions of the Bill drew criticism from both the opposition and experts in the field. After the Digital Personal Data Protection Bill, 2023 was tabled by the Union Minister for Electronics & Information Technology, Ashwini Vaishnaw on August 3, 2023, in the Lok Sabha, the Bill received the approval of the Lower House and the Upper House. On August 11, 2023, the Hon’ble President, Droupadi Murmu granted assent to the Bill.

In the discussion that ensues, this article delves into an analysis of a facet that has not been given enough consideration relative to its possible consequences – the foundational principles and attributes that define the Data Protection Board. It also examines the critical question of whether the Board aligns with the concept of a tribunal, given its quasi-judicial role in data protection matters. Furthermore, the paper explores the constitutional implications of not mandating a judicial member within the Board, assessing potential conflicts with the doctrine of separation of powers. 

Establishment of a Data Protection Board

For the first time in India’s legal landscape, the Legislators have proposed the establishment of a Board which would be entrusted with overseeing and addressing multifaceted aspects of data protection – the Data Protection Board. On the face of it, the Board seems to be a strategic endeavour to alleviate the burden on the judiciary by facilitating the resolution of data-related disputes. 

Section 18[1] of the Act provides for the establishment of the Board, wherein it has been stated that this institution shall be a “body corporate”; this legal status grants the Board certain rights and powers, similar to a legal person, which enables it to function independently in legal and financial matters. The provision also grants the Board the authority to acquire, possess, and transfer both movable and immovable property. More importantly, the Board will have the capacity to initiate legal actions (sue) or be subject to legal actions (sued) in its own name.

Section 19(3)[2] sets forth the criteria for the selection of individuals who will serve as the Chairperson and Members of the Board. The Section outlines the qualifications required for individuals who are to be appointed as the Chairperson and other Members of the Board. According to the said clause, these individuals are expected to possess specific attributes and a background that encompasses specialised knowledge or practical experience in various areas. Especially, the provision mandates that at least one of the appointed individuals must be an expert in the “field of law”.

With an emphasis on leveraging technology, the Board is set to function as an independent entity, adopting a digital approach to its operations.  

Is the Data Protection Board Equivalent to a Tribunal?

The term “tribunal” has not been defined explicitly in any law in India, however, there are judgments wherein Courts have laid down the requisites or features of tribunals. The Law Commission of India in its 272nd report defined it as an administrative body created to carry out quasi-judicial functions. Additionally, an administrative tribunal is not an executive body or a court; it occupies a space in the middle between an administrative body and a court.

In Jaswant Sugar Mills Ltd., Meerut v. Lakshmichand[3], the primary criteria for identifying a tribunal was established – authority to determine matters, compel witness attendance, follow essential rules of evidence, and wield sanctioning powers.  The legal understanding of a tribunal extends beyond mere courtroom connotations. As elucidated in Durga Shankar Mehta v. Raghuraj Singh[4], the Apex Court held that the expression “tribunal” according to Article 136 of the Constitution does not mean “Court” but includes within it, all adjudicating bodies, provided they are constituted by the State to exercise judicial powers. In Virindar Kumar Satyawadi v. The State of Punjab[5], the court has emphasised that tribunals, akin to Courts, hold the responsibility to decide disputes judiciously, offering parties the right to be heard, adduce evidence, and obtain judgments based on sound legal reasoning.

The Board as envisaged under the Digital Personal Data Protection Act, 2023, bears a striking resemblance to the legal concept of a tribunal, serving as an institutional mechanism for adjudication. Section 27(1)[6] of the Act confers powers upon the Board, akin to those of a tribunal. It responds to various breaches, such as personal data breaches and violations by data fiduciaries, consent managers, and intermediaries. This proactive role mirrors the adjudicatory function of a tribunal, which often investigates alleged violations and imposes penalties. Furthermore, the Board’s process of inquiry, during which affected parties can present their case and respond to allegations, resonates with the principles of natural justice, an essential trait of tribunal proceedings.

The pivotal role of the Board becomes even more pronounced when considered in tandem with Section 28[7] of the Act. This section outlines the Board’s functioning as an independent body, which not only enhances efficiency but also resembles the autonomous nature of a tribunal. The ability of the Board to issue interim orders, a power typical of tribunals, underscores its capacity to intervene promptly and effectively in disputes. The said Section also specifies that the Board shall have the same power as that of a civil court under the Code of Civil Procedure, 1908 in discharging its functions.

In essence, the attributes and functions prescribed in the Digital Personal Data Protection Act, 2023 undeniably establish the Board as a tribunal, holding the central role of quasi-judicial adjudication in matters of data protection.

Absence of a Judicial Member in the Data Protection Board

The composition and qualifications for the appointment of the Chairperson and Members of the Board are outlined under Section 19(3)[8] of the Act. The provision mandates that the members possess expertise in various fields, including data governance, administration, etc. However, it does not explicitly require the presence of a judicial member, which contrasts with certain landmark judgments emphasising the importance of including judicial experts in tribunals.

In the case of L Chandra Kumar v. Union of India[9], the Supreme Court deliberated on the competence of members in administrative tribunals. It highlighted the significance of a balanced blend of judicial and administrative members to ensure efficient and specialised adjudication. The judgment acknowledged that purely judicial members might undermine the primary rationale behind tribunals’ creation, while a combination of legal and administrative expertise would provide the best framework for delivering speedy and effective justice.

The Administrative Tribunals Act, 1985, and the case of S.P. Sampath Kumar v. Union of India & Ors.[10] further underscore the importance of insulation of tribunals from executive interference. The Court observed that total independence of the judiciary from executive pressure is a fundamental constitutional feature. The appointment process of tribunal members should involve consultation with the Chief Justice of India or a high-powered selection committee to ensure meaningful and effective appointments, preserving the tribunals’ independence and integrity. In the Rojer Mathew v. South Indian Bank Limited & Ors[11] case, the Court highlighted the necessity of a judicial member’s presence within tribunals. It emphasised that the performance of judicial functions cannot be effectively carried out by technical members alone, and the absence of judicial input impairs the tribunals’ efficacy.

The absence of a requirement for a judicial member in the Data Protection Board raises pertinent concerns, not only from the perspective of tribunal expertise but also in the context of the separation of powers.

Repercussions

The doctrine of separation of powers is a foundational principle in a democratic system, aimed at preventing the concentration of unchecked power in any one branch of government. By omitting the necessity of a judicial member, the Act deviates from this principle, potentially jeopardising the independence and impartiality of the Data Protection Board. The Act’s provisions empower the Central Government to appoint members of the Board based on their expertise in various fields, without explicitly mandating judicial representation. This situation creates a potential avenue for exploitation, as the Central Government could theoretically appoint individuals who align with its interests, potentially undermining the impartiality of the Board in cases involving disputes between individuals and the government or government entities. Such a scenario could lead to a perceived lack of objectivity and raise concerns about the Board being utilised as a tool for the government’s advantage.

References:

[1] The Digital Personal Data Protection Act, No. 22 of 2023, § 18, Acts of Parliament, 1992 (India).

[2] The Digital Personal Data Protection Act, No. 22 of 2023, § 19(3), Acts of Parliament, 1992 (India).

[3] Jaswant Sugar Mills Ltd. v. Lakshmichand, AIR 1963 SC 677.

[4] Durga Shankar Mehta v. Raghuraj Singh, AIR 1954 SC 520.

[5] Virindar Kumar Satyawadi v. The State of Punjab, AIR 1956 SC 153.

[6] The Digital Personal Data Protection Act, No. 22 of 2023, § 27(1), Acts of Parliament, 1992 (India).

[7] The Digital Personal Data Protection Act, No. 22 of 2023, § 28, Acts of Parliament, 1992 (India).

[8] Supra note 2.

[9] L. Chandra Kumar v. The Union of India & Ors, (1997) 3 SCC 261.

[10] S.P. Sampath Kumar v. Union of India & Ors, 1987 SCC Supl. 734.

[11] Rojer Mathew v. South Indian Bank Ltd and Ors, (2020) 6 SCC 1.

Image Credits:

Photo by @memorystockphoto: https://www.canva.com/photos/MAFlth-ZANA-protection-network-security-computer-and-safe-your-data-concept-/

The doctrine of separation of powers is a foundational principle in a democratic system, aimed at preventing the concentration of unchecked power in any one branch of government. By omitting the necessity of a judicial member, the Act deviates from this principle, potentially jeopardising the independence and impartiality of the Data Protection Board. The Act’s provisions empower the Central Government to appoint members of the Board based on their expertise in various fields, without explicitly mandating judicial representation. This situation creates a potential avenue for exploitation, as the Central Government could theoretically appoint individuals who align with its interests, potentially undermining the impartiality of the Board in cases involving disputes between individuals and the government or government entities. Such a scenario could lead to a perceived lack of objectivity and raise concerns about the Board being utilised as a tool for the government’s advantage.

POST A COMMENT

Empowering Gender Neutrality: DPDP Act’s Use of Feminine Pronouns to Refer to All Genders

In a remarkable stride towards gender neutrality and inclusivity, the recently enacted Digital Personal Data Protection Act, 2023, has shattered conventional norms by adopting the pronouns “she/her” to address individuals of all genders.

This audacious linguistic shift signifies not only a modern legislative approach but also a subtle yet impactful gesture towards promoting and recognising the diversity of identities in today’s society. The Act received the President’s assent on August 11, 2023, thereby becoming a transformative law that safeguards digital privacy.

Gender Neutrality in Contemporary Legislative Approaches

The innovative use of gender-inclusive pronouns is reflective of a broader global trend where feminism is increasingly influencing legislative initiatives. The incorporation of gender-neutral language in the Digital Personal Data Protection Act, 2023, builds upon the foundation laid by various historical and contemporary feminist movements. This inclusionary language in the Act not only aligns with this legacy but also represents a proactive step towards erasing linguistic gender biases. The resonance of the gender-neutral approach taken in the Act finds a parallel in the Kerala Public Health Bill, 2023 passed by the Kerala State Assembly in March 2023, which also adopted feminine pronouns, albeit within the context of the State Legislation. This step highlights an emerging trend towards inclusivity and sensitivity in policy-making across India.

The trajectory of gender neutrality within the Digital Personal Data Protection Act, 2023, reverberates with the intricate threads of legal precedent. By weaving the principles set forth in the NALSA judgment[1], the Act elucidates a comprehensive vision of gender inclusivity. The Act’s recognition of gender beyond the binary reflects jurisprudential ethos that reverberates with constitutional principles. It epitomises the ethos of the NALSA judgment, where the Courts affirmed the right to self-identify gender, emphasising perception over biology.

It’s interesting to note the interpretation of the term “person” within the General Clauses Act, 1897 specifically under Section 3(42); the expansive definition encompasses entities beyond individual human beings, encapsulating companies, associations, and bodies of individuals, whether incorporated or not. Intriguingly, the Act refrains from providing an explicit definition of “person” but under Section 2(y) of the Act, it is specified that “’she’ in relation to an individual includes the reference to such individual irrespective of gender”. This astute approach seamlessly aligns with the broader legal canvas, showcasing a nuanced understanding of legal intricacies.

Conclusion

The Digital Personal Data Protection Act, 2023, stands as a testament to the symbiotic relationship between evolving jurisprudence and legislative evolution. Its endorsement of gender-neutral pronouns not only signifies a linguistic transformation but also echoes the judicial strides made in recognising the rights of transgender persons. As the Act navigates the legislative process, it underscores the metamorphosis of legal thought, harmonising constitutional ideals with contemporary societal nuances. It remains to be seen whether the pronouns “she/her” would be used more frequently in laws enacted in the future.

References:

[1] National Legal Services Authority (NALSA) Vs. Union of India, AIR 2014 SC 1863.

Image Credits:

Photo by SasinParaksa: https://www.canva.com/photos/MADm9NnOmUQ-digital-data-security-and-mobile-phone-security-technology/

It’s interesting to note the interpretation of the term “person” within the General Clauses Act, 1897 specifically under Section 3(42); the expansive definition encompasses entities beyond individual human beings, encapsulating companies, associations, and bodies of individuals, whether incorporated or not. Intriguingly, the Act refrains from providing an explicit definition of “person” but under Section 2(y) of the Act, it is specified that “’she’ in relation to an individual includes the reference to such individual irrespective of gender”. This astute approach seamlessly aligns with the broader legal canvas, showcasing a nuanced understanding of legal intricacies.

POST A COMMENT

Harmonizing Data Privacy and Mediation: A Progressive Outlook in India's Digital Personal Data Protection Bill, 2023

From inventing the bulb to defying possibilities with the touch of a button, mankind has come a long way in technology to reach where we are today. Globally, there are 5.19 billion internet users[1], and the tremendous volume of data exchanged over cyberspace emphasizes the need to protect sensitive private data from exploitation by institutions. According to UNCTAD[2], 137 out of 194 nations have legislation to protect the data and privacy of their citizens on the internet.

Having legislation and regulating bodies is essential to ensuring devious cyber activities are kept in check. The Indian Legislator has been expeditiously working on the drafting of the Data Protection Law. The recently unveiled Digital Personal Data Protection Bill, 2023, marks a significant milestone in India’s legislative journey, following numerous previous endeavours and extensive consultations with stakeholders from diverse domains, greatly influencing its formulation.

 

Right to Privacy vis-à-vis Puttaswamy Judgment

In the well-known Supreme Court decision of K.S. Puttaswamy v. Union of India[3], which recognized “privacy” as intrinsic to the right to life and liberty, guaranteed by Article 21 of the Indian Constitution, establishing “right to privacy” as a fundamental right, the groundwork for a single statute of legislation for the protection of data in India was laid down in 2017. The Puttaswamy Judgment touches on protections for people in the private realm while primarily addressing the range of rights of a citizen as opposed to the State. The Supreme Court found that the State had a positive burden of upholding and sustaining this dignity and connected the value of privacy to the value of individual dignity. The Puttaswamy Judgment serves as the basis for both establishing a prohibition against privacy-violating State activities and the State’s duty to regulate private contracts and private data sharing in order to protect individual privacy.

 

Timeline of the Bill

The first draft of the Personal Data Protection (PDP) Bill was proposed by the Justice Shrikrishna Committee in 2018. Since then, the legislative process has witnessed a series of turbulent turns, starting with the introduction of the PDP Bill 2019 in the Lok Sabha. The bill was subsequently sent to the Joint Committee for review but was eventually withdrawn in December 2021. The following year, the Ministry of Electronics and Information Technology (MeitY) released another Draft of the Digital Personal Data Protection Bill, (DPDP) 2022, which was made open for public comment in November 2022.[4] However, this version received several criticisms and businesses complained about onerous provisions on cross border data transfer.

Moving on to the present timeframe, the Union Communications, Electronics, and Information Technology Minister Ashwini Vaishnaw on 3rd August, 2023 introduced the new bill in the Lok Sabha during Monsoon session of Parliament.[5] The long journey of the Bill was foreseeable since it is arduous to strike the perfect balance between the Fundamental Right to privacy along with the permissible limitations linked to this entitlement, business feasibility, and the international criteria for being recognized as an appropriate jurisdiction for data processing.

 

The New Road: Mediation

In a progressive step towards strengthening India’s data protection framework, the Digital Personal Data Protection Bill 2023 reflects a notable emphasis on Mediation as an Alternate Dispute Resolution (ADR) mechanism. This emphasis signifies the legislature’s recognition of Mediation as an effective means to address data-related disputes while promoting fair and amicable resolutions.

Comparing the language between the 2022 and 2023 versions of the bill reveals a significant shift in focus. Section 23 of the 2022 bill provided the Board with the discretion to direct parties towards mediation or any other dispute resolution process if deemed appropriate. However, in the 2023 bill, the language has been further refined in Section 33, clearly stating that if the Board believes a complaint may be better resolved through mediation, it can direct the concerned parties to attempt mediation, leaving little room for ambiguity. This explicit inclusion of mediation in the text underlines its growing importance as a preferred ADR mechanism in data protection matters.

Furthermore, the recent passage of the Mediation Bill 2021 by the Rajya Sabha offers additional evidence of the legislature’s dedication to promoting mediation as an integral part of India’s legal landscape. The Mediation Bill seeks to provide a comprehensive regulatory framework for mediation, bolstering its credibility as a legitimate dispute resolution process. With the establishment of the Mediation Council of India and provisions for pre-litigation mediation and legally binding mediated settlement agreements, the Mediation Bill reinforces the government’s commitment to make mediation an acceptable and cost-effective means of resolving disputes.

 

The Balancing Act

The unveiling of the Digital Personal Data Protection Bill, 2023, marks a momentous step in India’s legislative journey towards protecting individuals’ data privacy rights. Drawing inspiration from the landmark Puttaswamy Judgment, which recognized the right to privacy as a fundamental right, the new bill brings redefined concepts and provisions that align with the evolving data protection landscape.

One striking feature of the 2023 bill is its strong emphasis on Mediation as an Alternate Dispute Resolution mechanism. The legislative shift from the 2022 version, coupled with the recent passage of the Mediation Bill 2021 by the Rajya Sabha, showcases the government’s earnest efforts to promote mediation as an effective means of resolving data-related disputes. With the explicit inclusion of mediation in the text and the establishment of the Mediation Council of India, the bill reinforces mediation’s credibility as a preferred method for fair and amicable resolutions.

As India progresses in the digital era, the new Digital Personal Data Protection Bill, 2023, stands as a testament to the nation’s commitment to safeguarding data privacy while actively embracing mediation as an instrumental tool for resolving data disputes. By creating a balance between individual privacy rights and business feasibility, this bill ushers in a new era of data protection in the country, inspiring confidence among its citizens and businesses alike. With the combined efforts of the legislative and mediation frameworks, India is poised to set new standards for data protection and dispute resolution in the global arena.

References:

[1] Internet and social media users in the world 2023, Statista (2023), https://www.statista.com/statistics/617136/digital-population-worldwide/#:~:text=Worldwide%20digital%20population%202023&text=As%20of%20April%202023%2C%20there,population%2C%20were%20social%20media%20users. 

[2] Data Protection and Privacy Legislation Worldwide, United Nations Conference on Trade and Development (2023), https://unctad.org/page/data-protection-and-privacy-legislation-worldwide 

[3] Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors., AIR 2017 SC 4161.

[4] Ministry of Electronics and Information Technology, The Digital Personal Data Protection Bill, 2022,  https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Potection%20Bill%2C%202022_0.pdf.

[5] IT Minister Ashwini Vaishnaw introduces Digital Personal Data Protection Bill, 2023 in Lok Sabha, Newsonair.gov.in (2023), https://newsonair.gov.in/Main-News-Details.aspx?id=465464

One striking feature of the 2023 bill is its strong emphasis on Mediation as an Alternate Dispute Resolution mechanism. The legislative shift from the 2022 version, coupled with the recent passage of the Mediation Bill 2021 by the Rajya Sabha, showcases the government’s earnest efforts to promote mediation as an effective means of resolving data-related disputes. 

POST A COMMENT