The recently-released draft on the Personal Data Protection Bill 2018 has drawn a mixed response from the industry and other stakeholders. The bill, drafted by the nine-member expert committee headed by Justice BN Srikrishna, was submitted to the Ministry of Information and Technology (MeitY) on 27 July with an aim to set standards on data privacy, design, personal data, transparency and security.
However, the proposed draft has been panned for several reasons such as the omission of cross-border data transfer or even breach notifications. According to Venkatesh Krishnamoorthy, country manager at BSA, The Software Alliance, said that the most worrying aspect of the draft was the localisation of data. “We support the effort to create a comprehensive legislation to protect the personal information of citizens in India. However, including data localisation requirements in such legislation is contrary to the goals of promoting Digital India, as global data transfers are critical to cloud computing, data analytics, and other modern and emerging technologies and services that underpin global economic growth. BSA recommends that India’s Personal Data Protection Bill avoid imposing undue restrictions on the ability to securely transfer personal data outside of India,” shared Krishnamoorthy in a statement.
BSA, The Software Alliance, is an advocate for the global software industry before governments and in the international marketplace. Its members are among the world’s most innovative companies, creating software solutions that spark the economy and improve modern life. Some of its members include Microsoft, IBM, AWS, CISCO, Apple and Salesforce among others.
How The Personal Data Protection Bill 2018 Stacked Up For India
Upside: Some of the top highlights of the Bill are that it adjudicates the setting up of the independent Data Protection Authority that will wield punitive powers and will be staffed with adjudicating officers to handle complaints, penalties. Another welcome addition to the draft Bill is laying down stronger laws in terms of data privacy that apply to both private companies and the government, including processing of sensitive personal data, right to be forgotten, data collection, explicit consent, data security, documentation of limitations on collection. There are also laws regarding the processing of personal data and sensitive personal data of children. Indian residents are given rights for data security, privacy, the right of correction and portability. Biometric data and the Aadhaar identification number are included under sensitive personal data and this falls under stricter obligations. Also, when it comes to data processing for security purposes by law enforcement agencies, the proposed draft lists down it should be “necessary and proportionate” and authorised by law.
Now, let’s talk about cross-border data transfer wherein the draft Bill lays down a few conditions for transfer consent alone is not sufficient for transfer, and conditions transfers on having a high level of data protection in place.
Data Localisation And Why It Us Bad For Businesses: In an earlier article, we mentioned how cross-border data flows enables growth for all copies, but the current draft Bill proposes all Indian residents personal data to be stored locally, which would increase cost of compliance for international tech giants like Facebook, Google operating in India. As we mentioned in the article, data localization can hamper the growth of India’s $135-billion software exports industry.
The move met with a divided response with certain members saying it could have an impact on long-term innovation. It is also viewed to serve as a proxy for greater surveillance tool just like other countries like China and Russia that have an iron-tight data localisation policy.
The Bill mandates IT bellwethers to set up the position of Data Protection Officer. Besides, it also mandates third-party audits of the company’s data processing to prevent misuse. Under the new law, companies will have to enforce stricter security standards such as encryption to prevent unauthorized access to personal data.
Government Data Processing Power Increases: This is construed as another sign of Indian Government increasing surveillance power with a few governments agencies seemingly exempt from requiring consent for the processing of both sensitive and non-sensitive data. But for processing of personal data, the government is mandated to show that it is “strictly necessary” for the State.
At a time when countries are reeling under increased surveillance, India is also in the need for surveillance reforms. But the draft did not provide any changes to surveillance rules and this has drawn criticism from a wide section of society, claiming the Bill dilutes the rights of data privacy of Indian residents. Another big setback is the data localization factor that would stymie India’s growth and only increase the cost of compliance for tech and internet companies. According to the Internet Freedom Foundation, this is not the first attempt to draft a bill on data privacy in India. In 2012, a Group of Experts on Privacy drafted a report under Justice Ajit Prakash Shah that covered national and international privacy plans. The full report can be accessed here.