In continuation of our thinking on the regulation of data, Beni Chugh, Malavika Raghavan, Nishanth K. and Sansiddha Pani have authored a Dvara Research Working Paper titled Effective Enforcement of a Data Protection Regime. The effectiveness of a future Indian data protection regime would hinge largely on the capacity and approach to supervision and enforcement. The paper discusses some novel ideas to guide the enforcement of a data protection regime.
Any data protection regulator faces certain unique challenges. The ubiquitous collection and use of personal data by service providers in the modern economy creates a vast space for a regulator to oversee. Contraventions of a data protection regime may not immediately manifest and, when they do, may not result in a clear monetary or quantifiable harm. The enforcement perimeter is market-wide, so a future data protection authority will necessarily interface with other sectoral institutions. In light of these challenges, we present a model for enforcement of a data protection regime based on risk-based supervision and the use of a range of responsive enforcement tools.
This forward-looking approach considers the potential for regulators to employ a range of softer tools before a breach to prevent it, and after a breach to mitigate its effects. Depending on the seriousness of contraventions, the regulator can escalate to harder enforcement actions. The departure from the focus on post-data-breach sanctions (which currently dominate data protection regimes worldwide) is an attempt to consider how the regulatory community might act in coordination with entities processing data to minimise contraventions of the regime.
In this paper, Part 2 proposes a unique methodology to identify those entities that potentially pose more risk (to individuals and the system) when the personal data they hold is compromised, building on thinking around risk-based approaches to regulation. Part 3 then sets out a range of enforcement tools, inspired by the paradigm of responsive regulation, that could be used by a regulator to prevent and mitigate the effects of a compromise of personal data. These tools could be complementary to the risk-based approach to supervision. Finally, Part 4 of the paper presents some features of institutional design and intersectoral coordination required for effective implementation of such a model approach for risk-based supervision and enforcement of data protection rights.
Read the paper here.