The recommendations of the Expert Committee chaired by Retd. Justice BN Srikrishna for drafting The Personal Data Protection Bill, 2018 are a mixed bag. On one hand, the committee proposes a set of ground-breaking rules that can make India the flag-bearer of data protection legislation globally, but on the other it fails to plug potential loopholes that can be misused against the interest of users. For example, while the committee has given users comprehensive rights of correction, updation, and data portability, there is no clarity on ownership of data. The Telecom Regulatory Authority of India’s recommendations on data protection did a better job on this front by categorically stating that the user owns her data. Rights to deletion of past data and right to object to processing of user data are also missing from the draft Bill. These are well enshrined in regulations in other geographies, including the recently implemented General Data Protection Regulation (GDPR) by the European Union. The Srikrishna panel has in fact made the user responsible for the consequences of withdrawing consent for the processing of any personal data. The other big worry is the exemptions allowed for processing of data by the the State. While the proposed legislation states that such exemptions can be given only when it’s necessary, it is vague and leaves it open to interpretation and potential misuse. What makes this more ambiguous is that State agencies can process personal data of users, albeit subject to conditions, without any judicial oversight. To be fair, the committee has flagged concerns related to the need to gather user data for surveillance by intelligence agencies and has argued in favour of bringing a law to ensure oversight. But the proposed Bill has left out this crucial aspect of data protection. The draft Bill in fact gives sweeping powers to the Centre by allowing it to issue binding directions to the proposed Data Protection Authority.
The proposal to restrict cross-border data flows and making it mandatory to store one serving copy of all personal data within India, could be counterproductive for Indian businesses. This could become a trade barrier and impact the thriving Indian business processing industry. On the positive side, the Bill has proposed stringent penalties in case of any violation or misuse of personal data by public or private entities. The thrust on creating an institutional structure for data protection is also a good move towards creating a framework for all stakeholders to be more responsible and build trust while dealing with personal data. The Bill also includes a generally inclusive and progressive list of sensitive personal data.
While the overall intent of the Srikrishna panel and the draft Bill is good, policy-makers should iron out areas of concern to make the proposed legislation the gold standard in data protection laws. Indians are set to become the world’s top data consumers. They deserve legislation that ensures comprehensive protection.