21 August 2023

Trivialising Privacy through Tribunals in India

Analysing the Digital Personal Data Protection Act, 2023

On 11th August 2023, India’s Digital Personal Data Protection Act, 2023 (‘DPDP Act’) has received Presidential assent. The Act’s passing is critical in light of increasing concerns about data security and surveillance in India, including allegations that the government has illegally been using spyware against activists. Moreover, the government and its agencies are major data fiduciaries, having access to various identification and biometric data that have in the past been breached on a large scale. Given this, it is vital that the DPDP Act is able to function effectively and independently against the government in cases of non-compliance. In this piece, I argue a novel provision bestowing appellate jurisdiction on a Tribunal that lacks both the necessary expertise and independence is likely to hinder this goal.

The DPB’s Appellate Tribunal

The DPDP Act, like its previous draft, creates an adjudicative authority, namely, the Data Protection Board of India (‘DPB’). The DPB, under Section 27 of the Act, is empowered to inquire into complaints made or intimations given to it regarding personal data breach by a data fiduciary. The Chairperson and other members of the Board are to be appointed by the Central Government. Further, the salaries, tenure and conditions of service are to be determined by the Central Government. Together, these provisions effectively curb the independence of the DPB, especially considering that the Central Government and its agencies are major data fiduciaries against whom complaints may be made. It is important to note that the previous draft of the Bill, released in 2022, also contained similar provisions that enabled the Central Government to exercise vast powers in determining the composition, tenure, service conditions of the Board. Despite commentators noting that this impinges on the independent functioning of the Board, no substantial change has been made to the current Act to alleviate these concerns.

In fact, the DPB’s lack of independence has been exacerbated due to the appellate mechanism now set up under the Bill. In particular, the DPDP Act provides for the Telecom Disputes Settlement and Appellate Tribunal (‘TDSAT’) as the Appellate Tribunal. This is a significant deviation from the 2022 draft which had declared the relevant High Court as the appellate body for decisions taken by the DPB.  No reason has been given for this change. This matters because the new appellate body is likely to further undermine the DPB’s capacity to act as an effective and independent watchdog, safeguarding the individual’s right to privacy. The core problem, in this respect, is the Tribunal’s failure to conform to the principles of independence and expertise laid down by the Indian Supreme Court.

The Chequered History of Tribunals

Tribunals like the TDSAT were originally constituted to bypass the case backlog and time-consuming procedures in High Courts and the Supreme Court. Further, Tribunals were necessary to resolve disputes that require specialised knowledge, such as tax or environmental matters. While the need for expertise and efficiency is beyond dispute, Tribunals have often been criticised for their lack of independence and for stripping jurisdiction from High Courts. Regarding the former, the manner of constituting Tribunals is markedly different from appointment of judges to High Courts. Members of the judiciary are appointed by a process headed by the higher judiciary, which minimizes the likelihood of them being biased towards the Executive. By contrast, Tribunal membership is largely determined by the Executive (like in the present case). The Government may ‘pack’ them with expert members who are favourable to the government, a major litigating party before Tribunals. The terms and conditions of their service is also dependent on the Union Government’s rules, unlike the service conditions of judges, which is provided in the Constitution itself. The problem is exacerbated by the fact that the jurisdiction of the High Courts has consistently been stripped away and bestowed upon Tribunals instead.

These issues in the structure and working of Tribunals has received judicial scrutiny. The Supreme Court in L Chandra Kumar held that Tribunals are indeed necessary because of their technical expertise but they cannot be deemed equivalent to High Courts because of the weaker protections to independence present in their structure (¶78). Over time, the judiciary has sought to strengthen the functioning and independence of Tribunals. In Union of India v R Gandhi, the Supreme Court, noting the premise behind Tribunals, held that the technical members should be persons with expertise in a field relevant to the purpose behind setting up a Tribunal (¶59). If the technical members do not have the relevant expertise, the Tribunal will be unconstitutional for encroaching upon the powers and jurisdiction of the judiciary (¶90). Further, Tribunals must have a judicial member who can ensure fairness in adjudication (¶59). Significantly, the Court also struck down a provision in the Companies Act that mandated a maximum term of office for three years with a retirement age of 65 years for members of that relevant Tribunal. The reasoning of the Court was that in specialised Tribunals, a term of three years would not be sufficient for the members to acquire the required knowledge and expertise. The provisions also ended up making Tribunals a post-retirement haven for bureaucrats occupying positions of technical members. This is because no expert professional would leave their thriving careers to become a technical member for a short tenure of three years (¶120[ix]). The overall inference from R Gandhi is that Tribunals must reflect both technical expertise and adjudicative competence, apart from being independent in their functioning. Yet, in the presence instance, both technical expertise and independence are gravely compromised.

The TDSAT: Encroachment Disguised as Efficiency

The TDSAT is a creature of the Telecom Services Regulatory Authority Act, 1997 (‘TRAI Act’). The context of the legislation itself is clear – it seeks to protect both telecom service providers and its users. Consequently, the TDSAT is an adjudicative body for disputes that may arise between a licensor and licensee, two or more service providers or between a service provider and consumers. It is evident therefore, that the TDSAT’s purpose has no relevancy to the purpose of an appellate body under the DPDP Act, which as mentioned above, is to adjudicate on cases of data breach.

Further, the members of the TDSAT do not have expertise on data protection and governance. To illustrate, as per, Section 19 of the DPDP Act, the DPB’s members are required to possess special knowledge or practical expertise in data governance, administration or related fields of law, governance and regulation. At least one member must be an expert in law. The underlying premise of these qualifications is that adjudication must be in tune with principles that are relevant to the specific field of data privacy and protection. It follows that the premise must apply even in the case of a body that hears appeals from the DPB.

By way of comparison, the Companies Act 2013 sets up both a Tribunal of first instance and an appellate Tribunal. The technical member of the appellate Tribunal, like the members of the first instance Tribunal, must have specialised knowledge and experience in matters related to company law (Section 411 of the Act). The same is true of the Securities Appellate Tribunal (Section 15M(2) of the SEBI Act) and the Income Tax Appellate Tribunal (Section 252(2A) of the Income Tax Act). But unlike these appellate Tribunals, the TDSAT is a generalist body in the context of data protection. Under Section 14C of the TRAI Act, its Chairperson is a retired Supreme Court judge or Chief Justice of a High Court and its members are persons who have been Secretary to the Government of India or occupants of similar posts or persons who are ‘well versed in the field of technology, telecommunication, industry, commerce or administration.’

Moreover, it is evident that the TDSAT does not pass the muster of the principles in R Gandhi. Section 14D of the TRAI Act clearly mandates a tenure of three years for its members. Thus, the members, apart from being non-experts, will not be able to acquire the requisite knowledge considering their short tenure. If the rationale behind a Tribunal is to provide adjudication guided by expertise, then the TDSAT is indefensible. As per the principle in R Gandhi, since the Tribunal does not in fact possess adequate expertise in the context of data protection, it is unconstitutional for encroaching upon the jurisdiction of the judiciary.

The TRAI Act also sets a retirement age of 65 years for its members. This renders Tribunal membership a ‘sunset’ jobs for retired civil servants, who typically retire at the age of 60. This practice has already been scrutinised for its repercussions on judicial independence. Along similar lines, this can have great effects on both the functioning of the civil service and that of the Tribunal to which they are appointed due to the perverse incentives it may create for civil servants. Thus, to attain these post-retirement jobs at Tribunals, bureaucrats tend to pander to the government or a ruling party during the time of their service, instead of functioning as a neutral, objective administrator. This in turn, raises questions about their functioning while in an independent adjudicatory body after retirement.

As a result of these design flaws, the Tribunal will not be able to inspire public trust and confidence in its adjudication on critical issues of constitutional import. This is the exact situation that R Gandhi sought to repel. While the Chief Justice of India is indeed consulted in the process of selection of members, recent doubts around judiciary-executive snugness in India mitigates the safeguard that such consultation may present. The TDSAT cannot therefore function as a sufficiently independent adjudicatory body. The factors explained above clearly indicate that the appellate structure provided for in the DPDP Act is not just flawed but likely unconstitutional. Given that the DPB and the TDSAT must adjudicate in cases involving the government as a non-compliant data fiduciary, the lack of independence and expertise does not bode well for the fundamental rights of India’s citizens.

 

DOWNLOAD PDF
LICENSED UNDER CC BY-SA 4.0
EXPORT METADATA
Marc21 XMLMODSDublin CoreOAI PMH 2.0
SUGGESTED CITATION  Prasad, Niveditha: Trivialising Privacy through Tribunals in India: Analysing the Digital Personal Data Protection Act, 2023, VerfBlog, 2023/8/21, https://verfassungsblog.de/trivialising-privacy-through-tribunals-in-india/, DOI: 10.17176/20230821-182851-0.

Leave A Comment

WRITE A COMMENT

1. We welcome your comments but you do so as our guest. Please note that we will exercise our property rights to make sure that Verfassungsblog remains a safe and attractive place for everyone. Your comment will not appear immediately but will be moderated by us. Just as with posts, we make a choice. That means not all submitted comments will be published.

2. We expect comments to be matter-of-fact, on-topic and free of sarcasm, innuendo and ad personam arguments.

3. Racist, sexist and otherwise discriminatory comments will not be published.

4. Comments under pseudonym are allowed but a valid email address is obligatory. The use of more than one pseudonym is not allowed.



Explore posts related to this:
India, data protection, judicial independence, privacy

Other posts about this region:
Indien