How India can operationalize its data protection regulation
Privacy and data protection experts from Germany, Ghana and the Philippines have suggested ways through which India’s Data Protection Authority can work to effectively operationalize the country’s data protection regulation, whenever it is enacted.
India has since 2019 been working to introduce a new data protection regulation intended to completely change the country’s data protection regime, which is governed by the Information Technology Act 2000. The legislation is still to be enacted and there have been discussions and consultations by both government and private stakeholders about how to expand the scope of the legislation in order to make it more relevant and easily implementable.
It is within this context that Medianama organized a two-day virtual event, dubbed PrivacyNama 2021, which brought together experts in the data protection and promotion domain to exchange views on a number of topics and offer suggestions for India’s data protection regulation journey.
The session of the online event that looked at the setting up and operationalization of a data protection authority was moderated by Indian lawyer and researcher Malavika Raghavan, and featured three panelists: Marit Hansen, data protection commissioner of Land Schleswig-Holstein in Germany; Commissioner Raymund Liboro, chairman of the National Privacy Commission of the Philippines; and Teki Akuetteh Falconer, former executive director of the Data Protection Commission of Ghana.
Specifically, the goal of this session was to highlight what is required to put a data protection regulation into operation, and what lessons can be learned from the experiences of those who have had the responsibility of implementing such policies.
All three speakers shared experiences of how data protection authorities in their countries succeeded in implementing the rule changes – experiences which they said can be adapted to the Indian case.
Among other things, the panelists agreed that in order to get the data protection regulation operational, there is a need to put in place the right political and technical leadership, adequate material and human resources, strategic collaboration with a wide range of government and private sector stakeholders, a strong communication mechanism, as well as transparency and the building of trust.
Speaking about the Philippines, Liboro said that although there is no “playbook” on how to organize a data protection regulation authority, it is important to establish strong leadership and clarity, and also to break down the theoretical concepts into simple notions which people can understand.
Risk management approach
Liboro said the Philippines took the risk management approach, which meant risk for data subjects, businesses, and even for the Data Protection Authority itself. “The goal is to build data privacy resilience and see how we can prevent privacy disasters from happening. You can do that by building data and privacy resilience from the ground, upward. That’s what we do every day; we prevent privacy disasters from happening,” he said.
“The 21st century regulator promotes and protects rights… Data protection regulation involves three key things: risk, technology and legal framework. You’ve got to have a good mix of these,” Liboro added, mentioning that the regulator must also work to promote and protect rights.
“Promoting rights is about coming out with the right policies, advice, information, dialogue standards and support. Protecting rights has to do with strong awareness campaigns, and building capacity to be able to respond to complaints,” the official said.
Teki Akuetteh Falconer, for her part, shared the Ghanaian experience, reiterating the need for the right leadership and resources. She said that in Ghana, it took about three years (from when the data protection authority was created) to get the staff it needed in place. She said that in some ways the body lacked the right capacity from the start, for instance not having “the resources to hire people with the right kind of skill sets that could help us get things done the right way.”
Over time, however, she said the situation improved as the authority made much use of the traditional media and also engaged in useful partnerships with other data protection regulation bodies such as that of the UK.
“Beyond the passage of the laws, we need the right political leadership. We also need the right institutional leadership. This is important for a new institution that is being set up. Having the right kind of people in the right places brings integrity and trust to the institution. The leadership of the institution and even how these people are appointed is critical to creating the right operational framework,” said Falconer.
She added: “Another important thing is having the adequate financial resources, and also the human resource. You also have to be very strategic because what tends to be happening with some data protection regulators is that they are in the party when it’s a little bit too late. Learning from others is also important. Collaboration for such an ecosystem is also required. Do not see yourself as an island, if not you are going to be lost. Early on, we got Ghana to sign up to what is now known as the Global Privacy Assembly, and that gave us the space and opportunity to meet other people.”
For her part, Marit Hansen said it is important for the data protection authority to evaluate its work from time to time and see where there is something new to learn.
“Privacy disasters must be understood and prevented. We need a data protection management system where we re-evaluate for each situation and see whether we have to change something or learn. Make visible what is happening, make visible the risks and also make sure that there are solutions. Choose your cooperation partners wisely, you will need them. Look into communities and meet people, otherwise they’ll get frustrated,” Hansen recommended.
Another issue emphasized by the panelists is the need to build a strong collaboration with companies that deal with data. Using the example of the Philippines on this, Liboro said, “we are working with data protection officers in companies and they are helping us implement our laws. Companies that process data have to have data protection officers, and these officers have to have the required skills. The Philippines has 23,000 registered data protection officers. Leveraging and empowering private sector capacity as a way of helping the data protection authority is important.”
Other aspects discussed by panelists during the session, which lasted an hour and thirty minutes, included the nature of administrative and criminal sanctions and how to apply them in the case of non-compliance with the law, the importance of awareness campaigns so that people can understand what their rights and obligations are as provided for by the law, as well as the powers that the data protection authority needs to be vested with in order to make its work effective and results-oriented.