The draft Personal Data Protection Bill 2018 was submitted by the Justice BN Srikrishna Committee on Data Protection on Friday, after nearly a year of consultations, to the Ministry of Electronics and Information Technology (MeitY).
The draft Bill has proposed that critical personal data of Indian citizens be processed in centres located within the country. It lays down the rights of ‘data principals’ (Indian citizens), proposes the creation of a data authority to enforce the Act, and sets penalties for violations by ‘data fiduciaries’ (public and private sector entities that collect, process and store data).
The final shape the Bill will take depends on the type and scope of consultations the Modi government holds and the suggestions it incorporates.
“It is a monumental law and we would like to have the widest parliamentary consultation… We want Indian data protection law to become a model globally, blending security, privacy, safety and innovation,” MeitY Minister Ravi Shankar Prasad said. Prasad, PTI reported, said the report will go through the process of inter-ministerial consultations and Cabinet as well as parliamentary approval.
Justice Srikrishna said, according to a report in The Indian Express (IE), that privacy has become a burning issue and therefore every effort has to be made to protect data at any cost. He added that the report straddles three aspects: citizens, the state and the industry. The 10-member committee was set up in July 2017 to recommend a framework for securing personal data in the digital world.
The draft bill submitted by the committee notes that “the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy.”
The bill also notes that it is necessary to create trust between the individuals who provide their data and those who process it. It says: “protect the autonomy of individuals in relation with their personal data, to specify where the flow and usage of personal data is appropriate, to create a relationship of trust between persons and entities processing their personal data…”
The bill lists a host of rights that individuals have with regard to their data. These include: the ‘right to confirmation’ (is a company or a government department using my data?), the ‘right to correction’ (correction, completion or updating of inaccurate personal data), the ‘right to portability’ (can I force Zomato to give me my order history data and then give it to Swiggy?) and the ‘right to be forgotten’ (can I ask Google to delete a search engine result that’s about me?), reported The Wire.
Personal data, the draft law states, may be processed on the basis of the consent of the data principal, given no later than at the commencement of the processing. It added that processing of sensitive personal data should be on the basis of “explicit consent.” The law, the committee in its recommendations said, will not have retrospective application and will come into force in a structured and phased manner. “Processing that is ongoing after the coming into force of the law would be covered.”
However, on the right to be forgotten, the bill notes that the ‘data principal’, meaning the individual providing their data, has a “right to restrict or prevent continuing disclosure.” The bill does not provide a right of total erasure as the European Union does, said the IE report.
It also gives a data fiduciary considerable leeway on this ‘right to be forgotten’, noting that “the data fiduciary may charge a reasonable fee to be paid for complying with requests.”
The Data Protection Bill also calls for privacy by design on the part of data fiduciaries, and defines terms like consent, data breach, sensitive data, etc.
The bill, however, does not apply to the processing of anonymised data. It says that “anonymisation” in relation to personal data means the irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, meeting the standards specified by the Authority.
The bill’s focus, said the report in The Wire, appears to be on fixing stronger accountability on data fiduciaries, the companies and government departments that collect and handle your data, and on how they must act.
The rules that these entities now have to follow or comply with are broken down into three categories, The Wire reported.
There are theoretical safeguards: all data fiduciaries must design their systems with privacy in mind and ensure that appropriate security safeguards are in place. If it is found later that there was negligence at any step, the company can be penalised.
There are also compliance requirements: all companies and government departments that handle data must notify the Data Protection Authority of India (DPA) of any breach of personal user data. The DPA will decide whether the fiduciary is required to make the breach public and what the accompanying fines will be.
Additionally, all data fiduciaries will have to undertake annual data audits by an independent auditor. They will also have to appoint a ‘data protection officer’ – an employee within their own organisation – to ensure that all of their data processing activities are in compliance with the provisions of the bill.
Finally, there are data localisation requirements: the bill states that all data fiduciaries “shall ensure the storage, on a server or data centre located in India of at least one serving copy of personal data to which this Act applies”.
Put simply, private companies that deal with the personal data of Indian citizens will have to store a copy of that data in India. This will have significant consequences for Silicon Valley-based giants that store the data of their Indian users primarily in the United States, Europe or Singapore, said The Wire.
The bill goes on to note that the Centre will notify further categories of personal data, called “critical personal data”, which can only be stored in India.
On data localisation, The Wire cited experts who said the requirement appears not to be aimed at protecting Indian data from foreign eyes, but looks more like an attempt to ensure that the Indian government can access the data of Indian citizens more easily, without having to wrestle Silicon Valley-based companies and the US government for it. Combined with the fact that the draft bill says nothing about reforming India’s mass surveillance apparatus, this raises concerns.
In addition, the bill lays out that the data protection authority will decide whether data breaches are disclosed to the affected users. The Wire report pointed out that Indian companies and government agencies are more than happy to keep quiet about their lax security standards. Affected users should have a legal right to know if their data has been compromised, as they do in the United States, it said.
Reacting to the draft Bill, Vidur Gupta, partner, EY India, said the data protection report will be a key step towards building the important base of a ‘trusted’ digital India. “The proposed introduction of a Digital Protection Authority (DPA) as an independent regulatory body with wider powers would be quite beneficial in the enforcement of the data protection law,” IE reported him as saying.
PwC India’s Siddharth Vishwanath hailed the draft, said the IE report: “The draft is on expected lines. It clearly addresses key tenets like individual rights over their data, data protection, breach notification. What is positive is that the penalties are structured in a manner to create adequate deterrence. It will clearly drive the industry to create a safer ecosystem in the data economy.”
Pointing out loopholes in the draft, Amba Kak of Mozilla Corporation said, “This bill provides a strong foundation of protection for Indians’ privacy, but it is not without loopholes – in particular, the requirement to store a copy of all personal data within India, creating broad permissions for government use of data, and the independence of the regulator’s adjudicatory authority. We welcome the Government’s commitment to a public consultation process, which we hope will rectify the cracks in this foundation.”
Nikhil Pahwa, co-founder of savetheinternet.in and an internet freedom activist, said that the bill needs fixing. Pahwa said, “All your data is expected to be mirrored in India. There doesn’t seem to be any surveillance reform in the bill. So, basically setting the stage for mass surveillance. That’s my initial reading.”
In a tweet, Pahwa said: “This is a weak data protection bill and it should NOT be allowed to be passed in Parliament. Justice Srikrishna has disappointed. Above all, users are not being given ownership of their own data. @trai did better. Users aren’t being given right to erasure, only non disclosure.”