Comparison of the Powers of Supervisory Authorities Under GDPR Vis-a-Vis the Data Protection Authori
"Privacy is not something that I’m merely entitled to, it’s an absolute prerequisite."
People and governments around the world have started to realise that, in an age where technology is advancing and disrupting rapidly, the protection of personal data and privacy is of utmost importance. In 2017, the Supreme Court of India recognised the 'right to privacy' as a fundamental right in the landmark case of Justice K.S. Puttaswamy vs. Union of India[i]. Subsequently, the Government of India appointed a Committee of Experts under the chairmanship of Justice B.N. Srikrishna. The Committee's mandate was to prepare a report on India's existing data protection regime and to put forward a draft Data Protection Bill.
After almost a year, the Committee submitted its report and the draft Personal Data Protection Bill ("PDP Bill") on 27 July 2018. The provisions of the Bill show that it is largely inspired by the European Union's General Data Protection Regulation ("GDPR"), which came into force on 25 May 2018. Both instruments establish data protection authorities with wide-ranging powers. This post analyses and compares the powers of those authorities: the Data Protection Authority of India ("DPAI") under the PDP Bill and the 'Supervisory Authority' under the GDPR.
The Data Protection Authority under the PDP Bill
The central authority, termed the Data Protection Authority of India, is envisioned as the body responsible for the proper enforcement and implementation of the provisions of the Bill. Chapter X of the Bill, titled "Data Protection Authority of India", contains a comprehensive set of provisions relating to the Authority. The most important of these is 'Powers and Functions of the Authority' (Section 60), which is analysed in detail below.
Under this chapter, the DPAI is to be a body corporate comprising a chairperson and six full-time members. They are to be appointed by the Central Government on the recommendation of a selection committee comprising the Chief Justice of India (or a judge of the Supreme Court nominated by the CJI), the Cabinet Secretary, and an expert. The chairperson and the members must each have at least 10 years of professional experience in information technology, data management and security, or related fields. The DPAI will play the central role in ensuring that data fiduciaries (the entities that decide how personal data is handled and processed) do not encroach upon the privacy rights of data principals (the natural persons to whom the data relates).
Supervisory Authority under the GDPR
The data protection authorities, referred to as 'Supervisory Authorities' under the GDPR, are charged with enforcing the provisions of the GDPR and protecting the privacy rights of natural persons. The term 'supervisory authority' is defined in Article 4(21) as 'an independent public authority which is established by a Member State pursuant to Article 51'.
Article 51 requires every Member State to establish one or more independent supervisory authorities.
The aim of GDPR is the uniform application of the regulations across the European Union, and to make this possible, the supervisory authorities of each of the Member States need to work together, and in a consistent manner.
There is also the concept of the 'Lead Supervisory Authority', which comes into play when a company is engaged in "cross-border processing". Cross-border processing is defined in Article 4(23) as either processing in the context of the activities of establishments in more than one Member State, or processing carried out from a single establishment that substantially affects, or is likely to substantially affect, data subjects in more than one Member State.
The lead supervisory authority is not chosen by the company; under Article 56 it is the authority of the Member State in which the controller's or processor's main (or single) establishment is located, and it acts as the single point of contact for that company's cross-border processing. The purpose of this one-stop-shop mechanism is to reduce confusion for companies and to increase co-operation between the authorities of the Member States.
Comparison & Analysis
The DPAI under the PDP Bill and the Supervisory Authority under the GDPR are similar to the extent that both are responsible for monitoring compliance with, and implementation of, the rules framed under their respective instruments. But the powers and functions of the two authorities are far from the same.
The powers of the DPAI are set out in Sections 60 to 64 of the Bill. They include the power to take action in the event of a data breach, to monitor cross-border transfers of data, to issue codes of practice, and to promote awareness of data privacy. The Bill may have succeeded in comprehensively listing the DPAI's powers, but it fails to provide sufficient guidelines and clarity on how they are to be exercised.
One power of the DPAI that lacks sufficient guidelines is the power to specify "reasonable purposes" for the processing of data under Section 17. The Bill neither defines the word "reasonable" nor provides any guidelines the DPAI must follow when formulating these "purposes".
Another instance of sweeping discretion given to the DPAI is the power to add further categories of data to the already expansive list under "sensitive personal data". That definition covers categories such as health data, sex life, caste or tribe, and religious or political belief or affiliation. By not stipulating objective criteria or guidelines for the DPAI to follow, the Bill grants the Authority unjustified discretion, which may amount to law-making rather than the implementation of the law.
The DPAI has also been given the power to impose penalties. It is also worth noting that, while the GDPR itself equips Supervisory Authorities only with administrative fines and corrective measures (Article 84 leaves any other penalties, including criminal ones, to the law of each Member State), the PDP Bill additionally creates criminal offences punishable with imprisonment.
On the other hand, the Supervisory Authorities established in each Member State of the EU have been given investigative powers, corrective powers and sanctions, and authorisation and advisory powers.[ii] They have also been given the power to impose administrative fines.[iii] Depending on the infringement, a Supervisory Authority may impose a fine of up to 20 million euros or up to 4% of the company's total worldwide annual turnover of the preceding financial year, whichever is higher. In setting the fine, Supervisory Authorities consider the nature, gravity and duration of the infringement, the actions taken by the company to mitigate the damage, and any previous infringements.
Although the list of powers in Article 58 is comprehensive, Article 58(6) makes clear that it is not exhaustive. Member States may by law give their Supervisory Authorities additional powers required for the protection of data under the GDPR, but they cannot reduce the scope of the powers already prescribed, and the exercise of any additional powers must not impair the consistency mechanism of Chapter VII.
Comparing the two authorities, it is readily apparent that both instruments allow additional powers to be created where necessary for their proper implementation. Whereas the discretion given to Member States in defining new powers is clearly delimited by the GDPR, and is therefore restricted, the same cannot be said of the DPAI.
There are two fundamental reasons for this. Firstly, since the aim of the GDPR is the uniform implementation of its provisions, every supervisory authority has been given the same tasks and powers.[iv] Consequently, no Member State can confer on its Supervisory Authority a power that is inconsistent with the powers of the Supervisory Authorities of other Member States. Secondly, the powers already defined for the Supervisory Authorities are free of ambiguity. As analysed above, the PDP Bill lacks clarity and fails to provide sufficient guidelines for the DPAI in defining some of its powers, which may amount to excessive delegation.
In the case of Justice K.S. Puttaswamy[v], it was held that, because Sections 23 and 54 of the Aadhaar Act[vi] fail to lay down a sufficiently defined legislative policy, the Unique Identification Authority of India (UIDAI) had been given excessive delegation. It is the duty of the legislature to lay down proper policy and guidelines when delegating powers to an executive body.
Applying the principle laid down in that judgment, if the scope of the discretion given to the DPAI by the provisions of the Bill is not narrowed, it may well lead to considerable difficulty and litigation in the future. A statute creating criminal offences is, moreover, constitutionally required to be clear and free of ambiguity.
The PDP Bill contains multiple unexplained terms and lacks the clarity and precision of the GDPR. Although the PDP Bill is intended to establish a robust data protection regime, it could pose a serious threat to individual privacy if these infirmities are not addressed.
[i] Justice K.S. Puttaswamy vs. Union of India, (2018) 1 SCC 809
[ii] Recital 129 of the General Data Protection Regulation
[iii] Recital 150 of the General Data Protection Regulation
[iv] Recital 128 of the General Data Protection Regulation
[vi] The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016
By Siddhartha Tandon, 3rd Year, National Law University Jodhpur (NLUJ)