A citizen's biometric data is collected for his Aadhaar card. Photo: Wikipedia Commons
A citizen's biometric data is collected for his Aadhaar card. This program sparked off the need for a data protection law in India. Photo: Wikipedia Commons

India is at the cusp of a major policy decision that will have a deep impact on its democratic principles and economic future, as the country debates the creation of a privacy framework.

The first step of that framework is currently being debated as a proposed data-protection law. A committee appointed under former Supreme Court Justice B N Srikrishna is looking into what the framework of this new law should be.

So far in this series, we have argued how the consent of users is primary in any such law. We have also shown there is a robust economic argument in favor of a strong law. In this final piece, we will show how to enforce such a law.

Most data-protection regimes are based on the Fair Information Practices Principles and the OECD Privacy Principles, which lay down the key principles that should inform a regulatory regime. The white paper released by the Srikrishna Committee also closely follows these guiding documents.

Aside from reaching a consensus on the privacy principles, the committee must also deliberate on the governance model that should be adopted by India, and how the principles must be applied. While there is relative global consensus on a liberal framework for data-protection principles, there is much less agreement on what the most effective ways are of applying and enforcing these principles.

The white paper deliberates on different models of enforcement, looking at the three models of command and control, self-regulation and co-regulation. However, this discussion is sorely incomplete, as it focuses almost entirely on the actors responsible for regulation – command and control involving the regulator as the key actor responsible for regulation; the self-regulation models involving the industry bodies as regulating actors; and the co-regulatory model involving a mixture of both.

While this discussion is important, it is even more important to delve into the approach that the chosen actors (regulator, industry or a mix of the two) will adopt in governance.

Adversarial vs persuasion

Two strategies dominate the discussion on enforcement strategy of regulators. Regulatory agencies have considerable discretion with the enforcement task. In broad terms, they can choose between two very different enforcement strategies: deterrence and “advise and persuade,” sometimes referred to as a “compliance” strategy.

The deterrence approach is an adversarial style of enforcement built around sanctions for rule-breaking behavior, and built on a model of economic theory that those regulated are rational actors who would respond to incentives and disincentive.

On the other hand, compliance strategy emphasizes cooperation rather than confrontation and conciliation rather than coercion. It seeks to prevent harm rather than punish an evil. Its conception of enforcement centers upon the attainment of the broad aims of legislation, rather than sanctioning its breach.

Given the limitations of both compliance and deterrence as standalone strategies, most contemporary regulatory specialists now argue for a judicious mix of compliance and deterrence as the optimal regulatory strategy.

Regulated entities have a variety of motivations and capabilities. Regulators must invoke enforcement strategies that both successfully deter egregious offenders and encourage virtuous employers to comply voluntarily, while rewarding those who are proactive. Thus good regulation means invoking different responsive enforcement strategies based on the behavior of the regulated actors. This approach is called responsive regulation.

Central to this model are the need for a gradual escalation up the face of the pyramid and the existence of a credible tip that, if activated, will be sufficiently powerful to deter even the worst offenders.

For a country like India with an abysmal state of data protection, such a graded approach is necessary. Introduction of a robust law is fully necessary, but could lead to extreme non-compliance in the beginning. Therefore, India needs a graded regulation that allows those controlling the data sufficient time to create internal policies and capacity for compliance.

Empowering regulators

For such an approach to work, the regulator needs to be given a range of powers and functions. The regulator must be able to perform the functions of an educator, an ombudsman, a judicial body and an enforcer.

On one end of the spectrum, the regulator should be able to perform support functions such as educating data controllers through guidance and codes of practice, standards setting, advisory services and training. On the other hand, the regulator should have a variety of carrots and sticks at its disposal starting from soft powers such as notices and warnings, naming and shaming, mandatory audits, to powers to investigate and impose fines and compensatory orders.

This system requires a co-regulatory or joint approach. In a country like India with limited state capacity, such a co-regulatory model is an attractive option. Such a model also allows greater participation from other actors, which would lead to greater compliance in case of a more bottom up process.

However, the international experience with regard to co-regulation has been a mixed one. The white paper approvingly refers to articles detailing examples of collaborative governance in the Netherlands and the attempts made in the US. The experience closer home in the APEC (Asia-Pacific Economic Cooperation) countries has been less favorable. Such approaches have been experimented with and discarded in Australia. Therefore, it needs to be adopted with sufficient mechanism for oversight and monitoring.

Data-protection regimes have had mixed results due to a lack of appreciation of the complexity of the subject matter of regulation. A reliance on too much hard power in the form of criminal prosecution and exorbitant fines such as in countries like Spain, or alternatively too much emphasis on industry self-regulation as seen in the US, both suffer from a limited understanding of the scope of the problem.

A graded approach that allows for responsively dealing with the different kinds of issues that arise is the answer in a country like India. While India is extremely late in framing its data-protection law, it must use the advantage of learning from the experience of other jurisdictions.

This is the last article of a three-part series.

Amber Sinha

Amber Sinha is a program manager with the Centre for Internet & Society, India