Date: 2022-08-19

The government is considering doing away with the need for a data protection authority (DPA) in the new draft of the data protection law, this newspaper reported on Friday. Officials aware of the discussions said that, instead of DPA, a committee to hear and act on user grievances could be created. The officials who spoke of the plan reiterated that it is still in the works, and that the bill will be floated for public consultation once a draft has been hammered into shape. But they cited the ease of doing business, especially for small- and medium-sized enterprises, for whom a regulator such as DPA, especially as its role was envisioned in the last personal data bill, could lead to cumbersome compliance requirements. Their obligations, under a DPA-less regime, will likely be coded into the law itself.

In effect, not having DPA would mean abandoning a data protection regulator in its entirety. DPA, according to the provisions of the now-abandoned personal data protection bill, would have monitored the application and enforcement of statutory protections, looked into complaints, and specified rules and protocols. In the scope of its prerogatives was an acknowledgement that the information era poses unprecedented opportunities as well as challenges. Today’s technologies and their mass applications are unlike what they were 15 years ago, and what they will evolve into 15 years later is even more difficult to predict. Thus, DPA was also designed to be empowered to monitor technological advancements. The plan itself isn’t novel — it was borrowed from the European Union’s General Data Protection Regulation (GDPR), largely regarded as the gold standard for a user-focused privacy statute.

True, GDPR’s rollout was cumbersome. Ensuring a business doesn’t fall afoul of GDPR obligations has meant expensive legal costs. On the other hand, companies still violate the letter and spirit of the European law, especially Big Tech, which is holding on to data-harvesting business models, where risks to privacy come in previously unseen and unknown forms (internet-wide, cross-site user tracking). To assume that merely giving users the right to be heard is enough ignores the existence of invisible harms, which are and can be easily obfuscated by evolving tech and the protections private enterprises enjoy. To truly gain visibility into these areas thus requires a regulator, one that is independent, empowered and adequately resourced. Any decision on the country’s privacy framework must keep that in mind, along with how problems have been dealt with by the regulators we have today, whether in banking, medicine, or the environment.