Commentary
Carnegie India

How Should India Prepare for the New Personal Data Protection Bill?

The tough job of implementing India’s massive data privacy bill will go to a new regulatory body, the Data Protection Authority. Can the new regulator dodge the problems that have beleaguered India’s other regulatory institutions?

By Shivangi Tyagi
Published on Apr 19, 2021

India’s Personal Data Protection Bill is still under review by lawmakers. Once passed, it will create a huge and complex task: how to oversee the processing of personal data across multiple sectors. Most Indian regulators face capacity constraints that make it difficult for them to carry out all their tasks. Their experience suggests that the new law’s regulatory arm—the new Data Protection Authority (DPA)—will face similar constraints.

A Landscape of Capacity Constraints

Although India has many regulators across multiple sectors, they are often unable to cope with the sheer size of their respective mandates. The country sits in the middle of the pack in the World Bank’s Worldwide Governance Indicators: in 2019, its percentile rank in regulatory quality was 48.56, with 0 being the lowest rank and 100 being the highest.

One reason for this average performance is structural weakness. India’s regulatory institutions lack a dedicated human resources department, meaning that their job vacancies go unfilled. As recently as 2012, the Telecom Regulatory Authority of India had 41 percent of its total posts lying vacant. In another instance, data compiled for India’s electricity regulators showed that more than a quarter of their jobs were vacant in 2011. India only has 139 civil servants per 100,000 of population, compared with 664 in the United States. This lack of capacity means that regulators find it difficult to provide technical expertise, set standards, and even enforce compliance in an effective and rational manner.

A second issue is the lack of clear objectives. Without them, it’s difficult to assess the performance of regulators, particularly those with a large number of functions.

A third problem is the lack of financial independence. According to a CUTS report, this issue can affect the overall independence of regulators.

The Need to Prepare in Advance

Will the new DPA be beset by the same troubles as India’s other regulatory institutions? Existing sectoral regulators with narrower mandates than the DPA are already marred by various capacity constraints that affect their ability to perform their functions meaningfully. The DPA will have an even bigger challenge: the mandate of ensuring data protection across all sectors. Both internal expertise and robust coordination with all the various sectoral regulators will be required to implement sector-specific measures.

One way that the DPA could address the capacity issue is by conducting thorough research before the law is implemented. There are some helpful examples of regulators doing preparatory work in advance to build capacity. The Securities and Exchange Board of India (SEBI)—initially set up as an advisory body—was not given statutory status for three years. To build its capacity gradually, it was first assigned interim functions—one of which was to prepare legal drafts for its own regulatory and development role. Other functions were limited to those considered essential to perform. SEBI was finally given statutory status as an autonomous body through an ordinance. SEBI has been highlighted as an unusual success story in India’s finance and public policy landscape and demonstrates an important lesson—that institutional capacity must be built before the relevant law is passed.

A similar process could be adopted for the DPA; it could start out with a limited mandate so it has time to prepare for its role as a giant cross-sectoral regulator. This could also help address the issue of multiple, unclear objectives, since the DPA’s functions would only expand along with its capacity.

Applying this process in a novel field would not be unique to India. For example, in Singapore, while the data protection law was enacted in 2012, the main provisions didn’t come into force until 2014—two years after the regulator was established.

Since the DPA’s mandate will be wider than that of any sectoral regulator previously established, the preparatory work will be indispensable. Naturally, it will include studying other countries that have data protection laws in place. However, it is important that this research and any resulting inspiration account for India’s particular limitations and capacity issues. Transplanting best practices without modifying them to fit the Indian context may do more harm than good. External legitimacy is not helpful if the institution, despite what it looks like on paper, cannot do its job effectively in reality.

With this in mind, it makes sense for the government to take a pragmatic approach to data protection. It must think about the nature of the problem, along with its context. Preparatory work could include researching and deliberating on the following:

  • Finer details of the DPA’s organizational structure
  • Recruitment strategies to fill vacant posts and ensure adequate internal expertise to perform the DPA’s functions
  • Prioritizing a few key functions and directing resources toward them
  • Initial budgetary allocations based on these priorities
  • Mandate of the DPA for its first two to three years

In addition to this work, sections of the law could be passed in a staggered manner. Here, inspiration can be taken from the Insolvency and Bankruptcy Code, 2016, which has not yet been fully signed into law. A similar approach could be taken for the Personal Data Protection Bill: the Indian government could take its time signing off on the new law’s more onerous provisions until the DPA is up on its feet.

Irrespective of the approach it decides to take, the government must prepare for the law in advance. The regulator responsible for the law’s implementation will be bigger than any other that India has ever seen.

Carnegie India is doing a research project on building state capacity for the upcoming Data Protection Authority.

Shivangi Tyagi
Former Research Analyst, Political Economy Program, Carnegie India
Technology

Carnegie does not take institutional positions on public policy issues; the views represented herein are those of the author(s) and do not necessarily reflect the views of Carnegie, its staff, or its trustees.

© 2026 Carnegie Endowment for International Peace. All rights reserved.