The recently tabled report on the Draft Personal Data Protection Bill, 2018, has seen both support and opposition from various quarters, including from within the Government. Coming down heavily on the Draft Bill, Central Information Commissioner Prof Sridhar Acharyulu has stated that the Bill may render the Right To Information Act “absolutely useless in securing access to public records pertaining to public servants.”
In a letter to his colleagues from the CIC, Prof Acharyulu has written that the report’s recommendation of replacing section 8(1)(j) is not warranted as it has already “properly balanced the privacy rights of the public servants and the public interest in disclosure of information in connection with public activity.” He has called upon the other CICs to meet and deliberate on the report.
India ranks second in the world, after China, in its number of internet users. With the Facebook data breach, and the revelation that 80 percent of Indians are concerned about their Aadhaar data security, as per a study conducted by market research and analysis company Velocity MR, it becomes even more important to have a framework to govern how data is collected, used and stored. This is where the Draft Data Protection Bill, 2018, comes in.
What the draft Bill entails
The Justice BN Srikrishna Committee tabled its report on the draft Data Protection Bill to the Ministry of Electronics and Information Technology on July 27, after a year-long deliberation and research process. The Personal Data Protection Bill, 2018, will prescribe how organisations can collect, store and use personal data of citizens. According to the Committee, the Bill, which forms a framework for data protection laws in India, has been created keeping the ‘vertices of a triangle’ in mind. This involves protecting the interests of citizens, while also striking a balance between trade and industry and the state.
The salient features of the Bill include:
- The draft Bill has introduced new definitions of data, divided into personal data and sensitive personal data. While personal data is any data of a citizen which identifies the person directly or indirectly, sensitive personal data includes aspects such as passwords, biometric information, finances and health, religion and caste.
- The draft Bill replaces the traditional concepts of data controller and data subject with Data Principal and Data Fiduciary. While the Data Principal is the person, company or entity whose data is being collected, the Data Fiduciary is the person, company or state which decides whose data is being collected, and why and how it is being processed. On the lines of other countries which impose stringent rules, the draft Bill also prescribes penalties for data fiduciaries who violate the law. The Bill also introduces data processors, who are third parties who may process the data.
- The Draft Bill recommends the creation of a Data Protection Authority (DPA), which will be an independent regulatory body that will monitor and regulate all data related issues in the country. The DPA will define what is sensitive personal data, determine the lawful transfer of data outside India and conduct research and awareness building on data protection. The DPA will consist of one chairperson and six full-time members.
- The Bill will also introduce a data localisation requirement, under which companies need to keep one copy of all personal data to which the law applies on a server in India. Along with this, it mandates the absolute localisation (complete storage and processing) of critical personal data within India.
- The Bill puts the onus on the data fiduciary to inform the DPA of any breach of personal data which has been processed by the fiduciary, in particular in cases where such a breach may cause harm to the data principal.
- The Committee has placed participation rights of individuals in three categories: (i) the right to access, confirmation and correction of data, (ii) the right to object to data processing, automated decision-making, direct marketing and the right to data portability, and (iii) the right to be forgotten.
A poor imitation
While the draft Bill takes a strong privacy protection stance, it has received criticism from numerous quarters for certain worrisome provisions in it. The Draft Data Protection Bill, 2018, follows the structure of India's Information Technology Act of 2000 and the European General Data Protection Regulation (GDPR), which is held as the pinnacle of data protection laws. However, critics argue that the Draft Bill is, in fact, a rather poor imitation of the GDPR.
Where the Draft Bill draws a parallel with the GDPR is the heavy fine which is being proposed on companies which don’t follow the law. As per the Draft Bill, any company which fails to comply with the law will be levied a penalty of Rs 5 crore or 2 percent of its turnover, whichever is higher. The GDPR levies a fine of Euro 20 million or 4 percent of a company’s turnover, whichever is higher.
However, there are also numerous areas where the Draft Bill diverges from the GDPR. While it does provide the right to be forgotten, unlike the GDPR, the Draft does not entitle an Indian citizen to demand that his/her data be erased. The GDPR requires that the data fiduciary provide a copy of the data being processed to the data principal; the draft Bill, however, just requires that a summary of the data being processed be provided, without specifying what the summary is.
Also, the Draft Bill requires that any breach of data be disclosed first to the government authorities, and not to the original provider of the data. Nor does it mandate that the data fiduciary reveal to the data principal the names and categories of the other recipients of the personal data.
The Committee has noted that eight out of the 10 most accessed sites in India are US entities, which gets in the Government’s way when it needs to investigate any crimes, whether routine or cyber-related. The Draft Bill hopes to rectify this issue by mandating that data be localised in India.
However, critics argue that in cases where there are transnational crimes, or crimes involving foreign nations, which is the case with a number of cyber-related crimes, such a localisation of data will not be of much help. Experts state that it would be more useful to have a local representative along the lines of the GDPR, who can be held accountable for any fraud or breach. According to experts, the requirement to localise data in India would also be difficult for companies, as they would then have to spend large sums of money to set up servers in India.
Till recently, India was among the few countries which did not have a framework in place to protect personal data. While the draft Bill will help change that, it needs further deliberation and debate before it can be passed, to ensure that the fears of all stakeholders (the individuals whose data is being used, companies whose businesses may get affected, and the government) are allayed.