Designing an Effective Data Protection Regulator

The revised Personal Data Protection Bill, expected to be tabled in the current monsoon session of Parliament, is a significant move towards India’s first dedicated personal data protection legislation. One of the proposals is a data protection authority, a cross-sectoral regulator that will significantly influence the Indian regulatory landscape. Against the backdrop of these developments, the author seeks to draw out the appropriate regulatory design keeping in mind essential questions of India’s existing regulatory capacity, framework, and jurisprudence.

The author would like to thank Malavika Raghavan for her support and feedback.

On 24 August 2017, a nine-judge constitutional bench of the Supreme Court of India reaffirmed the right to privacy as a fundamental right (K S Puttaswamy [Retd] and Anr v Union of India and Ors, 2017). Although the Constitution of India does not explicitly recognise the right to privacy, the apex court departs from previous cases—like Govind v State of Madhya Pradesh and Another (1975) and Kharak Singh v State of Uttar Pradesh and Ors (1964)—by holding that the right to privacy is enshrined within Part III of the Constitution (Puttaswamy 2017). From decriminalising homosexuality to adjudicating on the Aadhaar programme’s constitutionality, this comprehensive verdict—which spans over six opinions—has already become seminal for extending its influence on other areas of law closely related to the issue of privacy.¹ However, what distinguishes Puttaswamy from the previous privacy cases—in Kharak Singh v State of Uttar Pradesh (1964) and M P Sharma and Ors v Satish Chandra and Ors (1954)—is that it conceptualised privacy as a right, rather than as a means of protection from specific situations like domiciliary visits, search and seizure, or phone tapping. As Burman (2020) argues, the judgment tilted our jurisprudence from a narrow approach that focused solely on the harms that arose from privacy violations to a broader conception wherein privacy was viewed “as a right worth protecting in itself.”

And it is in this setting, informational privacy gains recognition as a subspecies of the right to privacy, paving the way for the development of a dedicated data protection legislation to protect the rights of the citizens. This is around the same time the General Data Protection Regulations (GDPR) in the European Union (EU) and the California Consumer Privacy Act (CCPA) in the United States (US) were taking shape. The Personal Data Protection Bill, 2019 (henceforth PDPB, 2019) is, therefore, a product of over a decade of privacy jurisprudence influenced by domestic and international developments in technology, informational privacy, and data protection. Keeping this in mind, the article, in its evaluation of the proposed regulatory structure of India’s data protection authority (DPA) and its evolution from the White Paper on the data protection framework, will make references to literature and contemporary developments taking place in other jurisdictions.