India is rapidly digitising. Our goal is to enable every Indian to feel empowered and safe when she is online, reap benefits from technology, and face minimal harm from its risks. We call this approach – GoodTech. In order for technology to achieve its full impact, it must incorporate the principles of an important component of GoodTech – #ResponsibleTech that combines its key constituents of inclusion, privacy, security, transparency and good governance.
Like elsewhere globally, the principles of #ResponsibleTech will have to be championed through regulation. One example of this is the Personal Data Protection Bill that the Indian Parliament is currently debating. But passing the bill is not the end. In fact, it is only the beginning. The functioning of the Data Protection Authority (DPA), set to be established in the next 12-24 months, will determine whether Indians – especially the Next Half Billion – get to enjoy privacy when they are online.
Envisioned as an independent regulator along the lines of TRAI and SEBI, the DPA will have significant legislative, executive and judicial powers. The DPA, however, is likely to be a ‘super-regulator’ – it will cover nearly every public and private entity, will oversee a highly subjective law, and will have strong enforcement tools at its disposal. This sets it apart from many other Indian regulators.
Much of the public debate on the DPA has focused on the law itself and how that informs the mandate and powers of the regulator. However, the organizational effectiveness of the DPA – i.e. its ability to design and execute standard processes related to licensing, supervision and enforcement – will dictate whether the law remains a paper-tiger or if it will result in real privacy protection for Indian citizens.
The path will be tough and iterative, but India has the luxury of over thirty years of experience in running regulators. Those involved in running the DPA will likely rely on the Indian regulatory experience to inform their decisions.
But here is where we hit a stumbling block. We currently lack India-specific research on the operations aspects of regulatory governance. To address this deficit, we at Omidyar Network India have provided a grant to National Law School India University, Bengaluru, to set up a two-year research project on regulatory governance. Under this project, NLSIU will produce data-based research that can help build the capacity of the Data Protection Authority (DPA).
NLSIU will evaluate the administrative practices of other Indian regulators. For example, it will look at how other Indian regulators license regulated entities, what the standard operating procedures related to supervision and investigation are, and how they deal with individual complaints. It will also document best practices for each of these functions, both on efficiency and good governance. It will look at regulators from across sectors like telecom, finance, food, infrastructure, shipping, electricity, and others. The research team will use a mix of quantitative and qualitative approaches to examine these research questions.
We believe by supporting policymakers with data-driven research on regulatory governance, NLSIU can help strengthen the organizational capacity of the DPA, and that is why we invested.
Photo credit: Engage in Learning