What you must know about India’s draft personal data protection bill – the genesis, the controversy and the essential features…
On Friday, Justice BN Srikrishna, chairman of the nine-member committee set up by the government to draft a personal data protection bill, handed over its 213-page report, A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians, along with the draft data protection bill to the Minister for Information Technology Ravi Shankar Prasad.
A nine-judge constitutional bench of the Supreme Court had delivered a historic judgment on August 24 last year, recognizing the right to privacy as a fundamental right, and urged the government to bring in data protection legislation. “Informational privacy is a facet of the right to privacy. The dangers to privacy in an age of information can originate not only from the state but from non-state actors as well. We commend to the Union Government the need to examine and put into place a robust regime for data protection,” Justice DY Chandrachud, part of the bench, had said in his judgment.
The Justice Srikrishna committee, formed just prior to that judgment (in July 2017), had released a white paper in November 2017 setting out the major points under consideration for the proposed bill and had asked for stakeholder comments.
The draft bill was prepared taking into account the inputs received, according to Justice Srikrishna. However, unlike some other public consultation processes, such as those of the Telecommunications Regulatory Authority of India (TRAI), which makes the stakeholders’ comments public, the panel chose not to release them publicly, leading to criticism that it was non-transparent. The report does, however, include a dissent note by one of the members, Rama Vedashree, the CEO of Data Security Council of India (DSCI), the only such dissent note.
The release of the report was marked by high drama. In an interview after the release of the report and the draft bill, Justice Srikrishna accused RBI of ‘jumping guns’ for its notification on data residency requirements for payment data in April, and called the release of TRAI’s own version of data privacy guidelines, just a couple of days earlier, ‘one-upmanship’.
On social media, this first step towards a personal data protection bill was welcomed by many, even though experts perceived it as a ‘weak’ piece of legislation. The prime accusation was that it leaves a lot of scope for the government to control personal data the way it wants. The data localization provision attracted the most criticism, while many discussed how the bill has left scope for Aadhaar to use personal data the way it wants. On its part, the committee suggested amendments to the Aadhaar Act, but did not get into further details as “it is with the Supreme Court.”
Like most policy and legislation on data protection the world over, the draft Indian Data Protection Bill 2018 recognizes the rights of citizens over their personal data.
Some of the major features of the bill are as follows.
- Personal data is to be processed only for purposes that are clear, specific and lawful; the purpose should be communicated to the data principal (whose personal data is in question) by the data fiduciary (the entity that determines the purpose of processing personal data) at the time of collection, or within a reasonable time if it is not collected directly from him or her. A data fiduciary is the equivalent of the data controller in GDPR, while a data principal is the equivalent of the data subject.
- Processing of sensitive personal data and personal data of children requires additional compliance.
- The bill makes the consent of the data principal necessary to process any personal data, while allowing certain exceptions.
- The bill also talks of the rights of the data principal: right to access, right to correct, right to data portability.
- The bill then goes into ways and means of ensuring this data protection by imposing certain checks and balances on the data fiduciary, which it calls privacy by design (process, technological, organizational changes needed to ensure data privacy). It also explicitly deals with security safeguards, obligations in case of a breach, the need for audits, as well as the appointment of data protection officers.
- Data protection officers will be responsible for compliance and will act as the point of contact for individuals raising grievances.
- It also specifies conditions of transferring data across organizations (third party) and across political boundaries of India.
- It also articulates the exceptions and certain special rights of the government in national interest. Processing of personal data for journalistic or domestic purposes is exempt from complying with these.
- The bill specifies the scope of a regulatory body, the Data Protection Authority of India, which the government will notify.
- It specifies the penalties (INR 5cr or two percent of global annual revenue, whichever is higher) in case of failure to comply with any of the requirements.
- All anonymized data will be outside the scope of the provisions in the bill.
The bill, when passed, will necessitate amending existing Acts such as the Right to Information Act, the IT Act and the Aadhaar Act.